On 4/16/21 2:44 PM, Flavio Leitner wrote:
> On Fri, Apr 16, 2021 at 02:06:31PM +0200, David Marchand wrote:
>> Skipping further processing of invalid IP packets helps avoid crashes
>> but it does not help to figure out if the malformed packets are still
>> present on the network.
>>
>> Add coverage counters for IPv4 and IPv6 sanity checks so that we know
>> there are some invalid packets.
>>
>> Dump such whole packets in debug mode.
>>
>> Signed-off-by: David Marchand
>> Acked-by: Eelco Chaudron
>> ---
>
> The patch looks good to me.
>
> Generated log dumping the packet correctly:
> 2021-04-16T12:37:25.525Z|4|flow(handler21)|DBG|invalid packet for
> ipv6_sanity_check: port 1, size 86
> 33 33 ff 00 00 02 7a d0-49 c1 c0 e9 86 dd 60 00
>
> 0010 00 00 00 21 3a ff fe 80-00 00 00 00 00 00 78 d0
>
> 0020 49 ff fe c1 c0 e9 ff 02-00 00 00 00 00 00 00 00
>
> 0030 00 01 ff 00 00 02 87 00-74 a2 00 00 00 00 fe 80
>
> 0040 00 00 00 00 00 00 00 00-00 00 00 00 00 02 01 01
>
> 0050 7a d0 49 c1 c0 e9
>
> # ovs-appctl coverage/show | grep miniflow
> miniflow_extract_ipv6_pkt_len_error 0.0/sec 0.000/sec 0.0011/sec
> total: 4
>
> Acked-by: Flavio Leitner
Thanks, David, Eelco and Flavio!
This is an important change taking into account recent security issues
due to malformed packets. Applied to master.
Best regards, Ilya Maximets.
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
