Re: [ovs-discuss] vif_plug_representor|INFO|No representor port found
Hi Frode,

Thanks for your email and for taking the time to look at this.

Kernel version:

```
root@usc01a-032-16a:/home/gmckee# uname -r
5.15.0-53-generic
```

Output from the devlink port does not show a hw_addr on the physical port.

```
root@usc01a-032-16a:/home/gmckee# devlink port
pci/:07:00.0/65535: type eth netdev enp7s0f0 flavour physical port 0 splittable false
pci/:07:00.0/1: type eth netdev enp7s0f0_0 flavour pcivf controller 0 pfnum 0 vfnum 0 external false splittable false
  function:
    hw_addr 10:70:fd:ab:cd:01
pci/:07:00.0/2: type eth netdev enp7s0f0_1 flavour pcivf controller 0 pfnum 0 vfnum 1 external false splittable false
  function:
    hw_addr 10:70:fd:ab:cd:02
pci/:07:00.0/3: type eth netdev enp7s0f0_2 flavour pcivf controller 0 pfnum 0 vfnum 2 external false splittable false
  function:
    hw_addr 10:70:fd:ab:cd:03
pci/:07:00.0/4: type eth netdev enp7s0f0_3 flavour pcivf controller 0 pfnum 0 vfnum 3 external false splittable false
  function:
    hw_addr 10:70:fd:ab:cd:04
pci/:07:00.0/5: type eth netdev enp7s0f0_4 flavour pcivf controller 0 pfnum 0 vfnum 4 external false splittable false
  function:
    hw_addr 10:70:fd:e2:44:44
pci/:07:00.0/6: type eth netdev enp7s0f0_5 flavour pcivf controller 0 pfnum 0 vfnum 5 external false splittable false
  function:
    hw_addr 10:70:fd:e2:a3:02
pci/:07:00.1/131071: type eth netdev enp7s0f1 flavour physical port 1 splittable false
pci/:07:00.3/196608: type eth netdev enp7s0f0v1 flavour virtual splittable false
pci/:07:00.4/262144: type eth netdev enp7s0f0v2 flavour virtual splittable false
```

Log messages below:

```
root@usc01a-032-16a:/home/gmckee# ovn-controller
2022-12-20T21:42:02Z|1|vif_plug_representor|WARN|attempt to add function before having knowledge about PF
2022-12-20T21:42:02Z|2|vif_plug_representor|WARN|attempt to add function before having knowledge about PF
2022-12-20T21:42:02Z|3|vif_plug_representor|WARN|attempt to add function before having knowledge about PF
2022-12-20T21:42:02Z|4|vif_plug_representor|WARN|attempt to add function before having knowledge about PF
2022-12-20T21:42:02Z|5|vif_plug_representor|WARN|attempt to add function before having knowledge about PF
2022-12-20T21:42:02Z|6|vif_plug_representor|WARN|attempt to add function before having knowledge about PF
2022-12-20T21:42:02Z|7|vif_plug_representor|WARN|Unsupported flavour for port 'enp7s0f0v1': VIRTUAL
2022-12-20T21:42:02Z|8|vif_plug_representor|WARN|Unsupported flavour for port 'enp7s0f0v2': VIRTUAL
2022-12-20T21:42:02Z|9|reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
2022-12-20T21:42:02Z|00010|reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
2022-12-20T21:42:02Z|00011|main|INFO|OVN internal version is : [22.03.0-20.21.0-58.3]
2022-12-20T21:42:02Z|00012|main|INFO|OVS IDL reconnected, force recompute.
2022-12-20T21:42:02Z|00013|reconnect|INFO|tcp:172.16.50.87:6642: connecting...
2022-12-20T21:42:02Z|00014|main|INFO|OVNSB IDL reconnected, force recompute.
2022-12-20T21:42:02Z|00015|reconnect|INFO|tcp:172.16.50.87:6642: connected
2022-12-20T21:42:02Z|00016|features|INFO|unix:/var/run/openvswitch/br-int.mgmt: connecting to switch
2022-12-20T21:42:02Z|00017|rconn|INFO|unix:/var/run/openvswitch/br-int.mgmt: connecting...
2022-12-20T21:42:02Z|00018|features|INFO|OVS Feature: ct_zero_snat, state: supported
2022-12-20T21:42:02Z|00019|main|INFO|OVS feature set changed, force recompute.
2022-12-20T21:42:02Z|00020|ofctrl|INFO|unix:/var/run/openvswitch/br-int.mgmt: connecting to switch
2022-12-20T21:42:02Z|00021|rconn|INFO|unix:/var/run/openvswitch/br-int.mgmt: connecting...
2022-12-20T21:42:02Z|00022|rconn|INFO|unix:/var/run/openvswitch/br-int.mgmt: connected
2022-12-20T21:42:02Z|1|pinctrl(ovn_pinctrl0)|INFO|unix:/var/run/openvswitch/br-int.mgmt: connecting to switch
2022-12-20T21:42:02Z|2|rconn(ovn_pinctrl0)|INFO|unix:/var/run/openvswitch/br-int.mgmt: connecting...
2022-12-20T21:42:02Z|00023|rconn|INFO|unix:/var/run/openvswitch/br-int.mgmt: connected
2022-12-20T21:42:02Z|00024|main|INFO|OVS feature set changed, force recompute.
2022-12-20T21:42:02Z|3|rconn(ovn_pinctrl0)|INFO|unix:/var/run/openvswitch/br-int.mgmt: connected
2022-12-20T21:42:02Z|00025|vif_plug_representor|INFO|No representor port found for lport: c1-sw0-p1 pf-mac: '10:70:fd:df:9c:3a' vf-num: '4'
2022-12-20T21:42:02Z|00026|vif_plug|INFO|Not plugging lport c1-sw0-p1 on direction from VIF plug provider.
2022-12-20T21:42:02Z|00027|vif_plug_representor|INFO|No representor port found for lport: c1-sw0-p1 pf-mac: '10:70:fd:df:9c:3a' vf-num: '4'
2022-12-20T21:42:02Z|00028|vif_plug_representor|INFO|No representor port found for lport: c1-sw0-p1 pf-mac: '10:70:fd:df:9c:3a' vf-num: '4'
2022-12-20T21:42:02Z|00029|lflow|WARN|error parsing actions "reg0[3] = put_dhcp_opts(offerip = 10.200.2.12, classless_static_route = { 10.200.0.0/24,10.200.2.1, 10.200.1.0/24,10.200.2.1, 100.64.0.0/10,10.200.2.1}, hostname =
```
Re: [ovs-discuss] [ADVISORY] LLDP underflow while parsing malformed Auto Attach TLV (Open vSwitch)
On 12/20/22 22:39, Ilya Maximets wrote:
> Description
> ===
>
> Multiple versions of Open vSwitch are vulnerable to crafted LLDP
> packets causing denial of service, and data underflow attacks.
> Triggering the vulnerabilities requires LLDP processing to be enabled
> for a specific port. Open vSwitch versions prior to 2.4.0 are not
> vulnerable.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org)
> did not assign the identifier to this issue yet. The identifier will
> be communicated separately.

The following CVE identifiers have been allocated for the issue (one per TLV
type since they can have a slightly different effect):

- CVE-2022-4337 for Out-of-Bounds Read in Organization Specific TLV
- CVE-2022-4338 for Integer Underflow in Organization Specific TLV

The fix referenced in this advisory covers both issues.

> This issue does not affect the `lldpd'
> project, although they share a code base. The issue is related to
> parsing the Auto Attach TLVs, which is specific to the Open vSwitch
> implementation.
>
>
> Mitigation
> ==
>
> For any version of Open vSwitch, preventing LLDP packets from reaching
> Open vSwitch mitigates the vulnerability. We do not recommend
> attempting to mitigate the vulnerability this way because of the
> following difficulties:
>
> - Open vSwitch obtains packets before the iptables host firewall,
>   so ebtables on the Open vSwitch host cannot ordinarily block the
>   vulnerability.
>
> - If Open vSwitch is configured to receive and transmit LLDP
>   messages, the required functionality will need to be disabled
>   potentially disrupting the network.
>
> We have found that Open vSwitch is subject to a denial of service, and
> possibly a remote code execution exploit when LLDP processing is enabled
> on an interface. By default, interfaces are not configured to process
> LLDP messages.
>
>
> Fix
> ===
>
> Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer are
> applied to the appropriate branches, and the original patch is located
> at:
>
> https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
>
> Recommendation
> ==
>
> We recommend that users of Open vSwitch apply the respective patch, or
> upgrade to a known patched version of Open vSwitch. These include:
>
> * 3.0.3
> * 2.17.5
> * 2.16.6
> * 2.15.7
> * 2.14.8
> * 2.13.10
>
>
> Acknowledgments
> ===
>
> The Open vSwitch team wishes to thank the reporter:
>
> Qian Chen

___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
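The advisory names the two bug classes (an out-of-bounds read and an integer underflow while handling an organizationally specific TLV) but not their mechanics. The example below is added here and is not code from Open vSwitch or lldpd: it walks a constructed LLDPDU with the bounds checks a TLV parser needs so that neither class can occur on that TLV type, and shows what the unchecked subtraction would produce on a too-short TLV.

```python
import struct

# Constructed sample LLDPDUs (not captures). GOOD: one organizationally
# specific TLV (type 127) carrying IEEE 802.1 OUI 00:80:c2, subtype 1 (Port
# VLAN ID) = 100, then End-of-LLDPDU. BAD: an org-specific TLV whose length
# field (2) is shorter than the fixed 4-byte OUI+subtype header.
GOOD = bytes([0xFE, 0x06, 0x00, 0x80, 0xC2, 0x01, 0x00, 0x64, 0x00, 0x00])
BAD = bytes([0xFE, 0x02, 0x00, 0x80, 0x00, 0x00])

class LldpError(ValueError):
    pass

def unchecked_info_length(value):
    """What a C parser computes for the info-string length when it subtracts the
    4-byte org header from a size_t without checking first: the value wraps."""
    return (len(value) - 4) & 0xFFFFFFFFFFFFFFFF

def parse_org_specific(value):
    # OUI (3 bytes) + subtype (1 byte) are mandatory, so check before subtracting.
    if len(value) < 4:
        raise LldpError("org-specific TLV shorter than OUI+subtype header")
    return {"type": 127, "oui": value[:3].hex(":"), "subtype": value[3], "info": value[4:]}

def parse_lldpdu(data):
    """Walk the TLV chain: 16-bit header = 7-bit type, 9-bit length. Each length
    is checked against the bytes remaining before anything is read."""
    tlvs, off = [], 0
    while True:
        if len(data) - off < 2:
            raise LldpError("truncated TLV header at offset %d" % off)
        hdr = struct.unpack_from("!H", data, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if length > len(data) - off:  # would otherwise read past the buffer
            raise LldpError("TLV type %d length %d exceeds remaining bytes" % (tlv_type, length))
        value = data[off:off + length]
        off += length
        if tlv_type == 0:  # End of LLDPDU
            return tlvs
        tlvs.append(parse_org_specific(value) if tlv_type == 127 else {"type": tlv_type, "value": value})
```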
Re: [ovs-discuss] vif_plug_representor|INFO|No representor port found
Hello, Gavin,

Thank you for your interest in the vif plug infrastructure and the representor port plugin. See replies inline below.

On Tue, 20 Dec 2022 at 19:29, Gavin McKee via discuss <ovs-discuss@openvswitch.org> wrote:
> Hi,
>
> We are hoping someone can help with the following error message.
>
> Here we add the required options to the logical switch port in OVN North:
> ovn-nbctl lsp-set-options c1-sw0-p1 requested-chassis=usc01a-032-16a vif-plug-type=representor vif-plug:representor:pf-mac=10:70:fd:df:9c:3a vif-plug:representor:vf-num=4
>
> When I check the ovn-controller log on the hypervisor I see the following error message:
> 2022-12-20T18:24:42.815Z|00108|vif_plug|INFO|Not plugging lport c1-sw0-p1 on direction from VIF plug provider.
> 2022-12-20T18:24:47.816Z|00109|vif_plug_representor|INFO|No representor port found for lport: c1-sw0-p1 pf-mac: '10:70:fd:df:9c:3a' vf-num: '4'
>
> Here is the information for the Mellanox Connect X6 card we are using, you can see the mac on the physical interface is defined in the entry vif-plug:representor:pf-mac=*10:70:fd:df:9c:3a*
> ```
> root@usc01a-032-16a:/home/gmckee# ip link show enp7s0f0
> 14: enp7s0f0: mtu 9214 qdisc mq master ovs-system state UP mode DEFAULT group default qlen 1000
>     link/ether *10:70:fd:df:9c:3a* brd ff:ff:ff:ff:ff:ff
>     vf 0     link/ether 10:70:fd:ab:cd:01 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
>     vf 1     link/ether 10:70:fd:ab:cd:02 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
>     vf 2     link/ether 10:70:fd:ab:cd:03 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
>     vf 3     link/ether 10:70:fd:ab:cd:04 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
>     vf 4     link/ether 10:70:fd:e2:44:44 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
>     vf 5     link/ether 10:70:fd:e2:a3:02 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state disable, trust off, query_rss off
>     altname enp7s0f0np0
> ```
>
> The representor information is as follows:
>
> root@usc01a-032-16a:/home/gmckee# ip link show enp7s0f0_4
> 32: enp7s0f0_4: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
>     link/ether ae:4e:85:a3:83:22 brd ff:ff:ff:ff:ff:ff
>     altname enp7s0f0npf0vf4
>
> The virtual function has already been assigned to a KVM VM.
>
> Any help is greatly appreciated.

The representor plugin was developed for and tested with a SmartNIC DPU, which behaves slightly differently from a system where the embedded switch is exposed to the host system. Having said that, it was developed using generic interfaces, such as devlink-port [0], so we should be able to make it work.

The representor plugin looks up the representor by combining information about the PF MAC (`hw_addr`) and VF number from devlink [2]; a recent kernel version is required to expose the `hw_addr` attribute.

A few questions:

Do you see any other messages logged from the vif_plug_representor module?

What kernel version is in use?

Does the `hw_addr` show up for the PCI_PF flavoured port in `devlink port show`?

0: https://www.kernel.org/doc/html/latest/networking/devlink/devlink-port.html
1: https://github.com/ovn-org/ovn-vif/blob/ce1a36f300a74b4eae55a7fec7d18da8b9218e29/lib/vif-plug-providers/representor/vif-plug-representor.c#L407-L469

--
Frode Nordahl

> Gav
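As an added diagnostic example (not ovn-vif's own code), the lookup Frode describes above, run over a sample modelled on the `devlink port` listing Gavin posted in his follow-up: the PF is identified only by a PF-flavoured port's `hw_addr`, so when the physical port reports none the VF can never be resolved, even though every `pcivf` port carries its own MAC. The `0000:` PCI domain and the use of the physical port's `port` index as its PF number are assumptions.

```python
import re

# Constructed sample based on the `devlink port` output posted in this thread
# (PCI domain "0000:" assumed, the archive dropped it): the physical port has
# no "function: hw_addr" line, only the pcivf ports do.
DEVLINK_PORT_OUTPUT = """\
pci/0000:07:00.0/65535: type eth netdev enp7s0f0 flavour physical port 0 splittable false
pci/0000:07:00.0/1: type eth netdev enp7s0f0_0 flavour pcivf controller 0 pfnum 0 vfnum 0 external false splittable false
  function:
    hw_addr 10:70:fd:ab:cd:01
pci/0000:07:00.0/5: type eth netdev enp7s0f0_4 flavour pcivf controller 0 pfnum 0 vfnum 4 external false splittable false
  function:
    hw_addr 10:70:fd:e2:44:44
pci/0000:07:00.3/196608: type eth netdev enp7s0f0v1 flavour virtual splittable false
"""
# Same listing as a kernel that also reports hw_addr for the PF would print it.
WITH_PF_HW_ADDR = DEVLINK_PORT_OUTPUT.replace(
    "physical port 0 splittable false\n",
    "physical port 0 splittable false\n  function:\n    hw_addr 10:70:fd:df:9c:3a\n", 1)

def parse_devlink_ports(text):
    """Parse `devlink port` text output into dicts of its 'key value' attributes."""
    ports = []
    for line in text.splitlines():
        if line and not line.startswith(" "):
            handle, _, rest = line.partition(": ")
            tokens = rest.split()
            ports.append(dict(zip(tokens[0::2], tokens[1::2]), handle=handle))
        else:  # indented "function:" block; pick up the hw_addr sub-attribute
            m = re.match(r"\s+hw_addr\s+([0-9a-fA-F:]{17})\s*$", line)
            if m and ports:
                ports[-1]["hw_addr"] = m.group(1).lower()
    return ports

def find_representor(ports, pf_mac, vf_num):
    """Lookup as Frode describes it: PF by hw_addr, then VF by (pfnum, vfnum).
    Returns (representor netdev or None, reason)."""
    pf_mac = pf_mac.lower()
    pf_index = None
    for p in ports:  # step 1: only a PF-flavoured port's hw_addr identifies the PF
        if p.get("flavour") in ("physical", "pcipf") and p.get("hw_addr") == pf_mac:
            pf_index = p.get("pfnum", p.get("port"))  # assumption: 'port' index == pfnum
            break
    if pf_index is None:
        return None, "no physical/pcipf port exposes hw_addr " + pf_mac
    for p in ports:  # step 2: that PF's pcivf port for vf_num; its netdev is the representor
        if p.get("flavour") == "pcivf" and p.get("pfnum") == pf_index and p.get("vfnum") == str(vf_num):
            return p["netdev"], "ok"
    return None, "PF %s has no VF %d in devlink" % (pf_index, vf_num)
```

Run against the listing as posted, `find_representor(ports, "10:70:fd:df:9c:3a", 4)` reports that no PF port exposes that `hw_addr`, which is the same condition behind the "No representor port found" log line; with the PF's `hw_addr` present it resolves to `enp7s0f0_4`.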