Fix byte count on fragmented packets in tc ct action
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux-bluefield (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Medium
|
Bodong Wang |
Bug Description
* Explain the bug
First fragmented packets (frag offset = 0) byte len is zeroed
when stolen by ip_defrag(). And since act_ct update the stats
only afterwards (at end of execute), bytes aren't correctly
accounted for such packets.
* How to test
Create OVS bridge with 2 devices $dev1, $dev2 (can be any devices)
Enable HW offload and configure connection tracking OpenFlow rules as below
e.g:
ovs-ofctl del-flows br-ovs
ovs-ofctl add-flow br-ovs arp,actions=normal
ovs-ofctl add-flow br-ovs "table=0, ip,ct_state=-trk actions=
ovs-ofctl add-flow br-ovs "table=1, ip,ct_state=
ovs-ofctl add-flow br-ovs "table=1, ip,ct_state=
Run fragmented icmp ping traffic (e.g ping -s 2000)
dump ovs rules (ovs-appctl dpctl/dump-flows), observe byte count on frag=first rule:
ct_state(
bytes would be zero if bug occurs.
* What it could break.
NA
CVE References
Changed in linux-bluefield (Ubuntu Focal): | |
status: | New → In Progress |
Changed in linux-bluefield (Ubuntu Focal): | |
assignee: | nobody → Bodong Wang (bodong-wang) |
importance: | Undecided → Medium |
Changed in linux-bluefield (Ubuntu): | |
status: | New → Invalid |
Changed in linux-bluefield (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
tags: |
added: verification-done-focal removed: verification-needed-focal |
This bug is awaiting verification that the linux-bluefield /5.4.0- 1021.24 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification- needed- focal' to 'verification- done-focal' . If the problem still exists, change the tag 'verification- needed- focal' to 'verification- failed- focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you!