Bug fix for "openvswitch-datapath-dkms: packet don't pass in postrouting iptables table"

To: 714080@bugs.debian.org, Mehdi Abaakouk <sileht@sileht.net>, Debian Release <debian-release@lists.debian.org>, Ben Pfaff <blp@nicira.com>, Jesse Gross <jesse@nicira.com>
Subject: Bug fix for "openvswitch-datapath-dkms: packet don't pass in postrouting iptables table"
From: Thomas Goirand <zigo@debian.org>
Date: Tue, 25 Jun 2013 22:19:13 +0800
Message-id: <51C9A6E1.7060401@debian.org>

Hi Ben Pfaff, Jesse Gross, the release team, and others,

Mehdi found out the upstream bug fix for this, and I incorporated it as
a patch for the Wheezy version. The patch applied cleanly, and we have
tested it, it really fixes the bug as we expected. We now use the
attached patch in production.

I have attached the debdiff to this message.

Ben, do you agree that this should be applied to the current Wheezy
version? Could you upload it to Sid, or if you cant (lack of time, or
any other reason), would you agree that I NMU it (to Sid first, then
when it's migrated to testing, to wheezy-proposed-updates if the release
team agrees)?

To the release team: would you accept such bug fix? I believe the fix is
rather small, but it is really important for us that it's applied in
Wheezy: this is the cause of major problems using OpenVSwitch with
OpenStack.

Cheers,

Thomas Goirand (zigo)

diff -Nru openvswitch-1.4.2+git20120612/debian/changelog openvswitch-1.4.2+git20120612/debian/changelog
--- openvswitch-1.4.2+git20120612/debian/changelog	2012-08-06 23:59:19.000000000 +0000
+++ openvswitch-1.4.2+git20120612/debian/changelog	2013-06-25 09:53:44.000000000 +0000
@@ -1,3 +1,10 @@
+openvswitch (1.4.2+git20120612-9.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Adds datapath patch: Reset upper layer protocol info on internal devices.
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 25 Jun 2013 09:52:45 +0000
+
 openvswitch (1.4.2+git20120612-9) unstable; urgency=low
 
   * Apply bug-684057-ovs-ctl-Add-support-for-newer-module-name.patch to
diff -Nru openvswitch-1.4.2+git20120612/debian/patches/datapath_Reset_upper_layer_protocol_info_on_internal_devices.patch openvswitch-1.4.2+git20120612/debian/patches/datapath_Reset_upper_layer_protocol_info_on_internal_devices.patch
--- openvswitch-1.4.2+git20120612/debian/patches/datapath_Reset_upper_layer_protocol_info_on_internal_devices.patch	1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-1.4.2+git20120612/debian/patches/datapath_Reset_upper_layer_protocol_info_on_internal_devices.patch	2013-06-25 09:55:37.000000000 +0000
@@ -0,0 +1,42 @@
+Description: datapath: Reset upper layer protocol info on internal devices.
+ It's possible that packets that are sent on internal devices (from
+ the OVS perspective) have already traversed the local IP stack.
+ After they go through the internal device, they will again travel
+ through the IP stack which may get confused by the presence of
+ existing information in the skb. The problem can be observed
+ when switching between namespaces. This clears out that information
+ to avoid problems but deliberately leaves other metadata alone.
+ This is to provide maximum flexibility in chaining together OVS
+ and other Linux components.
+Author: Jesse Gross <jesse@nicira.com>
+Origin: upstream, http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=6467e95332be63d83610a794a42c85bda387ab07;hp=196ba341736b273c1ddf15e2545beec623d95bbd
+Date: Thu, 17 May 2012 18:43:15 +0000 (-0700)
+Signed-off-by: Jesse Gross <jesse@nicira.com>
+Acked-by: Ben Pfaff <blp@nicira.com>
+
+diff --git a/datapath/vport-internal_dev.c b/datapath/vport-internal_dev.c
+index c56f3b2..165eef3 100644
+--- a/datapath/vport-internal_dev.c
++++ b/datapath/vport-internal_dev.c
+@@ -25,6 +25,9 @@
+ #include <linux/skbuff.h>
+ #include <linux/version.h>
+ 
++#include <net/dst.h>
++#include <net/xfrm.h>
++
+ #include "checksum.h"
+ #include "datapath.h"
+ #include "vlan.h"
+@@ -281,6 +284,11 @@ static int internal_dev_recv(struct vport *vport, struct sk_buff *skb)
+ #endif
+ 
+ 	len = skb->len;
++
++	skb_dst_drop(skb);
++	nf_reset(skb);
++	secpath_reset(skb);
++
+ 	skb->dev = netdev;
+ 	skb->pkt_type = PACKET_HOST;
+ 	skb->protocol = eth_type_trans(skb, netdev);
diff -Nru openvswitch-1.4.2+git20120612/debian/patches/series openvswitch-1.4.2+git20120612/debian/patches/series
--- openvswitch-1.4.2+git20120612/debian/patches/series	2012-08-07 02:16:37.000000000 +0000
+++ openvswitch-1.4.2+git20120612/debian/patches/series	2013-06-25 09:54:11.000000000 +0000
@@ -16,3 +16,5 @@
 
 bug-684057-ovs-ctl-Add-support-for-newer-module-name.patch
 debian-changes-1.4.2+git20120612-9
+
+datapath_Reset_upper_layer_protocol_info_on_internal_devices.patch

Reply to:

Follow-Ups:
- Re: Bug fix for "openvswitch-datapath-dkms: packet don't pass in postrouting iptables table"
  - From: Ben Pfaff <blp@nicira.com>
- Re: Bug fix for "openvswitch-datapath-dkms: packet don't pass in postrouting iptables table"
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#714040: transition: glew
Next by Date: Re: Bug#709947 closed by tytso@mit.edu (Theodore Y. Ts'o) (Bug#708307: fixed in e2fsprogs 1.42.8-1)
Previous by thread: Bug#714073: marked as done (nmu: slurm-drmaa_1.0.6-2)
Next by thread: Re: Bug fix for "openvswitch-datapath-dkms: packet don't pass in postrouting iptables table"
Index(es):
- Date
- Thread