On Fri, Jun 19, 2020 at 4:48 AM Lorenzo Bianconi <lore...@kernel.org> wrote:
>
> ovs connection tracking module performs de-fragmentation on incoming
> fragmented traffic. Take info account if traffic has been de-fragmented
> in execute_check_pkt_len action otherwise we will perform the wrong
> nested action considering the original packet size. This issue typically
> occurs if ovs-vswitchd adds a rule in the pipeline that requires connection
> tracking (e.g. OVN stateful ACLs) before execute_check_pkt_len action.
>
> Fixes: 4d5ec89fc8d14 ("net: openvswitch: Add a new action check_pkt_len")
> Signed-off-by: Lorenzo Bianconi <lore...@kernel.org>
> ---
> net/openvswitch/actions.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
> index fc0efd8833c8..9f4dd64e53bb 100644
> --- a/net/openvswitch/actions.c
> +++ b/net/openvswitch/actions.c
> @@ -1169,9 +1169,10 @@ static int execute_check_pkt_len(struct datapath *dp,
> struct sk_buff *skb,
> struct sw_flow_key *key,
> const struct nlattr *attr, bool last)
> {
> + struct ovs_skb_cb *ovs_cb = OVS_CB(skb);
> const struct nlattr *actions, *cpl_arg;
> const struct check_pkt_len_arg *arg;
> - int rem = nla_len(attr);
> + int len, rem = nla_len(attr);
> bool clone_flow_key;
>
> /* The first netlink attribute in 'attr' is always
> @@ -1180,7 +1181,8 @@ static int execute_check_pkt_len(struct datapath *dp,
> struct sk_buff *skb,
> cpl_arg = nla_data(attr);
> arg = nla_data(cpl_arg);
>
> - if (skb->len <= arg->pkt_len) {
> + len = ovs_cb->mru ? ovs_cb->mru : skb->len;
> + if (len <= arg->pkt_len) {
We could also check for the segmented packet and use segment length
for this check.
