summaryrefslogtreecommitdiff
path: root/datapath
diff options
context:
space:
mode:
authorYi-Hung Wei <yihung.wei@gmail.com>2019-10-15 10:27:48 -0700
committerBen Pfaff <blp@ovn.org>2019-10-18 10:55:47 -0700
commitf1e9590e81908f4d4c67d0f2a405def6bf520c98 (patch)
treeea296fa1190a44ba2c071b0dae0a0933a3995748 /datapath
parent09c33996160399bd7c5e6029f5f18340c7f59a71 (diff)
downloadopenvswitch-f1e9590e81908f4d4c67d0f2a405def6bf520c98.tar.gz
datapath: genetlink: optionally validate strictly/dumps
This patch backports the following upstream commit within the openvswitch kernel module with some checks so that it also works in the older kernel. Upstream commit: commit ef6243acb4782df587a4d7d6c310fa5b5d82684b Author: Johannes Berg <johannes.berg@intel.com> Date: Fri Apr 26 14:07:31 2019 +0200 genetlink: optionally validate strictly/dumps Add options to strictly validate messages and dump messages, sometimes perhaps validating dump messages non-strictly may be required, so add an option for that as well. Since none of this can really be applied to existing commands, set the options everwhere using the following spatch: @@ identifier ops; expression X; @@ struct genl_ops ops[] = { ..., { .cmd = X, + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, ... }, ... }; For new commands one should just not copy the .validate 'opt-out' flags and thus get strict validation. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'datapath')
-rw-r--r--datapath/conntrack.c9
-rw-r--r--datapath/datapath.c39
-rw-r--r--datapath/meter.c12
3 files changed, 60 insertions, 0 deletions
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index b11a30965..0c0d43bec 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -2283,18 +2283,27 @@ exit_err:
static struct genl_ops ct_limit_genl_ops[] = {
{ .cmd = OVS_CT_LIMIT_CMD_SET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
* privilege. */
.policy = ct_limit_policy,
.doit = ovs_ct_limit_cmd_set,
},
{ .cmd = OVS_CT_LIMIT_CMD_DEL,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
* privilege. */
.policy = ct_limit_policy,
.doit = ovs_ct_limit_cmd_del,
},
{ .cmd = OVS_CT_LIMIT_CMD_GET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = 0, /* OK for unprivileged users. */
.policy = ct_limit_policy,
.doit = ovs_ct_limit_cmd_get,
diff --git a/datapath/datapath.c b/datapath/datapath.c
index 96f7cee68..8a9e54f03 100644
--- a/datapath/datapath.c
+++ b/datapath/datapath.c
@@ -652,6 +652,9 @@ static const struct nla_policy packet_policy[OVS_PACKET_ATTR_MAX + 1] = {
static struct genl_ops dp_packet_genl_ops[] = {
{ .cmd = OVS_PACKET_CMD_EXECUTE,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = packet_policy,
.doit = ovs_packet_cmd_execute
@@ -1441,22 +1444,34 @@ static const struct nla_policy flow_policy[OVS_FLOW_ATTR_MAX + 1] = {
static struct genl_ops dp_flow_genl_ops[] = {
{ .cmd = OVS_FLOW_CMD_NEW,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = flow_policy,
.doit = ovs_flow_cmd_new
},
{ .cmd = OVS_FLOW_CMD_DEL,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = flow_policy,
.doit = ovs_flow_cmd_del
},
{ .cmd = OVS_FLOW_CMD_GET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = 0, /* OK for unprivileged users. */
.policy = flow_policy,
.doit = ovs_flow_cmd_get,
.dumpit = ovs_flow_cmd_dump
},
{ .cmd = OVS_FLOW_CMD_SET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = flow_policy,
.doit = ovs_flow_cmd_set,
@@ -1833,22 +1848,34 @@ static const struct nla_policy datapath_policy[OVS_DP_ATTR_MAX + 1] = {
static struct genl_ops dp_datapath_genl_ops[] = {
{ .cmd = OVS_DP_CMD_NEW,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = datapath_policy,
.doit = ovs_dp_cmd_new
},
{ .cmd = OVS_DP_CMD_DEL,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = datapath_policy,
.doit = ovs_dp_cmd_del
},
{ .cmd = OVS_DP_CMD_GET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = 0, /* OK for unprivileged users. */
.policy = datapath_policy,
.doit = ovs_dp_cmd_get,
.dumpit = ovs_dp_cmd_dump
},
{ .cmd = OVS_DP_CMD_SET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = datapath_policy,
.doit = ovs_dp_cmd_set,
@@ -2278,22 +2305,34 @@ static const struct nla_policy vport_policy[OVS_VPORT_ATTR_MAX + 1] = {
static struct genl_ops dp_vport_genl_ops[] = {
{ .cmd = OVS_VPORT_CMD_NEW,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = vport_policy,
.doit = ovs_vport_cmd_new
},
{ .cmd = OVS_VPORT_CMD_DEL,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = vport_policy,
.doit = ovs_vport_cmd_del
},
{ .cmd = OVS_VPORT_CMD_GET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = 0, /* OK for unprivileged users. */
.policy = vport_policy,
.doit = ovs_vport_cmd_get,
.dumpit = ovs_vport_cmd_dump
},
{ .cmd = OVS_VPORT_CMD_SET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
.policy = vport_policy,
.doit = ovs_vport_cmd_set,
diff --git a/datapath/meter.c b/datapath/meter.c
index b0a92891c..7d8f51a8f 100644
--- a/datapath/meter.c
+++ b/datapath/meter.c
@@ -538,11 +538,17 @@ bool ovs_meter_execute(struct datapath *dp, struct sk_buff *skb,
static struct genl_ops dp_meter_genl_ops[] = {
{ .cmd = OVS_METER_CMD_FEATURES,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = 0, /* OK for unprivileged users. */
.policy = meter_policy,
.doit = ovs_meter_cmd_features
},
{ .cmd = OVS_METER_CMD_SET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
* privilege.
*/
@@ -550,11 +556,17 @@ static struct genl_ops dp_meter_genl_ops[] = {
.doit = ovs_meter_cmd_set,
},
{ .cmd = OVS_METER_CMD_GET,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = 0, /* OK for unprivileged users. */
.policy = meter_policy,
.doit = ovs_meter_cmd_get,
},
{ .cmd = OVS_METER_CMD_DEL,
+#ifdef HAVE_GENL_VALIDATE_FLAGS
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+#endif
.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
* privilege.
*/
View Lorry Controller Status