From d8f5f4e2e9847db68388cd7f89b00e10e9917d80 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Tue, 3 Jul 2018 12:24:47 -0400 Subject: [PATCH] Fix virtlockd-admin.socket syntax (bz #1586239) nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz #1547237) --- ...d-fix-typo-in-virtlockd-admin.socket.patch | 36 ++++++ ...e-pcap-buffer-size-to-be-compatible-.patch | 110 ++++++++++++++++++ libvirt.spec | 12 +- 3 files changed, 157 insertions(+), 1 deletion(-) create mode 100644 0004-lockd-fix-typo-in-virtlockd-admin.socket.patch create mode 100644 0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch diff --git a/0004-lockd-fix-typo-in-virtlockd-admin.socket.patch b/0004-lockd-fix-typo-in-virtlockd-admin.socket.patch new file mode 100644 index 0000000..a6b4bcd --- /dev/null +++ b/0004-lockd-fix-typo-in-virtlockd-admin.socket.patch @@ -0,0 +1,36 @@ +From fb327ac2c3d721b4002852c520d9f39a35183e0d Mon Sep 17 00:00:00 2001 +Message-Id: +From: Jim Fehlig +Date: Wed, 14 Mar 2018 16:42:39 -0600 +Subject: [PATCH] lockd: fix typo in virtlockd-admin.socket + +Commit ce7ae55ea1 introduced a typo in virtlockd-admin socket file + +/usr/lib/systemd/system/virtlockd-admin.socket:7: Unknown lvalue +'Server' in section 'Socket' + +Change 'Server' to 'Service'. + +Signed-off-by: Jim Fehlig +Reviewed-by: Erik Skultety +Signed-off-by: Cole Robinson +--- + src/locking/virtlockd-admin.socket.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in +index 1fa0a3dc33..2a7500f3d0 100644 +--- a/src/locking/virtlockd-admin.socket.in ++++ b/src/locking/virtlockd-admin.socket.in +@@ -4,7 +4,7 @@ Before=libvirtd.service + + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock +-Server=virtlockd.service ++Service=virtlockd.service + + [Install] + WantedBy=sockets.target +-- +2.17.1 + 
diff --git a/0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch b/0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch
new file mode 100644
index 0000000..7078ad4
--- /dev/null
+++ b/0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch
@@ -0,0 +1,110 @@ +From ce5aebeacd10a1c15cb3ee46a59c8b5ff235589e Mon Sep 17 00:00:00 2001 +Message-Id: +From: Laine Stump +Date: Wed, 25 Apr 2018 17:12:03 -0400 +Subject: [PATCH] nwfilter: increase pcap buffer size to be compatible with + TPACKET_V3 + +When an nwfilter rule sets the parameter CTRL_IP_LEARNING to "dhcp", +this turns on the "dhcpsnoop" thread, which uses libpcap to monitor +traffic on the domain's tap device and extract the IP address from the +DHCP response. + +If libpcap on the host is built with HAVE_TPACKET3 defined (to enable +support for TPACKET_V3), the dhcpsnoop code's initialization of the +libpcap socket would fail with the following error: + + virNWFilterSnoopDHCPOpen:1134 : internal error: pcap_setfilter: can't remove kernel filter: Bad file descriptor + +It turns out that this was because TPACKET_V3 requires a larger buffer +size than libvirt was setting (we were setting it to 128k). Changing +the buffer size to 256k eliminates the error, and the dhcpsnoop thread +once again works properly. + +A fuller explanation of why TPACKET_V3 requires such a large buffer, +for future git spelunkers: + +libpcap calls setsockopt(... SOL_PACKET, PACKET_RX_RING...) to setup a +ring buffer for receiving packets; two of the attributes sent to this +API are called tp_frame_size, and tp_frame_nr. If libpcap was built +with HAVE_TPACKET3 defined, tp_trame_size is set to MAXIMUM_SNAPLEN +(defined in libpcap sources as 262144) and tp_frame_nr is set to: + + [the buffer size we set, i.e. PCAP_BUFFERSIZE i.e. 262144] / tp_frame_size. + +So if PCAP_BUFFERSIZE < MAXIMUM_SNAPLEN, then tp_frame_nr (the number +of frames in the ring buffer) is 0, which is nonsensical. This same +value is later used as a multiplier to determine the size for a call +to malloc() (which would also fail). 
+ +(NB: if HAVE_TPACKET3 is *not* defined, then tp_frame_size is set to +the snaplen set by the user (in our case 576) plus a small amount to +account for ethernet headers, so 256k is far more than adequate) + +Since the TPACKET_V3 code in libpcap actually reads multiple packets +into each frame, it's not a problem to have only a single frame +(especially when we are monitoring such infrequent traffic), so it's +okay to set this relatively small buffer size (in comparison to the +default, which is 2MB), which is important since every guest using +dhcp snooping in a nwfilter rule will hold 2 of these buffers for the +entire life of the guest. + +Thanks to Christian Ehrhardt for discovering that buffer size was the +problem (this was not at all obvious from the error that was logged!) + +Resolves: https://bugzilla.redhat.com/1547237 +Fixes: https://bugs.launchpad.net/libvirt/+bug/1758037 + +Signed-off-by: Laine Stump +Reviewed-by: Christian Ehrhardt (V1) +Reviewed-by: John Ferlan +Tested-by: Christian Ehrhardt +Signed-off-by: Cole Robinson +--- + src/nwfilter/nwfilter_dhcpsnoop.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c +index 6069e70460..50cfb944a2 100644 +--- a/src/nwfilter/nwfilter_dhcpsnoop.c ++++ b/src/nwfilter/nwfilter_dhcpsnoop.c +@@ -256,10 +256,21 @@ struct _virNWFilterDHCPDecodeJob { + # define DHCP_BURST_INTERVAL_S 10 /* sec */ + + /* +- * libpcap 1.5 requires a 128kb buffer +- * 128 kb is bigger than (DHCP_PKT_BURST * PCAP_PBUFSIZE / 2) ++ * NB: Any libpcap built with HAVE_TPACKET3 will require ++ * PCAP_BUFFERSIZE to be at least 262144 (although ++ * pcap_set_buffer_size() with a lower value will succeed, and the ++ * error will only show up later when pcap_setfilter() is called). 
++ * ++ * It is possible that in the future libpcap could increase the ++ * minimum size even further, but due to the fact that each guest ++ * using dhcp snooping keeps 2 pcap sockets open (and thus 2 buffers ++ * allocated) for the life of the guest, we want to minimize the ++ * length of the buffer, so instead of leaving it at the default size ++ * (2MB), we are setting it to the minimum viable size and including ++ * this clue in the source to help quickly resolve the problem when/if ++ * it reoccurs. + */ +-# define PCAP_BUFFERSIZE (128 * 1024) ++# define PCAP_BUFFERSIZE (256 * 1024) + + # define MAX_QUEUED_JOBS (DHCP_PKT_BURST + 2 * DHCP_PKT_RATE) + +@@ -1114,6 +1125,11 @@ virNWFilterSnoopDHCPOpen(const char *ifname, virMacAddr *mac, + goto cleanup_nohandle; + } + ++ /* IMPORTANT: If there is any failure of *any* pcap_* function ++ * during setup of the socket, look to the comment where ++ * PCAP_BUFFERSIZE is defined. It may be too small, even if the ++ * generated error doesn't imply that. ++ */ + if (pcap_set_snaplen(handle, PCAP_PBUFSIZE) < 0 || + pcap_set_buffer_size(handle, PCAP_BUFFERSIZE) < 0 || + pcap_activate(handle) < 0) { +-- +2.17.1 + diff --git a/libvirt.spec b/libvirt.spec index 9f03c30..8babc25 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -252,7 +252,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 4.1.0 -Release: 3%{?dist}%{?extra_release} +Release: 4%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root 
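Review bot: The new comment above PCAP_BUFFERSIZE states the 262144 minimum only as prose, and the comment it replaces also recorded a second constraint — the buffer has to exceed `DHCP_PKT_BURST * PCAP_PBUFSIZE / 2` — which the new text drops entirely. Both sides are compile-time constants, so they can be enforced next to the define instead of relying on a future reader finding the NB, e.g. `verify(PCAP_BUFFERSIZE >= 256 * 1024);` and `verify(PCAP_BUFFERSIZE > DHCP_PKT_BURST * PCAP_PBUFSIZE / 2);` (gnulib's `verify()` is what libvirt normally uses for this — confirm it is in scope in nwfilter_dhcpsnoop.c, otherwise `_Static_assert` is the equivalent). The "IMPORTANT" comment added in virNWFilterSnoopDHCPOpen sends the reader back to the define whenever any pcap_* call fails, but the failure branch of that `if` lies outside the hunk; including PCAP_BUFFERSIZE and PCAP_PBUFSIZE in the error it logs would make an undersized buffer diagnosable from the log rather than from the source, which the commit message itself notes was not obvious from the "Bad file descriptor" error.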
@@ -265,6 +265,11 @@ Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz Patch1: 0001-tests-force-use-of-NORMAL-TLS-priority-in-test-suite.patch Patch2: 0001-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch Patch3: 0002-cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-.patch +# Fix virtlockd-admin.socket syntax (bz #1586239) +Patch5: 0004-lockd-fix-typo-in-virtlockd-admin.socket.patch +# nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz +# #1547237) +Patch4: 0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2199,6 +2204,11 @@ exit 0 %changelog +* Tue Jul 03 2018 Cole Robinson - 4.1.0-4 +- Fix virtlockd-admin.socket syntax (bz #1586239) +- nwfilter: increase pcap buffer size to be compatible with TPACKET_V3 (bz + #1547237) + * Mon Jun 18 2018 Daniel P. Berrangé - 4.1.0-3 - Add new CPU features for speculative store bypass (CVE-2018-3639)
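Review bot: In the @@ -265 hunk the two new Patch tags are numbered against their file names: `Patch5:` refers to 0004-lockd-fix-typo-in-virtlockd-admin.socket.patch and `Patch4:` to 0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch, and Patch5 is listed ahead of Patch4. The hunk does not show how the patches are applied (an %autosetup or explicit %patch lines elsewhere in the spec), so this is presumably harmless for two patches touching different files, but it invites a wrong %patch4/%patch5 pairing or a mismatched description comment on the next edit. Suggest `Patch4: 0004-lockd-fix-typo-in-virtlockd-admin.socket.patch` and `Patch5: 0005-nwfilter-increase-pcap-buffer-size-to-be-compatible-.patch`, keeping each "# ..." description line with its own tag. The Release bump and the changelog hunk at @@ -2199 need no change.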