Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team,

a nasty bug made it into the Debian 10 ("buster") version of softflowd,
and I'd like to fix that in a stable point release.

Due to a broken flow aggregation, the flow table might overflow,
resulting in forced flow expiration. Which, as I was told, can lead to
constant 100% CPU usage of the softflowd process. Another effect is the
resulting flow files captured by nfcapd(1) (from the nfdump package)
are way bigger than before the upgrade, and nfcapd creating a lot of
noise in the syslog as well.

This was fixed upstream although not quite in an obvious way - thanks
to bisecting this wasn't a big problem anyway. According to tests done
by the reporter the fix ended the massive CPU usage, for the other
effects I can confirm the desired behaviour as seen in the previous
Debian 9 ("stretch") version is restored as well.

For the next stable point release, version 0.9.9-5+deb10u1 was already
uploaded to the applicable queue.

Suggested one-line description: Fix broken netflow aggregation

Regards,
Christoph
-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.19 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru softflowd-0.9.9/debian/changelog softflowd-0.9.9/debian/changelog
--- softflowd-0.9.9/debian/changelog 2018-10-26 17:10:09.000000000 +0200
+++ softflowd-0.9.9/debian/changelog 2019-12-05 00:21:02.000000000 +0100
@@ -1,3 +1,10 @@
+softflowd (0.9.9-5+deb10u1) buster; urgency=medium
+
+ * Fix roken flow aggregation which might result in flow table overflow
+ and 100% CPU usage.
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Thu, 05 Dec 2019 00:21:02 +0100
+
softflowd (0.9.9-5) unstable; urgency=high
* Don't migrate legacy config if it wasn't modified. Closes: #910214
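Review bot: The first bullet of the new changelog entry has a typo: "Fix roken flow aggregation" should read "Fix broken flow aggregation". The 0.9.9-5 entry below it carries "Closes: #910214", while the new entry references no bug number; if the regression was reported in the BTS, a Closes: would tie the upload to that report.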
diff -Nru softflowd-0.9.9/debian/patches/cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch softflowd-0.9.9/debian/patches/cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch
--- softflowd-0.9.9/debian/patches/cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch 1970-01-01 01:00:00.000000000 +0100
+++ softflowd-0.9.9/debian/patches/cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch 2019-12-05 00:21:02.000000000 +0100
@@ -0,0 +1,68 @@
+Subject: [ Add option "-a" for reading pcap file and ] fix some bugs
+Origin: softflowd-0.9.9-22-ge6d29a1 <https://github.com/irino/softflowd/commit/e6d29a1>
+Upstream-Author: Hitoshi Irino <irino@sfc.wide.ad.jp>
+Date: Sun May 26 23:00:41 2019 +0900
+Comment: Fixes a regression introduced in buster: The flow aggregation
+ is broken, causing a new flow to generated for virtually each packet.
+ If the daemon sees a lot of traffic, the flow table might overflow,
+ resulting in forced expiration and 100% CPU usage.
+ .
+ Thanks Johanna Jerzembeck for reporting and testing.
+
+ - fix flow_compare for comparing vlan and ether
+ [ - fix missing sequence in netflow v9 ]
+
+
+--- a/softflowd.c
++++ b/softflowd.c
+@@ -55,6 +55,8 @@
+ static int verbose_flag = 0; /* Debugging flag */
+ static u_int16_t if_index = 0; /* "manual" interface index */
+
++static int track_level;
++
+ /* Signal handler flags */
+ static volatile sig_atomic_t graceful_shutdown_request = 0;
+
+@@ -144,15 +146,21 @@
+ {
+ /* Be careful to avoid signed vs unsigned issues here */
+ int r;
++ if (track_level == TRACK_FULL_VLAN || track_level == TRACK_FULL_VLAN_ETHER) {
++ if (a->vlanid[0] != b->vlanid[0])
++ return (a->vlanid[0] > b->vlanid[0] ? 1 : -1);
++
++ if (a->vlanid[1] != b->vlanid[1])
++ return (a->vlanid[1] > b->vlanid[1] ? 1 : -1);
++ }
+
+- if (a->vlanid != b->vlanid)
+- return (a->vlanid > b->vlanid ? 1 : -1);
+-
++ if (track_level == TRACK_FULL_VLAN_ETHER) {
+ if ((r = memcmp(&a->ethermac[0], &b->ethermac[0], 6)) != 0)
+ return (r > 0 ? 1 : -1);
+
+ if ((r = memcmp(&a->ethermac[1], &b->ethermac[1], 6)) != 0)
+ return (r > 0 ? 1 : -1);
++ }
+
+ if (a->af != b->af)
+ return (a->af > b->af ? 1 : -1);
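Review bot: The patch header describes only the symptom, while the root cause sits in the removed check `a->vlanid != b->vlanid` in this flow_compare hunk and is worth naming in the Comment field. The replacement lines index `vlanid[0]` and `vlanid[1]`, which indicates vlanid is an array, so the old expression compared the addresses of the two arrays instead of the VLAN tags and two distinct flow records would never compare equal. The hunk also stops comparing the MAC addresses unless track_level is TRACK_FULL_VLAN_ETHER, where the replaced code compared them unconditionally; that change in what counts as the same flow should be mentioned in the header as well.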
+@@ -1526,7 +1534,7 @@
+
+ ft->param.max_flows = DEFAULT_MAX_FLOWS;
+
+- ft->param.track_level = TRACK_FULL;
++ track_level = ft->param.track_level = TRACK_FULL;
+
+ ft->param.tcp_timeout = DEFAULT_TCP_TIMEOUT;
+ ft->param.tcp_rst_timeout = DEFAULT_TCP_RST_TIMEOUT;
+@@ -1882,6 +1890,7 @@
+ usage();
+ exit(1);
+ }
++ track_level = flowtrack.param.track_level;
+ break;
+ case 'L':
+ hoplimit = atoi(optarg);
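Review bot: The added `track_level = flowtrack.param.track_level;` in the option parser, like the chained assignment `track_level = ft->param.track_level = TRACK_FULL;` in the init hunk, maintains a second copy of the tracking level in a file-scope static that flow_compare reads. Nothing in the visible hunks keeps the two copies equal, so any other write to param.track_level would leave the comparator ordering flows by a stale level. Consider a comment on `static int track_level;` stating that it mirrors param.track_level and must not change once flows are in the table, or have the comparator take the level from the flow table itself.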
diff -Nru softflowd-0.9.9/debian/patches/series softflowd-0.9.9/debian/patches/series
--- softflowd-0.9.9/debian/patches/series 2018-09-14 19:40:33.000000000 +0200
+++ softflowd-0.9.9/debian/patches/series 2019-12-05 00:21:02.000000000 +0100
@@ -14,3 +14,4 @@
cherry-pick.softflowd-0.9.9-13-g49c039a.added-define-default-source-line-to-avoid-warning-in-linux.patch
cherry-pick.softflowd-0.9.9-14-g8a47e87.adding-current-repository-information-in-readme.patch
cherry-pick.softflowd-0.9.9-16-gbbd0685.add-check-of-the-length-of-string-for-i-interface-option.patch
+cherry-pick.softflowd-0.9.9-22-ge6d29a1.fix-some-bugs.patch