Juniper Openstack

RPF check for bridged packets checks source-mac instead of source-ip

Bug #1424942 reported by Praveen
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R2.1
Won't Fix
Medium
Naveen N
Juniper Openstack r2.11 "r2.11"
R2.20
Fix Committed
Medium
Naveen N
Juniper Openstack r2.20-fcs
Trunk
Fix Committed
Medium
Naveen N
Juniper Openstack r3.0-fcs

Bug Description

We want the RPF check to validate source-ip of the packet irrespective of whether packet is bridged or routed. But, in R2.1 when packet is bridged, the RPF check is based on source-mac instead of source-ip.

Tags: vrouter
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : master

Review in progress for https://review.opencontrail.org/8200
Submitter: Naveen N (<email address hidden>)

Ashish Ranjan (aranjan-n)
information type: Proprietary → Public
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/8200
Committed: http://github.org/Juniper/contrail-controller/commit/b032227fcb4ee0824ce5a88b44cb93efd7409008
Submitter: Zuul
Branch: master

commit b032227fcb4ee0824ce5a88b44cb93efd7409008
Author: Naveen N <email address hidden>
Date: Mon May 4 21:45:53 2015 +0530

Pick rpf nexthop for layer2 flow from layer3 route table.

In case of layer2 flows rpf nexthop was getting picked from
layer2 routes only, RPF check should be done on layer3 route
and changing the logic for same.
1> In case of egress flow, if there is a host route then
that route would be used to set RPF nh, this is because
for some baremetal flow agent may not be aware of layer address
2> Ingress flow always check for layer3 route.
Test case for same.
Closes-bug:#1424942
Change-Id: If92f4369332ae602572bc92a627b50b51cb765d9

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : R2.20

Review in progress for https://review.opencontrail.org/9983
Submitter: Naveen N (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : master

Review in progress for https://review.opencontrail.org/10161
Submitter: Naveen N (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : R2.20

Review in progress for https://review.opencontrail.org/10174
Submitter: Naveen N (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/9983
Committed: http://github.org/Juniper/contrail-controller/commit/e52f6c3cdd41cb948752103b3360230b552d3f4c
Submitter: Zuul
Branch: R2.20

commit e52f6c3cdd41cb948752103b3360230b552d3f4c
Author: Naveen N <email address hidden>
Date: Mon May 4 21:45:53 2015 +0530

Pick rpf nexthop for layer2 flow from layer3 route table.

In case of layer2 flows rpf nexthop was getting picked from
layer2 routes only, RPF check should be done on layer3 route
and changing the logic for same.
1> In case of egress flow, if there is a host route then
that route would be used to set RPF nh, this is because
for some baremetal flow agent may not be aware of layer address
2> Ingress flow always check for layer3 route.
Test case for same.
Closes-bug:#1424942
Change-Id: If92f4369332ae602572bc92a627b50b51cb765d9
(cherry picked from commit b032227fcb4ee0824ce5a88b44cb93efd7409008)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/10161
Committed: http://github.org/Juniper/contrail-vrouter/commit/a39f4ae6c9547a4ac8557bd563dff62489bf73e3
Submitter: Zuul
Branch: master

commit a39f4ae6c9547a4ac8557bd563dff62489bf73e3
Author: Naveen N <email address hidden>
Date: Mon May 11 13:46:23 2015 +0530

Program flow with invalid key src nexthop, so that rpf check fails

Agent reserves index 2, and this nexthop would never be programmed
in kernel. Whenever agent doesnt find a route for rpf check
this nexthop index would be used to program flow. Hence
removing the check for src nexthop.
Closes-bug:#1424942

Change-Id: I45841f20a749542a7fa0b488bfc5889e5c4d8a54

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/10174
Committed: http://github.org/Juniper/contrail-vrouter/commit/934b07db0282f598d76a64f2a860b091abcc0b40
Submitter: Zuul
Branch: R2.20

commit 934b07db0282f598d76a64f2a860b091abcc0b40
Author: Naveen N <email address hidden>
Date: Mon May 11 13:46:23 2015 +0530

Program flow with invalid key src nexthop, so that rpf check fails

Agent reserves index 2, and this nexthop would never be programmed
in kernel. Whenever agent doesnt find a route for rpf check
this nexthop index would be used to program flow. Hence
removing the check for src nexthop.
Closes-bug:#1424942

Change-Id: I45841f20a749542a7fa0b488bfc5889e5c4d8a54
(cherry picked from commit a39f4ae6c9547a4ac8557bd563dff62489bf73e3)

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.