OVS unnecessarily drops rule on setup_arp_protection

Bug #1520013 reported by Kevin Benton
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Kevin Benton

Bug Description

In the setup_arp_protection call of OVS, the first step is always to remove all of the rules for that port. However, in the majority of cases, the jump rule will be added right back in, so this is a waste of resources.

The Linux bridge ARP spoofing only clears the rules if ARP spoofing protection needs to be removed.

https://github.com/openstack/neutron/blob/66eced001404064442f27f2fff28d5c4f2e18c18/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py#L32
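
A small model of the two behaviours described in this report, added here as an example; it is not neutron's code. `FakeBridge`, the port dictionaries, the port names and every function name are assumptions made for illustration, and the "fixed" variant follows only what the merged commit message states.

```python
class FakeBridge:
    """Hypothetical stand-in for the OVS bridge; records flow operations."""

    def __init__(self):
        self.jump_installed = set()  # ports whose ARP traffic jumps to the ARP table
        self.ops = []                # (operation, port name) log

    def delete_arp_rules(self, name):
        self.ops.append(("delete", name))
        self.jump_installed.discard(name)

    def install_arp_rules(self, name):
        self.ops.append(("add", name))
        self.jump_installed.add(name)


def needs_protection(port):
    # Commit message: the jump rule goes away only when port security is
    # disabled or the port is a network port.
    return port["port_security_enabled"] and not port["network_port"]


def setup_old(bridge, port):
    """Reported behaviour: always clear first, then usually add the jump back."""
    bridge.delete_arp_rules(port["name"])
    if needs_protection(port):
        bridge.install_arp_rules(port["name"])


def setup_fixed(bridge, port):
    """Fixed behaviour: clear only when protection has to be removed."""
    if not needs_protection(port):
        bridge.delete_arp_rules(port["name"])
        return
    bridge.install_arp_rules(port["name"])


def replay(setup, updates):
    """Run a sequence of port updates; return (delete count, protected ports)."""
    bridge = FakeBridge()
    for port in updates:
        setup(bridge, port)
    deletes = sum(1 for op, _ in bridge.ops if op == "delete")
    return deletes, sorted(bridge.jump_installed)


# Constructed workload: 99 updates to a secured VM port, then one network port.
VM = {"name": "tap-vm", "port_security_enabled": True, "network_port": False}
ROUTER = {"name": "qr-router", "port_security_enabled": True, "network_port": True}
UPDATES = [VM] * 99 + [ROUTER]
```

Both variants leave the same port protected at the end of the run; only the number of delete operations sent to the switch differs.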

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/250090

Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
status: New → In Progress

Armando Migliaccio (armando-migliaccio) wrote :

This looks like it may have a bit of a performance impact if run a gazillion times.

Changed in neutron:
importance: Undecided → High
tags: added: loadimpact

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/250119

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/250121

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/250090
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ea4165c2af2ad5c7b5423e25c507598ebd30f7b5
Submitter: Jenkins
Branch: master

commit ea4165c2af2ad5c7b5423e25c507598ebd30f7b5
Author: Kevin Benton <email address hidden>
Date: Wed Nov 25 15:42:46 2015 -0800

    Don't drop ARP table jump during OVS rewiring

    The previous OVS ARP spoofing code was dropping the rule to jump to
    the ARP protection table each time it was called. This call was
    unnecessary since the majority of port updates are not turning
    off port security.

    This patch adjusts the logic to only drop the jump rule if port-sec
    is disabled or if it is a network port. The existing functional tests
    ensure that connectivity works as expected.

    Closes-Bug: #1520013
    Change-Id: I7b396d758c2d4c7e1004257d432b210bf3ee5c66

Changed in neutron:
status: In Progress → Fix Committed

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/kilo)

Reviewed: https://review.openstack.org/250121
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a6059a8b5feb6c372ccbabdbaa99652d7ffa217b
Submitter: Jenkins
Branch: stable/kilo

commit a6059a8b5feb6c372ccbabdbaa99652d7ffa217b
Author: Kevin Benton <email address hidden>
Date: Wed Nov 25 18:36:09 2015 -0800

    Don't drop ARP table jump during OVS rewiring

    The previous OVS ARP spoofing code was dropping the rule to jump to
    the ARP protection table each time it was called. This call was
    unnecessary since the majority of port updates are not turning
    off port security.

    This patch adjusts the logic to only drop the jump rule if port-sec
    is disabled or if it is a network port. The existing functional tests
    ensure that connectivity works as expected.

    Closes-Bug: #1520013
    Change-Id: I7b396d758c2d4c7e1004257d432b210bf3ee5c66
    (cherry picked from commit ea4165c2af2ad5c7b5423e25c507598ebd30f7b5)

tags: added: in-stable-kilo
tags: added: in-stable-liberty

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/liberty)

Reviewed: https://review.openstack.org/250119
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c78ad00d6b0e0b9c0eec45c7fbd1ba732d6ee17e
Submitter: Jenkins
Branch: stable/liberty

commit c78ad00d6b0e0b9c0eec45c7fbd1ba732d6ee17e
Author: Kevin Benton <email address hidden>
Date: Wed Nov 25 15:42:46 2015 -0800

    Don't drop ARP table jump during OVS rewiring

    The previous OVS ARP spoofing code was dropping the rule to jump to
    the ARP protection table each time it was called. This call was
    unnecessary since the majority of port updates are not turning
    off port security.

    This patch adjusts the logic to only drop the jump rule if port-sec
    is disabled or if it is a network port. The existing functional tests
    ensure that connectivity works as expected.

    Closes-Bug: #1520013
    Change-Id: I7b396d758c2d4c7e1004257d432b210bf3ee5c66
    (cherry picked from commit ea4165c2af2ad5c7b5423e25c507598ebd30f7b5)

Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.0.0.0b1

This issue was fixed in the openstack/neutron 8.0.0.0b1 development milestone.

Changed in neutron:
status: Fix Committed → Fix Released

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron 7.0.1

This issue was fixed in the openstack/neutron 7.0.1 release.
