From 07929da460dcafb98c963c699428259726ba6139 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka
Date: Tue, 9 Jan 2018 13:35:41 -0800
Subject: [PATCH] Create new ovs ports with dead vlan tag If the port is not tagged as dead, it is exposed to traffic from other networks also plugged in the bridge. While neutron is going to tag those ports as dead once it detects them, there is still window between the moment os-vif / nova create the port, and the moment neutron plugs the hole. To avoid the exposure window, this patch tags the port in the same ovsdb transaction that creates it.
Change-Id: I36ea4e9c5a7b29ad2192d8135ae93c8d92866c7e
Closes-Bug: #1734320
Co-Authored-By: ???
---
 vif_plug_ovs/linux_net.py | 5 +++++
 vif_plug_ovs/tests/unit/test_linux_net.py | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/vif_plug_ovs/linux_net.py b/vif_plug_ovs/linux_net.py
index b84a466..03b6664 100644
--- a/vif_plug_ovs/linux_net.py
+++ b/vif_plug_ovs/linux_net.py
@@ -44,6 +44,8 @@ VF_RE = re.compile("vf(\d+)", re.IGNORECASE)
 # phys_port_name contains PF## or pf##
 PF_RE = re.compile("pf(\d+)", re.IGNORECASE)
+DEAD_VLAN_TAG = 4095 # same value used by neutron
+
 def _ovs_vsctl(args, timeout=None):
 full_args = ['ovs-vsctl']
@@ -63,6 +65,9 @@ def _create_ovs_vif_cmd(bridge, dev, iface_id, mac, vhost_server_path=None):
 cmd = ['--', '--if-exists', 'del-port', dev, '--', 'add-port', bridge, dev,
+ # tag the port as dead right away to avoid window when it's exposed
+ # to traffic from other networks
+ 'tag=%d' % DEAD_VLAN_TAG,
 '--', 'set', 'Interface', dev,
 'external-ids:iface-id=%s' % iface_id,
 'external-ids:iface-status=active',
diff --git a/vif_plug_ovs/tests/unit/test_linux_net.py b/vif_plug_ovs/tests/unit/test_linux_net.py
index 18dabbb..a1d6850 100644
--- a/vif_plug_ovs/tests/unit/test_linux_net.py
+++ b/vif_plug_ovs/tests/unit/test_linux_net.py
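Review bot: The comment on `DEAD_VLAN_TAG` in the first hunk of `linux_net.py` says only that neutron uses the same value, which leaves a reader without the reason 4095 was chosen or what breaks if the two drift apart. Going by the commit message, this is the tag neutron puts on ports it has not wired yet, so the value is a contract with neutron rather than a local choice. I would spell that out, for example `# VLAN tag neutron's OVS agent gives to ports it has not wired yet;` followed by `# must stay equal to neutron's DEAD_VLAN_TAG`.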
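Review bot: The new `'tag=%d' % DEAD_VLAN_TAG` argument in `_create_ovs_vif_cmd` is unconditional, so every port built by this helper (including vhost-user ports, given the `vhost_server_path` parameter) stays on VLAN 4095 until something rewrites its `tag` column. The commit message relies on neutron doing that; on a bridge that no neutron OVS agent manages, the port would presumably never carry traffic, so the dependency should be stated in the comment, e.g. `# fail closed: the port stays on the dead VLAN until the neutron agent sets its real tag`, or the tag should be made configurable. The tag also only separates the port from other VLANs: two freshly created ports both sit on 4095, and whether traffic between them is dropped depends on the bridge's flows, which this hunk does not show. The `cmd` list continues past the end of the hunk.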
@@ -134,7 +134,7 @@ class LinuxNetTest(testtools.TestCase):
 def test_ovs_vif_port_cmd(self):
 expected = ['--', '--if-exists', 'del-port', 'fake-dev', '--', 'add-port',
- 'fake-bridge', 'fake-dev',
+ 'fake-bridge', 'fake-dev', 'tag=4095',
 '--', 'set', 'Interface', 'fake-dev',
 'external-ids:iface-id=fake-iface-id',
 'external-ids:iface-status=active',
-- 2.9.4