networking-ovn

Unnecessary ACL added for DHCP traffic

Bug #1790900 reported by Daniel Alvarez
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
networking-ovn
Fix Released
Medium
Taoyunxiang

Bug Description

We are adding ACLs to allow DHCP traffic for every subnet but those are not needed since ovn-northd is adding the necessary logical flows to handle the requests/responses. (Actually due to a bug, we weren't adding them after the Port Groups support got merged and this is how I realized).

First it's adding REGBIT_CONNTRACK_DEFRAG to the pre_acl table in the Ingress pipeline [0] and later it's getting sent to conntrack [1] which eventually will hit the DHCP responder [2]

[0] https://github.com/openvswitch/ovs/blob/v2.10.0/ovn/northd/ovn-northd.c#L3191
[1] https://github.com/openvswitch/ovs/blob/v2.10.0/ovn/northd/ovn-northd.c#L3318
[2] https://github.com/openvswitch/ovs/blob/v2.10.0/ovn/northd/ovn-northd.c#L2767

I tried to remove the ACLS that we're adding in networking-ovn and request DHCP from a server. The VM got the response (10.0.0.3) and I'm attaching both the flows getting hit plus the ovn-trace output.

Flows:

table=0, n_packets=245, n_bytes=31200, idle_age=2, priority=100,in_port=2 actions=load:0x8->NXM_NX_REG13[],load:0x4->NXM_NX_REG11[],load:0x5->NXM_NX_REG12[],load:0x1->OXM_OF_METADATA[],load:0x5->NXM_NX_REG14[],resubmit(,8)
table=8, n_packets=245, n_bytes=31200, idle_age=2, priority=50,reg14=0x5,metadata=0x1,dl_src=fa:16:3e:00:14:fe actions=resubmit(,9)
table=9, n_packets=8, n_bytes=2656, idle_age=2, priority=90,udp,reg14=0x5,metadata=0x1,dl_src=fa:16:3e:00:14:fe,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=resubmit(,10)
table=10, n_packets=1624, n_bytes=192059, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,11)
table=11, n_packets=498, n_bytes=59819, idle_age=2, priority=100,ip,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,12)
table=12, n_packets=515, n_bytes=60829, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,13)
table=13, n_packets=498, n_bytes=59819, idle_age=2, hard_age=65534, priority=100,ip,reg0=0x1/0x1,metadata=0x1 actions=ct(table=14,zone=NXM_NX_REG13[0..15])
table=14, n_packets=26, n_bytes=4250, idle_age=2, priority=2002,ct_state=+new-est+trk,ip,reg14=0x5,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
table=15, n_packets=1627, n_bytes=192017, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,16)
table=16, n_packets=1627, n_bytes=192017, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,17)
table=17, n_packets=1627, n_bytes=192017, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,18)
table=18, n_packets=36, n_bytes=5110, idle_age=2, hard_age=65534, priority=100,ip,reg0=0x2/0x2,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0])),resubmit(,19)
table=19, n_packets=1614, n_bytes=191399, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,20)
table=20, n_packets=8, n_bytes=2656, idle_age=2, priority=100,udp,reg14=0x5,metadata=0x1,dl_src=fa:16:3e:00:14:fe,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=controller(userdata=00.00.00.02.00.00.00.00.00.01.de.10.00.00.00.63.0a.00.00.03.79.0e.20.a9.fe.a9.fe.0a.00.00.02.00.0a.00.00.01.06.0c.0a.c8.10.03.0a.c8.10.02.0a.c8.10.04.33.04.00.00.a8.c0.1a.02.05.a2.01.04.ff.ff.ff.c0.03.04.0a.00.00.01.36.04.0a.00.00.01,pause),resubmit(,21)
table=43, n_packets=547, n_bytes=64394, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,44)
table=44, n_packets=8, n_bytes=2816, idle_age=2, priority=34000,udp,reg15=0x5,metadata=0x1,dl_src=fa:16:3e:8c:ca:24,nw_src=10.0.0.1,tp_src=67,tp_dst=68 actions=ct(commit,zone=NXM_NX_REG13[0..15]),resubmit(,45)
table=45, n_packets=542, n_bytes=63976, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,46)
table=46, n_packets=542, n_bytes=63976, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,47)
table=47, n_packets=522, n_bytes=62424, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,48)
table=48, n_packets=268, n_bytes=31773, idle_age=2, priority=90,ip,reg15=0x5,metadata=0x1,dl_dst=fa:16:3e:00:14:fe,nw_dst=10.0.0.3 actions=resubmit(,49)
table=49, n_packets=274, n_bytes=32025, idle_age=2, priority=50,reg15=0x5,metadata=0x1,dl_dst=fa:16:3e:00:14:fe actions=resubmit(,64)
table=64, n_packets=14, n_bytes=3068, idle_age=2, priority=100,reg10=0x1/0x1,reg15=0x5,metadata=0x1 actions=push:NXM_OF_IN_PORT[],load:0->NXM_OF_IN_PORT[],resubmit(,65),pop:NXM_OF_IN_PORT[]
table=65, n_packets=290, n_bytes=33873, idle_age=2, priority=100,reg15=0x5,metadata=0x1 actions=output:2

OVN_TRACE:

ovn-trace --detailed neutron-cdc8d3ed-9510-4e60-929b-3bbf2c35e2df 'inport == "edd9d341-1bb1-4743-8b51-b37a35ba0a97" && eth.src == fa:16:3e:00:14:fe && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && eth.dst == ff:ff:ff:ff:ff:ff && ip && udp && udp.src == 68 && udp.dst == 67'

# udp,reg14=0x5,vlan_tci=0x0000,dl_src=fa:16:3e:00:14:fe,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=68,tp_dst=67

ingress(dp="private", inport="edd9d3")
--------------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4060): inport == "edd9d3" && eth.src == {fa:16:3e:00:14:fe}, priority 50, uuid 8de482a7
    next;
 1. ls_in_port_sec_ip (ovn-northd.c:2776): inport == "edd9d3" && eth.src == fa:16:3e:00:14:fe && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67, priority 90, uuid d41a3488
    next;
 3. ls_in_pre_acl (ovn-northd.c:3192): ip, priority 100, uuid c4cd96ef
    reg0[0] = 1;
    next;
 5. ls_in_pre_stateful (ovn-northd.c:3319): reg0[0] == 1, priority 100, uuid ce8c6d37
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 6. ls_in_acl (ovn-northd.c:3506): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_d7264c6c_5c0b_48e8_a1a3_d4840bf5ddf4 && ip4), priority 2002, uuid 2a4a36b1
    next;
12. ls_in_dhcp_options (ovn-northd.c:4239): inport == "edd9d3" && eth.src == fa:16:3e:00:14:fe && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67, priority 100, uuid ae83388c
    reg0[3] = put_dhcp_opts(offerip = 10.0.0.3, classless_static_route = {169.254.169.254/32, 10.0.0.2, 0.0.0.0/0, 10.0.0.1}, dns_server = {10.200.16.3, 10.200.16.2, 10.200.16.4}, lease_time = 43200, mtu = 1442, netmask = 255.255.255.192, router = 10.0.0.1, server_id = 10.0.0.1);
    /* We assume that this packet is DHCPDISCOVER or DHCPREQUEST. */
    next;
13. ls_in_dhcp_response (ovn-northd.c:4268): inport == "edd9d3" && eth.src == fa:16:3e:00:14:fe && ip4 && udp.src == 68 && udp.dst == 67 && reg0[3], priority 100, uuid ea0c55a3
    eth.dst = eth.src;
    eth.src = fa:16:3e:8c:ca:24;
    ip4.dst = 10.0.0.3;
    ip4.src = 10.0.0.1;
    udp.src = 67;
    udp.dst = 68;
    outport = inport;
    flags.loopback = 1;
    output;

egress(dp="private", inport="edd9d3", outport="edd9d3")
-------------------------------------------------------
 1. ls_out_pre_acl (ovn-northd.c:3194): ip, priority 100, uuid e0a1ca39
    reg0[0] = 1;
    next;
 2. ls_out_pre_stateful (ovn-northd.c:3321): reg0[0] == 1, priority 100, uuid 56b4f089
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 4. ls_out_acl (ovn-northd.c:3781): outport == "edd9d3" && eth.src == fa:16:3e:8c:ca:24 && ip4.src == 10.0.0.1 && udp && udp.src == 67 && udp.dst == 68, priority 34000, uuid daad37f2
    ct_commit;
    next;
 8. ls_out_port_sec_ip (ovn-northd.c:2815): outport == "edd9d3" && eth.dst == fa:16:3e:00:14:fe && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.3}, priority 90, uuid 2c84f2ee
    next;
 9. ls_out_port_sec_l2 (ovn-northd.c:4518): outport == "edd9d3" && eth.dst == {fa:16:3e:00:14:fe}, priority 50, uuid 0683d60e
    output;
    /* output to "edd9d3", type "" */

At this point I think that we can safely drop the code which adds this ACLs, ie. not creating/maintaining the Port Groups associated to the subnets anymore as they're not needed.

Lucas Alvares Gomes (lucasagomes)
Changed in networking-ovn:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (master)

Reviewed: https://review.openstack.org/600365
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=d5a0de261507192b61f2cdf80a537ceaa0792dc3
Submitter: Zuul
Branch: master

commit d5a0de261507192b61f2cdf80a537ceaa0792dc3
Author: Daniel Alvarez <email address hidden>
Date: Thu Sep 6 07:29:45 2018 +0000

    Drop subnet Port Groups

    This patch is dropping the code that creates and handles the
    subnet Port Groups. Those were used to place the ACLs that
    allowed DHCP traffic to reach the responder in the OVN
    pipeline but as explained in the bug description, it's
    not needed anymore.

    Change-Id: I30bee5c5576554b162e66e1b5dfbe734522ab363
    Closes-Bug: #1790900
    Signed-off-by: Daniel Alvarez <email address hidden>

Changed in networking-ovn:
status: Confirmed → Fix Released
Daniel Alvarez (dalvarezs)
Changed in networking-ovn:
assignee: nobody → Daniel Alvarez (dalvarezs)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/611244

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/611671

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (stable/rocky)

Reviewed: https://review.openstack.org/611671
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=f58644ac13e1bb261a3c2d533e535ddfb5929a95
Submitter: Zuul
Branch: stable/rocky

commit f58644ac13e1bb261a3c2d533e535ddfb5929a95
Author: Daniel Alvarez <email address hidden>
Date: Thu Sep 6 07:29:45 2018 +0000

    Drop subnet Port Groups

    This patch is dropping the code that creates and handles the
    subnet Port Groups. Those were used to place the ACLs that
    allowed DHCP traffic to reach the responder in the OVN
    pipeline but as explained in the bug description, it's
    not needed anymore.

    Change-Id: I30bee5c5576554b162e66e1b5dfbe734522ab363
    Closes-Bug: #1790900
    Signed-off-by: Daniel Alvarez <email address hidden>
    (cherry picked from commit d5a0de261507192b61f2cdf80a537ceaa0792dc3)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (master)

Reviewed: https://review.openstack.org/611244
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=74a46adfd3248f5e1edb18b39790f9117cf85d6a
Submitter: Zuul
Branch: master

commit 74a46adfd3248f5e1edb18b39790f9117cf85d6a
Author: Daniel Alvarez <email address hidden>
Date: Wed Oct 17 08:23:40 2018 +0200

    Removing leftovers from subnet Port Groups

    This patch is removing a method which was written to insert
    ACLs to allow DHCP traffic. See change [0] and related bug
    for details.

    [0] I30bee5c5576554b162e66e1b5dfbe734522ab363

    Change-Id: I46bde139f8ee836b4b8ecf10de3fc29403505e4d
    Related-Bug: #1790900
    Signed-off-by: Daniel Alvarez <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 6.0.0.0b1

This issue was fixed in the openstack/networking-ovn 6.0.0.0b1 development milestone.

Revision history for this message
Taoyunxiang (taoyunxiang) wrote :

my question:

1.when I create a vm with a sg which has no rules,the vm can not get ip address by dhcp.
2.when i use ovn-trace to fllow it ,i found it was dropped by neutron_pg_drop

in my opinion,the reason why the above test passed,is because when you create an security group or use a default security group ,it allows all the traffic out of the vm

Revision history for this message
Taoyunxiang (taoyunxiang) wrote :

the fllowing is the print of ovn-trace:

[root@ovn1 ~]# ovn-trace --detailed neutron-5fd7118a-4bfa-46ad-b5ad-86948682d319 'inport == "1d3bfbc5-55c2-4e4b-95aa-e951fc79dbef" && eth.src == fa:16:3e:37:76:9b && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67'
# udp,reg14=0x2,vlan_tci=0x0000,dl_src=fa:16:3e:37:76:9b,dl_dst=00:00:00:00:00:00,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=68,tp_dst=67

ingress(dp="tyx-geneve1", inport="1d3bfb")
------------------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4060): inport == "1d3bfb" && eth.src == {fa:16:3e:37:76:9b}, priority 50, uuid 2ab5c8dc
    next;
 1. ls_in_port_sec_ip (ovn-northd.c:2776): inport == "1d3bfb" && eth.src == fa:16:3e:37:76:9b && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67, priority 90, uuid d9e2bd39
    next;
 6. ls_in_acl (ovn-northd.c:3574): inport == @neutron_pg_drop && ip, priority 2001, uuid b7a5c6b7
    drop;

Changed in networking-ovn:
assignee: Daniel Alvarez (dalvarezs) → Taoyunxiang (taoyunxiang)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/656475

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/657179

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-ovn (master)

Change abandoned by Lucas Alvares Gomes (<email address hidden>) on branch: master
Review: https://review.opendev.org/656475
Reason: Duplicated with: https://review.opendev.org/#/c/657179/

Revision history for this message
Taoyunxiang (taoyunxiang) wrote :

Hi,Daniel,

    I find the vm without a security group still can not get ip address now.My environment is OVS/OVN 2.10,openstack Rocky.

    The patch( https://github.com/openvswitch/ovs/blob/v2.10.0/ovn/northd/ovn-northd.c#L2767) you mentioned,is pass traffic in the 'ls_in_port_sec_ip' stage . But I can not find any patch you mentioned is about 'ls_in_acl' stage.

   Although you have give the put of 'ovn-trace',but i still do not know how it happens. Please give me some explain.

thanks,
Yun

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/680602

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/681564

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/681567

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-ovn (stable/queens)

Change abandoned by Maciej Józefczyk (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/681564
Reason: Needed to be squashed with https://review.opendev.org/#/c/594138/9 because of failing tests.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (stable/rocky)

Reviewed: https://review.opendev.org/680602
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=bb30bfce21a56cf0bf93c9aaa1676c9d4b922eb3
Submitter: Zuul
Branch: stable/rocky

commit bb30bfce21a56cf0bf93c9aaa1676c9d4b922eb3
Author: Daniel Alvarez <email address hidden>
Date: Wed Oct 17 08:23:40 2018 +0200

    Removing leftovers from subnet Port Groups

    This patch is removing a method which was written to insert
    ACLs to allow DHCP traffic. See change [0] and related bug
    for details.

    [0] I30bee5c5576554b162e66e1b5dfbe734522ab363

    Change-Id: I46bde139f8ee836b4b8ecf10de3fc29403505e4d
    Related-Bug: #1790900
    Signed-off-by: Daniel Alvarez <email address hidden>
    (cherry picked from commit 74a46adfd3248f5e1edb18b39790f9117cf85d6a)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (stable/queens)

Reviewed: https://review.opendev.org/681567
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=8fdb521b55b95b0d06219f7be6790fe109b344c0
Submitter: Zuul
Branch: stable/queens

commit 8fdb521b55b95b0d06219f7be6790fe109b344c0
Author: Daniel Alvarez <email address hidden>
Date: Wed Oct 17 08:23:40 2018 +0200

    Removing leftovers from subnet Port Groups

    This patch is removing a method which was written to insert
    ACLs to allow DHCP traffic. See change [0] and related bug
    for details.

    [0] I30bee5c5576554b162e66e1b5dfbe734522ab363

    Change-Id: I46bde139f8ee836b4b8ecf10de3fc29403505e4d
    Related-Bug: #1790900
    Signed-off-by: Daniel Alvarez <email address hidden>
    (cherry picked from commit 74a46adfd3248f5e1edb18b39790f9117cf85d6a)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-ovn (master)

Change abandoned by Taoyunxiang (<email address hidden>) on branch: master
Review: https://review.opendev.org/657179

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 5.1.0

This issue was fixed in the openstack/networking-ovn 5.1.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.