Traffic from VXLAN networks is exposed with local VIDs to br-ethX bridge

Bug #1643493 reported by Vladislav Odintsov
Affects: networking-vsphere
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

On the stable/mitaka branch (head commit: 1bc2d6d) I see wrong behaviour when using VLAN and VXLAN tenant networks simultaneously. When a packet arrives at br-tun (ingress packet), it is assigned a local VLAN ID, e.g. 10, and this packet is sent to the integration bridge. In br-int this packet matches a common flow like this:
cookie=0x826acdefc21bef5c, duration=7599.982s, table=0, n_packets=3169, n_bytes=252218, idle_age=19, priority=0 actions=NORMAL

So with VXLAN networks only, this packet goes to br-sec and arrives at the destination VM - OK.
But if we use both (VLAN and VXLAN tenant networks), this packet goes to both bridges: br-sec and br-ethX. Such behaviour can have a security impact on customers: a customer whose VLAN network's segmentation ID is 10 can see traffic from customers whose local VLAN ID is 10.

In my small testing lab, to check my understanding, I've added this flow and local VIDs stopped going out from br-ethX:

# echo "cookie=0x826acdefc21bef5c, in_port=3 actions=output:4" | ovs-ofctl add-flows br-int -

in_port=3 - patch from br-tun
output:4 - patch to br-sec.

Can somebody suggest how to fix this issue and propose it to the upstream repo?

Rgrds,
Vlad
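As an added example (not code from the bug report or from the networking-vsphere project), a Python check that parses the text output of `ovs-ofctl dump-flows br-int` and reports whether traffic arriving from the br-tun patch port is pinned to the br-sec patch port at a priority above the catch-all NORMAL flow, i.e. whether the workaround flow from the report is in place. The patch port numbers 3 and 4 follow the reporter's lab; the two flow dumps are constructed.

```python
"""Detect whether br-int table 0 still hands br-tun traffic to the NORMAL
action (local VIDs leak to br-ethX) or pins it to the br-sec patch port."""
import re


def parse_flows(dump):
    """Parse `ovs-ofctl dump-flows` text into dicts of table/priority/in_port/actions."""
    flows = []
    for line in dump.splitlines():
        line = line.strip()
        # Skip blank lines and the reply header (NXST_FLOW / OFPST_FLOW).
        if not line or re.match(r"^(NXST|OFPST)_FLOW", line):
            continue
        match_part, _, actions = line.partition("actions=")
        fields = {}
        for token in match_part.split(","):
            if "=" in token:
                key, value = token.strip().split("=", 1)
                fields[key] = value.strip()
        flows.append({
            "table": int(fields.get("table", "0")),
            "priority": int(fields.get("priority", "32768")),  # OVS default priority
            "in_port": fields.get("in_port"),
            "actions": actions.strip(),
        })
    return flows


def tun_traffic_pinned_to_sec(dump, tun_patch_port, sec_patch_port):
    """True only if every table-0 flow matching in_port=<br-tun patch> outranks
    the catch-all NORMAL flow and outputs solely to the br-sec patch port."""
    table0 = [f for f in parse_flows(dump) if f["table"] == 0]
    normal_prio = max((f["priority"] for f in table0
                       if f["in_port"] is None and f["actions"] == "NORMAL"),
                      default=None)
    pinned = [f for f in table0 if f["in_port"] == str(tun_patch_port)]
    if not pinned:
        return False  # nothing overrides NORMAL: br-tun traffic floods to br-ethX
    for flow in pinned:
        if normal_prio is not None and flow["priority"] <= normal_prio:
            return False
        if flow["actions"] != "output:%s" % sec_patch_port:
            return False
    return True


# Constructed dumps: BEFORE is the single NORMAL flow from the report, AFTER
# adds the workaround flow "in_port=3 actions=output:4" at default priority.
BEFORE = """NXST_FLOW reply (xid=0x4):
 cookie=0x826acdefc21bef5c, duration=7599.982s, table=0, n_packets=3169, n_bytes=252218, idle_age=19, priority=0 actions=NORMAL
"""
AFTER = BEFORE + (" cookie=0x826acdefc21bef5c, duration=12.345s, table=0, "
                  "n_packets=0, n_bytes=0, idle_age=12, priority=32768,in_port=3 actions=output:4\n")
```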
