neutron

ovs-fw: flows on br-int are overlapping with dvr flows

Bug #1696983 reported by Jakub Libosvar on 2017-06-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	High	Brian Haley

Bug Description

DVR flows use normal action in table 0 on br-int. In ovs firewall, table 0 is used as a detector for ingress and egress VM traffic, sending packets for further filtering in the pipeline. As DVR flows have lower priority, DVR flows are not matched and mac translation doesn't work.

Tags:

Jakub Libosvar (libosvar) on 2017-06-09

Changed in neutron:
assignee:	nobody → Jakub Libosvar (libosvar)
tags:	added: l3-dvr-backlog ovs-fw

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-06-09: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/472691

Changed in neutron:
status:	New → In Progress

Kevin Benton (kevinbenton) on 2017-06-19

Changed in neutron:
importance:	Undecided → High

OpenStack Infra (hudson-openstack) on 2017-06-20

Changed in neutron:
assignee:	Jakub Libosvar (libosvar) → Brian Haley (brian-haley)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-06-22: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/472691
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ce8a0b2b7d73caf078c6634d6dded5117dbed265
Submitter: Jenkins
Branch: master

commit ce8a0b2b7d73caf078c6634d6dded5117dbed265
Author: Jakub Libosvar <email address hidden>
Date: Fri Jun 9 13:41:57 2017 +0000

dvr: Move normal/output br-int flows to table TRANSIENT

    DVR flows are not compatible with OVS firewall flows as firewall flows
    have higher priority. As a consequence, rules for DVR were never match
    as firewall uses output directly.

    This patch replaces flows using normal or output actions and resends
    packets to TRANSIENT table instead. This transient table then uses
    either those normal or output action rules. With this split, we will be
    able to match egress/ingress flows in TRANSIENT table instead of
    LOCAL_SWITCHING putting DVR pipeline in front of OVS firewall pipeline.

Change-Id: I9f738047f131b42d11a90f539435006d16ea7883
Closes-bug: #1696983

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-12: Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/472692
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d559cd53e86fb0a3313289467bf4c56bbe76bcec
Submitter: Jenkins
Branch: master

commit d559cd53e86fb0a3313289467bf4c56bbe76bcec
Author: Jakub Libosvar <email address hidden>
Date: Fri Jun 9 13:59:05 2017 +0000

ovs-fw: Use TRANSIENT table for traffic classification

    Commit ce8a0b2b7d73caf078c6634d6dded5117dbed265 introduces a TRANSIENT
    table where all traffic local to br-int is sent after it's been
    preprocessed by other features using openflow. This patch adopts the
    table.

Change-Id: Ic66c186ab73bad6fcd133f2b9d15e07fd0eebb33
Related-bug: #1696983

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-13: Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/483252

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-28: Fix included in openstack/neutron 11.0.0.0b3

This issue was fixed in the openstack/neutron 11.0.0.0b3 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-01: Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/483252
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2bfd21820fc8c5662dfcd066d96e1590284cdf4c
Submitter: Jenkins
Branch: master

commit 2bfd21820fc8c5662dfcd066d96e1590284cdf4c
Author: Jakub Libosvar <email address hidden>
Date: Thu Jul 13 07:55:38 2017 +0000

ovs-fw: Update internal docs with TRANSIENT table

Commit d559cd53e86fb0a3313289467bf4c56bbe76bcec introduced TRANSIENT
table to ovs firewall but didn't update docs.

Change-Id: I3d5ca5dd89e890d08039a0f4f68c9b755961a020
Related-bug: #1696983

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-04: Change abandoned on neutron (master)

Change abandoned by Jakub Libosvar (<email address hidden>) on branch: master
Review: https://review.openstack.org/472713

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-04:

Change abandoned by Jakub Libosvar (<email address hidden>) on branch: master
Review: https://review.openstack.org/472709

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.