ovsfw issue for allowed_address_pairs

Bug #1697593 reported by Jesse
This bug affects 1 person

Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Jesse

Bug Description

A port's allowed_address_pairs allow a different IP and MAC set for the port.

The current ovsfw implementation has this issue for allowed_address_pairs whose MAC differs from the VM's MAC:
1. Packets with the allowed_address_pairs' MAC and IP (a MAC different from the VM's MAC) cannot come out from the VM because the table=72 OpenFlow only checks dl_src=VM-MAC in br-int.
2. Cannot ping from outside to the VM's allowed_address_pairs' MAC and IP (a MAC different from the VM's MAC) because the table=0 OpenFlow only checks dl_dst=VM-MAC.

We need to allow address_pairs with a MAC different from the VM's MAC.

Suggested change:
1. Do not check dl_src in table=72 because table=71 has already checked dl_src for Egress.
2. Add all allowed MACs in table=0 and table=73 for Ingress.
3. Check dl_dst and nw_dst in table=81 like table=71 does.
4. Do not check dl_dst in table=82 because this check has already been done in table=0 and table=73.
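The two failure modes in the description, modelled as an added example that is not part of the bug report or of neutron's code: a toy matcher for ovs-ofctl style flow lines built from a port's allowed_address_pairs, evaluated before and after the fix. The table numbers are the report's; the MACs, IPs, priorities and actions are constructed and illustrative only.

```python
"""Added example (not neutron code): a toy ovs-ofctl style flow matcher that
models the ovsfw checks in bug #1697593. Table numbers come from the report;
MACs, IPs, priorities and actions are constructed/illustrative samples."""
import re

VM_MAC, VM_IP = "fa:16:3e:00:00:01", "10.0.0.5"        # constructed VM port
PAIR_MAC, PAIR_IP = "fa:16:3e:00:00:02", "10.0.0.99"   # constructed allowed pair
ALLOWED_PAIRS = [(PAIR_MAC, PAIR_IP)]


def port_flows(vm_mac, vm_ip, pairs, fixed):
    """Match side of the flows the report discusses, before/after the fix."""
    owned = [(vm_mac, vm_ip)] + list(pairs)            # every MAC/IP the port may use
    in_macs = [vm_mac] + ([m for m, _ in pairs] if fixed else [])
    flows = []
    # table=0 ingress: only frames to a listed dl_dst enter the ingress pipeline;
    # before the fix the list holds just the VM's own MAC (bug item 2)
    flows += [f"table=0,priority=100,dl_dst={m},actions=resubmit(,73)" for m in in_macs]
    # table=71 egress anti-spoof: only an owned MAC/IP pair may leave the port
    flows += [f"table=71,priority=95,dl_src={m},nw_src={i},actions=resubmit(,72)"
              for m, i in owned]
    # table=72 before the fix re-checked dl_src=VM-MAC, undoing the pair allowance
    # (bug item 1); after the fix it no longer matches on dl_src
    if not fixed:
        flows.append(f"table=72,priority=70,dl_src={vm_mac},actions=resubmit(,73)")
    else:
        flows.append("table=72,priority=70,actions=resubmit(,73)")
    return flows


def lookup(flows, table, pkt):
    """Highest-priority flow in `table` whose match fields all equal pkt's."""
    best = None
    for flow in flows:
        kv = dict(re.findall(r"(\w+)=([^,]+)", flow.split(",actions=")[0]))
        if int(kv.pop("table")) != table:
            continue
        prio = int(kv.pop("priority"))
        if all(pkt.get(k) == v for k, v in kv.items()) and (best is None or prio > best[0]):
            best = (prio, flow)
    return best[1] if best else None            # None: no flow matched


def egress_passes(flows, dl_src, nw_src):
    """A frame leaving the VM must match in table=71 and then in table=72."""
    pkt = {"dl_src": dl_src, "nw_src": nw_src}
    return lookup(flows, 71, pkt) is not None and lookup(flows, 72, pkt) is not None


def ingress_passes(flows, dl_dst):
    """A frame for the VM must be picked up by a table=0 dl_dst flow."""
    return lookup(flows, 0, {"dl_dst": dl_dst}) is not None
```

Running the checks with `fixed=False` reproduces both symptoms from the description; with `fixed=True` the allowed pair works while a MAC/IP combination the port does not own is still rejected in table=71.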

Jesse (jesse-5)
Changed in neutron:
assignee: nobody → Jesse (jesse-5)
Jesse (jesse-5)
description: updated
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/473751

Changed in neutron:
status: New → In Progress
tags: added: ovs-fw
Changed in neutron:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/473751
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b7892b16b25c34edd9da6b4901b08a58c9725046
Submitter: Jenkins
Branch: master

commit b7892b16b25c34edd9da6b4901b08a58c9725046
Author: jufeng <email address hidden>
Date: Tue Jun 13 15:13:53 2017 +0800

    ovsfw: fix allowed_address_pairs MAC issue

    The current ovsfw implementation does not handle allowed_address_pairs
    whose MAC differs from the VM's MAC.
    This patch uses the following method to fix this issue:
    1. Do not check dl_src in table=72 because table=71 has already checked
    dl_src for Egress.
    2. Add all allowed MACs in table=0 and table=73 for Ingress.
    3. Do not check dl_dst in table=82 because this check has already been done
    in table=0 and table=73.
    4. Delete allowed MACs in table=0 and table=73 when needed.

    Change-Id: Iad59096f0c9855ebfd4a0d5b447e73b443d66c1d
    Closes-Bug: #1697593

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.0.0rc1

This issue was fixed in the openstack/neutron 11.0.0.0rc1 release candidate.

tags: added: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/510039

tags: removed: neutron-proactive-backport-potential ovs-fw
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/510039
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dd153c3bbf9d10feaf05a0f088ce789e55e8bf96
Submitter: Zuul
Branch: stable/ocata

commit dd153c3bbf9d10feaf05a0f088ce789e55e8bf96
Author: jufeng <email address hidden>
Date: Tue Jun 13 15:13:53 2017 +0800

    ovsfw: fix allowed_address_pairs MAC issue

    The current ovsfw implementation does not handle allowed_address_pairs
    whose MAC differs from the VM's MAC.
    This patch uses the following method to fix this issue:
    1. Do not check dl_src in table=72 because table=71 has already checked
    dl_src for Egress.
    2. Add all allowed MACs in table=0 and table=73 for Ingress.
    3. Do not check dl_dst in table=82 because this check has already been done
    in table=0 and table=73.
    4. Delete allowed MACs in table=0 and table=73 when needed.

    Conflicts:
     doc/source/devref/openvswitch_firewall.rst
     neutron/agent/linux/openvswitch_firewall/firewall.py
     neutron/agent/linux/openvswitch_firewall/rules.py
     neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
     neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py

    Change-Id: Iad59096f0c9855ebfd4a0d5b447e73b443d66c1d
    Closes-Bug: #1697593
    (cherry picked from commit b7892b16b25c34edd9da6b4901b08a58c9725046)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.5

This issue was fixed in the openstack/neutron 10.0.5 release.
