commit 6f7ba76075dd0d645ad6cee6854f87cc41cba1fa
Author: Jakub Libosvar <email address hidden>
Date: Mon Feb 5 17:20:09 2018 +0000

ovs-fw: Fix firewall blink

Previously, when security group was updated for given port, the firewall
removed all flows related to the port and added new rules. That
introduced a time window where there were no rules for the port.

This patch adds a new mechanism using cookie that can be described in
three states:

1) Create new openflow rules with non-default cookie that is considered
an updated cookie. All newly generated flows will be added with the next
cookie and all existing rules with default cookie are rewritten with the
default cookie.

2) Delete all rules for given port with the old default cookie. This
will leave the newly added rules in place.

3) Update the newly added flows with update cookie back to the default
cookie in order to avoid such flows being cleaned on the next restart of
ovs agent, as it fetches for stale flows.

Reviewed: https://review.openstack.org/540943
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6f7ba76075dd0d645ad6cee6854f87cc41cba1fa
Submitter: Zuul
Branch: master
Change-Id: I85d9e49c24ee7c91229b43cd329c42149637f254
Closes-bug: #1708731
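
The three states from the commit message, modelled next to the old delete-then-add update so the window without rules can be measured. This is an added example, not code from the Neutron patch. The `FlowTable` class, the cookie values and the rule strings are constructed for illustration, and treating an add with an identical match as overwriting the existing entry is an assumption of the model.

```python
# Added illustration: a toy in-memory flow table, not Neutron or Open vSwitch code.
DEFAULT_COOKIE, UPDATE_COOKIE = 0x1, 0x2      # constructed cookie values
OLD_RULES = ("tcp:22", "tcp:80")              # constructed security group rules
NEW_RULES = ("tcp:22", "tcp:443")


class FlowTable:
    def __init__(self):
        self.flows = {}      # (port, match) -> cookie
        self.min_seen = {}   # port -> fewest rules observed after any add or delete

    def _observe(self, port):
        count = sum(1 for p, _ in self.flows if p == port)
        self.min_seen[port] = min(self.min_seen.get(port, count), count)

    def add(self, port, match, cookie):
        self.flows[(port, match)] = cookie   # assumption: same match overwrites the entry
        self._observe(port)

    def delete(self, port, cookie=None):
        """Delete the port's flows; with a cookie, only the flows carrying it."""
        for key in [k for k, c in self.flows.items() if k[0] == port and cookie in (None, c)]:
            del self.flows[key]
        self._observe(port)

    def recookie(self, port, old, new):
        for key, c in self.flows.items():
            if key[0] == port and c == old:
                self.flows[key] = new


def blinking_update(table, port, rules):
    table.delete(port)                       # window with no rules opens here
    for match in rules:
        table.add(port, match, DEFAULT_COOKIE)


def cookie_update(table, port, rules):
    for match in rules:                      # state 1: add new rules under the update cookie
        table.add(port, match, UPDATE_COOKIE)
    table.delete(port, DEFAULT_COOKIE)       # state 2: drop rules still on the old cookie
    table.recookie(port, UPDATE_COOKIE, DEFAULT_COOKIE)  # state 3: back to default


def run(update):
    table = FlowTable()
    for match in OLD_RULES:
        table.add("port1", match, DEFAULT_COOKIE)
    table.min_seen.clear()                   # measure only the update itself
    update(table, "port1", NEW_RULES)
    return table.min_seen["port1"], dict(table.flows)
```

`run(blinking_update)` and `run(cookie_update)` end with the same flows; they differ only in the lowest rule count the port passed through during the update.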