Reviewed: https://review.openstack.org/555769
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2c88fcb5a819432697ac57173a4c2023e86b9b6f
Submitter: Zuul
Branch: stable/queens
commit 2c88fcb5a819432697ac57173a4c2023e86b9b6f
Author: Jakub Libosvar <email address hidden>
Date: Mon Feb 5 17:20:09 2018 +0000

ovs-fw: Fix firewall blink

Previously, when a security group was updated for a given port, the firewall
removed all flows related to the port and added new rules. That
introduced a time window where there were no rules for the port.

This patch adds a new mechanism using a cookie that can be described in
three states:

1) Create new openflow rules with a non-default cookie that is considered
an updated cookie. All newly generated flows will be added with the next
cookie and all existing rules with the default cookie are rewritten with the
default cookie.
2) Delete all rules for the given port with the old default cookie. This
will leave the newly added rules in place.
3) Update the newly added flows with the update cookie back to the default
cookie in order to avoid such flows being cleaned on the next restart of
the ovs agent, as it fetches for stale flows.
Conflicts: neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
Change-Id: I85d9e49c24ee7c91229b43cd329c42149637f254
Closes-bug: #1708731
(cherry picked from commit 6f7ba76075dd0d645ad6cee6854f87cc41cba1fa)
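
A toy model of the update sequence described in the commit message above, added here as an illustration and not taken from the Neutron patch. It assumes a flow table keyed by (port, match) in which adding a flow with an existing match overwrites its cookie; the function names, cookie values, ports and match strings are all constructed.

```python
# Toy flow table: {(port, match): cookie}. Adding a flow whose match already
# exists overwrites its cookie (modelling assumption). Cookie values, port
# names and match strings are constructed for illustration.
DEFAULT_COOKIE, UPDATE_COOKIE = 0x1, 0x2

def add_flows(table, port, matches, cookie):
    for match in matches:
        table[(port, match)] = cookie

def delete_flows(table, port, cookie=None):
    # cookie=None deletes every flow of the port, otherwise only that cookie's.
    for key in [k for k, c in table.items()
                if k[0] == port and cookie in (None, c)]:
        del table[key]

def port_rules(table, port):
    return sorted(m for (p, m) in table if p == port)

def stale_flows(table):
    """Flows a restart cleanup would treat as stale: cookie is not the default."""
    return sorted(k for k, c in table.items() if c != DEFAULT_COOKIE)

def update_delete_then_add(table, port, new_matches):
    """Behaviour before the patch: remove every flow for the port, then add."""
    trace = []
    delete_flows(table, port)
    trace.append(port_rules(table, port))   # window with no rules for the port
    add_flows(table, port, new_matches, DEFAULT_COOKIE)
    trace.append(port_rules(table, port))
    return trace

def update_with_cookie(table, port, new_matches):
    """The three states from the commit message; returns rules after each."""
    trace = []
    add_flows(table, port, new_matches, UPDATE_COOKIE)    # state 1: add new
    trace.append(port_rules(table, port))
    delete_flows(table, port, DEFAULT_COOKIE)             # state 2: drop old
    trace.append(port_rules(table, port))
    for key in table:                                     # state 3: reset cookie
        if key[0] == port and table[key] == UPDATE_COOKIE:
            table[key] = DEFAULT_COOKIE
    trace.append(port_rules(table, port))
    return trace

def sample_table():
    table = {}
    add_flows(table, "port-a", ["tcp:22", "tcp:80"], DEFAULT_COOKIE)
    add_flows(table, "port-b", ["icmp"], DEFAULT_COOKIE)
    return table
```

Each trace entry is the rule set for the port after one step, so an empty entry marks the window with no rules that the commit message calls the blink.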