openvswitch firewall flows cause flooding on integration bridge
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
neutron |
Fix Released
|
High
|
LIU Yulong |
Bug Description
Environment: OpenStack Newton
Driver: ML2 w/ OVS
Firewall: openvswitch
In this environment, we have observed OVS flooding network traffic across all ports in a given VLAN on the integration bridge due to the lack of a FDB entry for the destination MAC address. Across the large fleet of 240+ nodes, this is causing a considerable amount of noise on any given node.
In this test, we have 3 machines:
Client: fa:16:3e:e8:59:00 (10.10.60.2)
Server: fa:16:3e:80:cb:0a (10.10.60.9)
Bystander: fa:16:3e:a0:ee:02 (10.10.60.10)
The server is running a web server using netcat:
while true ; do sudo nc -l -p 80 < index.html ; done
Client requests page using curl:
ip netns exec qdhcp-b07e6cb3-
We should expect to see the communication limited to the client and server. However, the captures below reflect the server->client responses being broadcast out all tap interfaces connected to br-int in the same local vlan:
root@osa-
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap5f03424d-1c, link-type EN10MB (Ethernet), capture size 262144 bytes
02:20:30.190675 fa:16:3e:e8:59:00 > fa:16:3e:80:cb:0a, ethertype IPv4 (0x0800), length 74: 10.10.60.2.54796 > 10.10.60.9.80: Flags [S], seq 213484442, win 29200, options [mss 1460,sackOK,TS val 140883559 ecr 0,nop,wscale 7], length 0
02:20:30.191926 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 74: 10.10.60.9.80 > 10.10.60.2.54796: Flags [S.], seq 90006557, ack 213484443, win 14480, options [mss 1460,sackOK,TS val 95716 ecr 140883559,
02:20:30.192837 fa:16:3e:e8:59:00 > fa:16:3e:80:cb:0a, ethertype IPv4 (0x0800), length 66: 10.10.60.2.54796 > 10.10.60.9.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 140883560 ecr 95716], length 0
02:20:30.192986 fa:16:3e:e8:59:00 > fa:16:3e:80:cb:0a, ethertype IPv4 (0x0800), length 140: 10.10.60.2.54796 > 10.10.60.9.80: Flags [P.], seq 1:75, ack 1, win 229, options [nop,nop,TS val 140883560 ecr 95716], length 74: HTTP: GET / HTTP/1.1
02:20:30.195806 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 79: 10.10.60.9.80 > 10.10.60.2.54796: Flags [P.], seq 1:14, ack 1, win 905, options [nop,nop,TS val 95717 ecr 140883560], length 13: HTTP
02:20:30.196207 fa:16:3e:e8:59:00 > fa:16:3e:80:cb:0a, ethertype IPv4 (0x0800), length 66: 10.10.60.2.54796 > 10.10.60.9.80: Flags [.], ack 14, win 229, options [nop,nop,TS val 140883561 ecr 95717], length 0
02:20:30.197481 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 66: 10.10.60.9.80 > 10.10.60.2.54796: Flags [.], ack 75, win 905, options [nop,nop,TS val 95717 ecr 140883560], length 0
^^^ On the server tap we see the bi-directional traffic
root@osa-
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tapb8051da9-60, link-type EN10MB (Ethernet), capture size 262144 bytes
02:20:30.192165 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 74: 10.10.60.9.80 > 10.10.60.2.54796: Flags [S.], seq 90006557, ack 213484443, win 14480, options [mss 1460,sackOK,TS val 95716 ecr 140883559,
02:20:30.195827 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 79: 10.10.60.9.80 > 10.10.60.2.54796: Flags [P.], seq 1:14, ack 1, win 905, options [nop,nop,TS val 95717 ecr 140883560], length 13: HTTP
02:20:30.197500 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 66: 10.10.60.9.80 > 10.10.60.2.54796: Flags [.], ack 75, win 905, options [nop,nop,TS val 95717 ecr 140883560], length 0
^^^ On the bystander tap we see the flooded traffic
The FDB tables reflect the lack of CAM entry for the client on br-int bridge. I would expect to see the MAC address on the patch uplink:
root@osa-
root@osa-
2 850 fa:16:3e:e8:59:00 3
Sources[1] point to the fact that an 'output' action negates the MAC learning mechanism in OVS. Related Table 82 entries are below, and code is here[2]:
cookie=
cookie=
cookie=
cookie=
cookie=
cookie=
My testing shows that massaging the flow rules to remove the 'output' action and instead use a 'mod_vlan_vid' action (for the sake of getting it working) results in expected behavior:
cookie=
cookie=
cookie=
cookie=
cookie=
cookie=
The MAC of the client shows up now on br-int FDB:
root@osa-
1 4 fa:16:3e:e8:59:00 2
The test below shows that traffic is only seen on server tap and not bystander tap:
root@osa-
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap5f03424d-1c, link-type EN10MB (Ethernet), capture size 262144 bytes
03:46:52.606940 fa:16:3e:e8:59:00 > fa:16:3e:80:cb:0a, ethertype IPv4 (0x0800), length 74: 10.10.60.2.55808 > 10.10.60.9.80: Flags [S], seq 3645914146, win 29200, options [mss 1460,sackOK,TS val 142179163 ecr 0,nop,wscale 7], length 0
03:46:52.608880 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 74: 10.10.60.9.80 > 10.10.60.2.55808: Flags [S.], seq 3531519972, ack 3645914147, win 14480, options [mss 1460,sackOK,TS val 1391324 ecr 142179163,
03:46:52.610175 fa:16:3e:e8:59:00 > fa:16:3e:80:cb:0a, ethertype IPv4 (0x0800), length 66: 10.10.60.2.55808 > 10.10.60.9.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 142179164 ecr 1391324], length 0
03:46:52.610273 fa:16:3e:e8:59:00 > fa:16:3e:80:cb:0a, ethertype IPv4 (0x0800), length 140: 10.10.60.2.55808 > 10.10.60.9.80: Flags [P.], seq 1:75, ack 1, win 229, options [nop,nop,TS val 142179164 ecr 1391324], length 74: HTTP: GET / HTTP/1.1
03:46:52.613851 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 66: 10.10.60.9.80 > 10.10.60.2.55808: Flags [.], ack 75, win 905, options [nop,nop,TS val 1391325 ecr 142179164], length 0
03:46:52.614007 fa:16:3e:80:cb:0a > fa:16:3e:e8:59:00, ethertype IPv4 (0x0800), length 79: 10.10.60.9.80 > 10.10.60.2.55808: Flags [P.], seq 1:14, ack 75, win 905, options [nop,nop,TS val 1391325 ecr 142179164], length 13: HTTP
03:46:52.614314 fa:16:3e:e8:59:00 > fa:16:3e:80:cb:0a, ethertype IPv4 (0x0800), length 66: 10.10.60.2.55808 > 10.10.60.9.80: Flags [.], ack 14, win 229, options [nop,nop,TS val 142179165 ecr 1391325], length 0
root@osa-
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tapb8051da9-60, link-type EN10MB (Ethernet), capture size 262144 bytes
>> Nothing! As expected.
I need to build out an environment using the master branch, but the code at [3] seems to indicate the 'output' action is still specified.
Thanks for taking a look and let me know if you have any questions.
[1] https:/
[2] https:/
[3] https:/
tags: | added: ovs-fw |
Changed in neutron: | |
assignee: | Yang Li (yang-li) → zhengyong (zhengy23) |
Changed in neutron: | |
assignee: | zhengyong (zhengy23) → Zhengdong Wu (zhengdong.wu) |
Changed in neutron: | |
importance: | Undecided → High |
Changed in neutron: | |
assignee: | Zhengdong Wu (zhengdong.wu) → yangjianfeng (yangjianfeng) |
Changed in neutron: | |
assignee: | LIU Yulong (dragon889) → Brian Haley (brian-haley) |
Changed in neutron: | |
milestone: | none → ussuri-2 |
Changed in neutron: | |
assignee: | nobody → LIU Yulong (dragon889) |
status: | New → In Progress |
tags: | added: neutron-proactive-backport-potential |
Changed in neutron: | |
status: | Fix Released → In Progress |
tags: | removed: timeout-abandon |
Changed in neutron: | |
status: | In Progress → Fix Committed |
status: | Fix Committed → Fix Released |
Just an update -- I was able to replicate this using neutron- openvswitch- agent 11.0.0.0rc2.dev368.
Server:
root@osa- master- ovs:/home/ ubuntu# tcpdump -i tap849fa737-65 -ne port 80 nop,wscale 4], length 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap849fa737-65, link-type EN10MB (Ethernet), capture size 262144 bytes
04:29:21.667498 fa:16:3e:32:40:3d > fa:16:3e:f3:2c:61, ethertype IPv4 (0x0800), length 74: 192.168.1.2.42444 > 192.168.1.3.80: Flags [S], seq 364460666, win 29200, options [mss 1460,sackOK,TS val 2559349669 ecr 0,nop,wscale 7], length 0
04:29:21.668573 fa:16:3e:f3:2c:61 > fa:16:3e:32:40:3d, ethertype IPv4 (0x0800), length 74: 192.168.1.3.80 > 192.168.1.2.42444: Flags [S.], seq 4137876027, ack 364460667, win 14480, options [mss 1460,sackOK,TS val 4294931608 ecr 2559349669,
04:29:21.669023 fa:16:3e:32:40:3d > fa:16:3e:f3:2c:61, ethertype IPv4 (0x0800), length 66: 192.168.1.2.42444 > 192.168.1.3.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 2559349670 ecr 4294931608], length 0
04:29:21.669077 fa:16:3e:32:40:3d > fa:16:3e:f3:2c:61, ethertype IPv4 (0x0800), length 141: 192.168.1.2.42444 > 192.168.1.3.80: Flags [P.], seq 1:76, ack 1, win 229, options [nop,nop,TS val 2559349670 ecr 4294931608], length 75: HTTP: GET / HTTP/1.1
04:29:21.669979 fa:16:3e:f3:2c:61 > fa:16:3e:32:40:3d, ethertype IPv4 (0x0800), length 66: 192.168.1.3.80 > 192.168.1.2.42444: Flags [.], ack 76, win 905, options [nop,nop,TS val 4294931609 ecr 2559349670], length 0
04:29:21.672658 fa:16:3e:f3:2c:61 > fa:16:3e:32:40:3d, ethertype IPv4 (0x0800), length 90: 192.168.1.3.80 > 192.168.1.2.42444: Flags [P.], seq 1:25, ack 76, win 905, options [nop,nop,TS val 4294931610 ecr 2559349670], length 24: HTTP
04:29:21.672710 fa:16:3e:32:40:3d > fa:16:3e:f3:2c:61, ethertype IPv4 (0x0800), length 66: 192.168.1.2.42444 > 192.168.1.3.80: Flags [.], ack 25, win 229, options [nop,nop,TS val 2559349671 ecr 4294931610], length 0
04:29:55.543336 fa:16:3e:f3:2c:61 > fa:16:3e:32:40:3d, ethertype IPv4 (0x0800), length 66: 192.168.1.3.80 > 192.168.1.2.42444: Flags [F.], seq 25, ack 76, win 905, options [nop,nop,TS val 4294940076 ecr 2559349671], length 0
04:29:55.579959 fa:16:3e:32:40:3d > fa:16:3e:f3:2c:61, ethertype IPv4 (0x0800), length 66: 192.168.1.2.42444 > 192.168.1.3.80: Flags [F.], seq 76, ack 26, win 229, options [nop,nop,TS val 2559358148 ecr 4294940076], length 0
04:29:55.580711 fa:16:3e:f3:2c:61 > fa:16:3e:32:40:3d, ethertype IPv4 (0x0800), length 66: 192.168.1.3.80 > 192.168.1.2.42444: Flags [.], ack 77, win 905, options [nop,nop,TS val 4294940087 ecr 2559358148], length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
Bystander:
root@osa- master- ovs:/home/ ubuntu# tcpdump -i tap2bceb97c-0b -ne port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap2bceb97c-0b, link-type EN10MB (Ethernet), capture size 262144 bytes
04:29:21.668768 fa:16:3e:f3:2c:61 > fa:16:3e:32:40:3d, ethertype IPv4 (0x0800), length 74: 192.168.1.3.80 > 192.168.1.2.42444: Flags [S.], seq 4137876027, ack 364460667, win 14480, options [mss 1460,sackOK,TS val 4294931608 ecr 2559349669...