neutron

[L2][OVS] add accepted egress fdb flows

Bug #1841622 reported by LIU Yulong on 2019-08-27

This bug report is a duplicate of: Bug #1732067: openvswitch firewall flows cause flooding on integration bridge. Edit Remove

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	neutron	In Progress	Medium	LIU Yulong

Bug Description

Bug https://bugs.launchpad.net/neutron/+bug/1732067 has a bad impact on VM traffic. And all the fix has some potenial risk of data-plane down. So we added a new bug for the new solution:
It will add a flow table something like a switch FDB table. The accepted egress flows will be take care in that.

table=94 will be used to do accepted egress traffic classification when enable openflow firewall:
1. the "dest mac" is handled this ovs-agent, direct "output" to that port
2. "ARP request" with enabled L2 pop, packets will still be sent to patch port to tunnel bridge
3. "dest mac" not in this host, vlan or tunnel (gre/vxlan/geneve) unicast will be sent to corresponding patch port of tunnel/physical bridge.
4. other traffic still match the original NORMAL flow

A new table=61 will be used to do egress traffic classification when not enable openflow firewall:
1. egress packets will be send to table 61, match rule will be of-port which be handled by ovs-agent "in_port=<some_local_of_port>"
2. the "dest mac" is handled this ovs-agent, direct "output" to that port
3. "ARP request" with enabled L2 pop, packets will still be sent to patch port to tunnel bridge
4. "dest mac" not in this host, vlan or tunnel (gre/vxlan/geneve) unicast will be sent to corresponding patch port of tunnel/physical bridge.
5. other traffic still match the original NORMAL flow

See original description

Tags:

LIU Yulong (dragon889) on 2019-08-27

description:	updated
description:	updated

Revision history for this message

Lajos Katona (lajos-katona) wrote on 2019-08-28:

Liu, shall I assign this one to you, as if I understand well you take care of this together with https://bugs.launchpad.net/neutron/+bug/1732067 ?

tags:

added: ovs-fw

LIU Yulong (dragon889) on 2019-08-28

Changed in neutron:
assignee:	nobody → LIU Yulong (dragon889)

Lajos Katona (lajos-katona) on 2019-09-02

Changed in neutron:
importance:	Undecided → Medium

Slawek Kaplonski (slaweq) on 2019-09-02

tags:

added: ovs

OpenStack Infra (hudson-openstack) on 2019-12-03

Changed in neutron:
status:	New → In Progress

Revision history for this message

LIU Yulong (dragon889) wrote on 2019-12-03:

Patch submitted:
https://review.opendev.org/#/c/666991/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-26: Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/666991
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=efa8dd08957b5b6b1a05f0ed412ff00462a9f216
Submitter: Zuul
Branch: master

commit efa8dd08957b5b6b1a05f0ed412ff00462a9f216
Author: LIU Yulong <email address hidden>
Date: Mon Jun 24 00:08:12 2019 +0800

Add accepted egress direct flow

    Do not flood the packets to bridge, since we have the
    bridge port list, we can add a simple direct flow to
    the right port only.

    Closes-Bug: #1732067
    Related-Bug: #1841622
    Change-Id: I14fefe289a19b718b247bf0740ca9bc47f8903f4

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-01-28: Related fix proposed to neutron (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/704506

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-04: Related fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/704506
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6c1cf886671df66f6790045268b1394a97caabcc
Submitter: Zuul
Branch: stable/train

commit 6c1cf886671df66f6790045268b1394a97caabcc
Author: LIU Yulong <email address hidden>
Date: Mon Jun 24 00:08:12 2019 +0800

Add accepted egress direct flow

    Do not flood the packets to bridge, since we have the
    bridge port list, we can add a simple direct flow to
    the right port only.

    Closes-Bug: #1732067
    Related-Bug: #1841622
    Change-Id: I14fefe289a19b718b247bf0740ca9bc47f8903f4
    (cherry picked from commit efa8dd08957b5b6b1a05f0ed412ff00462a9f216)

tags:

added: in-stable-train

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-24: Related fix proposed to neutron (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/709410

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-27: Related fix proposed to neutron (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/710183

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-27: Related fix proposed to neutron (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/710184

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-09: Related fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/709410
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0255239ed5affd65568c33ba07cd72fb0b594449
Submitter: Zuul
Branch: stable/queens

commit 0255239ed5affd65568c33ba07cd72fb0b594449
Author: LIU Yulong <email address hidden>
Date: Mon Jun 24 00:08:12 2019 +0800

Add accepted egress direct flow

    Do not flood the packets to bridge, since we have the
    bridge port list, we can add a simple direct flow to
    the right port only.

    Conflicts:
     neutron/agent/linux/openvswitch_firewall/firewall.py
     neutron/conf/plugins/ml2/drivers/ovs_conf.py
     neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
     neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py

    Closes-Bug: #1732067
    Related-Bug: #1841622
    Change-Id: I14fefe289a19b718b247bf0740ca9bc47f8903f4
    (cherry picked from commit efa8dd08957b5b6b1a05f0ed412ff00462a9f216)

tags:

added: in-stable-queens

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-11: Related fix merged to neutron (stable/stein)

#10

Reviewed: https://review.opendev.org/710184
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=5578c7073fd454f2df43e0d728ba2a64de87fccf
Submitter: Zuul
Branch: stable/stein

commit 5578c7073fd454f2df43e0d728ba2a64de87fccf
Author: LIU Yulong <email address hidden>
Date: Mon Jun 24 00:08:12 2019 +0800

Add accepted egress direct flow

    Do not flood the packets to bridge, since we have the
    bridge port list, we can add a simple direct flow to
    the right port only.

Conflicts:
neutron/conf/plugins/ml2/drivers/ovs_conf.py

    Closes-Bug: #1732067
    Related-Bug: #1841622
    Change-Id: I14fefe289a19b718b247bf0740ca9bc47f8903f4
    (cherry picked from commit efa8dd08957b5b6b1a05f0ed412ff00462a9f216)

tags:

added: in-stable-stein

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-30: Related fix merged to neutron (stable/rocky)

#11

Reviewed: https://review.opendev.org/710183
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fdc8987f791b24119ef22c434f8877df13bcdded
Submitter: Zuul
Branch: stable/rocky

commit fdc8987f791b24119ef22c434f8877df13bcdded
Author: LIU Yulong <email address hidden>
Date: Mon Jun 24 00:08:12 2019 +0800

Add accepted egress direct flow

    Do not flood the packets to bridge, since we have the
    bridge port list, we can add a simple direct flow to
    the right port only.

    Conflicts:
        neutron/agent/linux/openvswitch_firewall/firewall.py
        neutron/conf/plugins/ml2/drivers/ovs_conf.py

    Closes-Bug: #1732067
    Related-Bug: #1841622
    Change-Id: I14fefe289a19b718b247bf0740ca9bc47f8903f4
    (cherry picked from commit efa8dd08957b5b6b1a05f0ed412ff00462a9f216)