Make sure "dead vlan" ports cannot transmit packets
https://review.opendev.org/c/openstack/neutron/+/820897 added
a dead vlan flow that pushes the dead vlan tag onto frames
belonging to dead ports before these ports are reassigned to
their proper vlans. However add_flow and delete_flows race and
delete_flows may run before add_flow, in this case deleting 0 flows
but not giving us a chance to detect this: neither does it throw
an error nor does it return the number of deleted flows.
This leads to port staying inaccessible forever and hence
breaks corresponding DHCP or router.
Current patch suggests another approach to make sure no packets are
leaked from newly plugged ports: setting their "vlan_mode" attribute
to "trunk" and "trunks"=[4095] (along with assigning dead VLAN tag).
With this OVS normal pipeline will allow only packets tagged with 4095
from such ports [1], which normally not happens, but even if it does -
default rule in br-int will drop them anyway.
Thus untagged packets from such ports will also be dropped until
ovs agent sets proper VLAN tag and clears vlan_mode to default
("access").
This approach avoids the race between dhcp/l3 and ovs agents because
dhcp/l3 agents no longer modify flow table.
This partially reverts commit 7aae31c9f9ed938760ca0be3c461826b598c7004
Reviewed: https:/ /review. opendev. org/c/openstack /neutron/ +/828231 /opendev. org/openstack/ neutron/ commit/ 9d5cea0e2bb85b3 b6ea27eb71279c5 7c419b0102
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/wallaby
commit 9d5cea0e2bb85b3 b6ea27eb71279c5 7c419b0102
Author: Oleg Bondarev <email address hidden>
Date: Tue Feb 1 18:56:02 2022 +0300
Make sure "dead vlan" ports cannot transmit packets
https:/ /review. opendev. org/c/openstack /neutron/ +/820897 added
a dead vlan flow that pushes the dead vlan tag onto frames
belonging to dead ports before these ports are reassigned to
their proper vlans. However add_flow and delete_flows race and
delete_flows may run before add_flow, in this case deleting 0 flows
but not giving us a chance to detect this: neither does it throw
an error nor does it return the number of deleted flows.
This leads to port staying inaccessible forever and hence
breaks corresponding DHCP or router.
Current patch suggests another approach to make sure no packets are
leaked from newly plugged ports: setting their "vlan_mode" attribute
to "trunk" and "trunks"=[4095] (along with assigning dead VLAN tag).
With this OVS normal pipeline will allow only packets tagged with 4095
from such ports [1], which normally not happens, but even if it does -
default rule in br-int will drop them anyway.
Thus untagged packets from such ports will also be dropped until
ovs agent sets proper VLAN tag and clears vlan_mode to default
("access").
This approach avoids the race between dhcp/l3 and ovs agents because
dhcp/l3 agents no longer modify flow table.
This partially reverts commit 7aae31c9f9ed938 760ca0be3c46182 6b598c7004
[1] https:/ /docs.openvswit ch.org/ en/latest/ ref/ovs- actions. 7/?highlight= ovs-actions# the-ovs- normal- pipeline
Closes-Bug: #1930414 56a09ddb002e7da e8783ba37a4 9df4a22607a2da0 3f193f083c)
Closes-Bug: #1959564
Change-Id: I0391dd24224f86
(cherry picked from commit 0ddca284542aed8