[ml2][ovs] port flows unexpectedly deleted by arp_spoofing_protection

Bug #2000046 reported by LIU Yulong
Bug heat: 6
This bug affects 1 person

Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Port arp_spoofing_protection will install flows like this:

table=0, priority=9,in_port=2 actions=goto_table:25
table=25, priority=2,in_port=2,dl_src=fa:16:3e:54:f0:71 actions=goto_table:60

For network ports or port_security_enabled = False, those flows
will be deleted by setup_arp_spoofing_protection in _bind_devices [1][2][3][4].

Besides, the ovs_agent extension handle_port will be run before
these actions [5]. So for network or no-security ports, any flows
added by an agent extension in table=0 with "in_port=2" will be deleted
unexpectedly, which also means any flows added before this call of
"uninstall_flows(table=0, in_port=2)" will be deleted.

[1] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py#L385
[2] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1300
[3] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1307
[4] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1241
[5] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L2038

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/868058

Changed in neutron:
status: New → In Progress
LIU Yulong (dragon889)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/868058
Committed: https://opendev.org/openstack/neutron/commit/dad23fdcdb32e3b061642e3cafad6566fadc11c3
Submitter: "Zuul (22348)"
Branch: master

commit dad23fdcdb32e3b061642e3cafad6566fadc11c3
Author: LIU Yulong <email address hidden>
Date: Mon Dec 19 14:26:47 2022 +0800

    Strictly delete arp_spoofing_protection flows

    Port arp_spoofing_protection will install flows like this:
    table=0, priority=9,in_port=2 actions=goto_table:25
    table=25, priority=2,in_port=2,dl_src=fa:16:3e:54:f0:71 actions=goto_table:60

    For network ports or port_security_enabled = False, those flows
    will be deleted by setup_arp_spoofing_protection in _bind_devices.

    But the delete actions are a bit rough because it will delete any
    flows with "table=0 in_port=2" and "table=25 in_port=2".

    Besides, the ovs_agent extension handle_port will be run before
    these actions [5]. So for network or no-security ports, any flows
    added by an agent extension in table=0 with "in_port=2" will be deleted
    unexpectedly, which also means any flows added before this call of
    "uninstall_flows(table=0, in_port=2)" will be deleted.

    This patch changes the uninstall flows to strict mode. Let it
    delete the arp_spoofing_protection related flows only by verifying
    the priority.

    Closes-Bug: #2000046
    Change-Id: Ifdd47b2ce8610e4b4b527fc3279e0bd7a8b21a1d

Changed in neutron:
status: In Progress → Fix Released
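As an added illustration (not code from the bug report, the commit, neutron or OVS), the following Python models the two OpenFlow deletion modes that both the bug description and the commit message contrast. It builds a constructed flow table for ofport 2 holding the two arp_spoofing_protection flows quoted above, a hypothetical flow installed earlier by an agent extension for the same in_port, and a flow for another port, then runs the pre-fix non-strict delete beside a strict delete keyed on the match fields and priorities the quoted flows show. The Flow/uninstall_flows helpers, the extension flow's match and action, and the exact strict-delete requests are assumptions of the model; the merged change itself is at the review link above.

```python
"""Toy model of OpenFlow flow deletion (non-strict vs strict).

Constructed for illustration; this is not neutron's or OVS's code. The
semantics follow the OpenFlow specification: a non-strict delete removes
every flow in the table whose match is equal to or more specific than the
request and ignores priority, while a strict delete removes only flows
whose match fields and priority are exactly those of the request.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    table: int
    priority: int
    match: tuple          # sorted (field, value) pairs
    actions: str


def make_flow(table, priority, actions, **match):
    return Flow(table, priority, tuple(sorted(match.items())), actions)


def _covers(request, flow_match):
    """Non-strict rule: every requested field must be present in the flow
    with the same value; fields the request omits act as wildcards."""
    fields = dict(flow_match)
    return all(fields.get(k) == v for k, v in request)


def uninstall_flows(flows, table, strict=False, priority=None, **match):
    """Return the flows that survive the delete request.

    The keyword shape mirrors the uninstall_flows(table=..., in_port=...)
    call quoted in the bug; the behaviour is this model's, not neutron's.
    """
    request = tuple(sorted(match.items()))
    survivors = []
    for f in flows:
        if f.table != table:
            survivors.append(f)
            continue
        if strict:
            hit = f.match == request and f.priority == priority
        else:
            hit = _covers(request, f.match)
        if not hit:
            survivors.append(f)
    return survivors


def bound_port_flows():
    """Constructed table state for a port on ofport 2 just before
    _bind_devices runs setup_arp_spoofing_protection: the two
    arp_spoofing_protection flows from the report, one flow installed
    earlier by an agent extension for the same in_port (hypothetical match
    and action), and a flow for another port that must never be touched."""
    return [
        make_flow(0, 9, "goto_table:25", in_port=2),
        make_flow(25, 2, "goto_table:60", in_port=2, dl_src="fa:16:3e:54:f0:71"),
        make_flow(0, 20, "goto_table:90", in_port=2, dl_type=0x0800),  # extension flow
        make_flow(0, 9, "goto_table:25", in_port=3),                   # other port
    ]


def delete_rough(flows):
    """Pre-fix behaviour: uninstall_flows(table=0, in_port=2) without strict.
    The extension flow also matches in_port=2 (its match is more specific),
    so it is deleted together with the arp_spoofing_protection flow."""
    return uninstall_flows(flows, table=0, in_port=2)


def delete_strict(flows):
    """Post-fix behaviour as modelled here: strict deletes keyed on the
    exact match and the priority the quoted flows use (9 in table 0,
    2 in table 25)."""
    flows = uninstall_flows(flows, table=0, strict=True, priority=9, in_port=2)
    return uninstall_flows(flows, table=25, strict=True, priority=2,
                           in_port=2, dl_src="fa:16:3e:54:f0:71")


def actions_in(flows, table, port):
    """Actions of the remaining flows for (table, in_port), for inspection."""
    return sorted(f.actions for f in flows
                  if f.table == table and dict(f.match).get("in_port") == port)


if __name__ == "__main__":
    before = bound_port_flows()
    print("rough :", actions_in(delete_rough(before), 0, 2))   # []
    print("strict:", actions_in(delete_strict(before), 0, 2))  # ['goto_table:90']
```

The point the model makes visible is that a non-strict OpenFlow delete ignores priority and matches any flow whose match is equal to or more specific than the request, so a request on in_port=2 alone takes the extension's in_port=2 flow with it; a strict delete has to name the exact match and priority, which is what confines the deletion to the arp_spoofing_protection flows.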
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.0.0rc1

This issue was fixed in the openstack/neutron 22.0.0.0rc1 release candidate.
