[OVS] Custom ethertype traffic is not coming into the VM

Bug #2009221 reported by Rodolfo Alonso
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Rodolfo Alonso

Bug Description

Related bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2171906.

This bug is related to https://bugs.launchpad.net/neutron/+bug/1832758.

In [1], the ability to allow custom ethertypes was added to the OVS native firewall. This patch added a bypass for traffic with custom ethertypes and a MAC address matching one of the local ports in this OVS (in table 60 the traffic should match the VLAN tag and the destination MAC).

In [2], this piece of code was moved to the EGRESS section to allow the traffic sent by a port with one of the allowed custom ethertypes to bypass the firewall and go directly to the accepted egress table, where the traffic is sent explicitly to the corresponding physical bridge or tunnel bridge, depending on the network type.

None of these patches can live without the other. Now we are missing the code of the first one [1], removed by the second one [2]: we need an explicit bypass in the INGRESS section to allow this traffic and send it directly to the corresponding port.

[1] https://review.opendev.org/c/openstack/neutron/+/668224
[2] https://review.opendev.org/c/openstack/neutron/+/678021
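The forwarding logic the report describes, as an added worked example (this is not neutron's code and not from the bug report): a frame with a permitted custom ethertype must bypass the firewall on egress (when it leaves a local VM port) and on ingress (when it is delivered to a local VM port). With the ingress bypass switched off, the model reproduces the reported symptom: local-to-local traffic leaves the source port but is dropped before reaching the destination VM, while non-permitted ethertypes and frames from or to non-local MACs stay blocked either way. The table numbers 71/81/94, the Frame and Port types, the `ingress_bypass` switch and the MAC addresses are assumptions constructed for the example.

```python
"""Toy model of the custom-ethertype bypass in an OVS firewall (added example).

Not neutron's code. Table numbers follow neutron's OVS firewall layout but are
assumptions here; ports, MACs and ethertypes are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

BASE_EGRESS_TABLE = 71        # assumption: base egress table
BASE_INGRESS_TABLE = 81       # assumption: base ingress table
ACCEPTED_EGRESS_NORMAL = 94   # assumption: accepted egress, NORMAL forwarding
STANDARD_ETHERTYPES = {0x0800, 0x86dd, 0x0806}   # IPv4, IPv6, ARP: handled by SG rules


@dataclass(frozen=True)
class Frame:
    dl_type: int
    dl_src: str
    dl_dst: str
    in_port: Optional[int]   # local ofport, or None when arriving from br-ex/br-tun


@dataclass(frozen=True)
class Port:
    ofport: int
    mac: str


def parse_permitted_ethertypes(values: List[str]) -> Set[int]:
    """Accept '0x....' strings (the form the permitted_ethertypes option uses)."""
    permitted = set()
    for value in values:
        if value[:2] == '0x':
            try:
                permitted.add(int(value, 16))
            except ValueError:
                pass   # malformed entries are skipped, not fatal
    return permitted


class OvsFirewall:
    def __init__(self, permitted_ethertypes, ports, ingress_bypass=True):
        self.permitted = parse_permitted_ethertypes(permitted_ethertypes)
        self.ports = {p.ofport: p for p in ports}
        self.ingress_bypass = ingress_bypass   # False reproduces the reported bug
        self.trace: List[str] = []

    def _local_port_for_mac(self, mac):
        return next((p for p in self.ports.values() if p.mac == mac), None)

    def egress(self, frame):
        """Table 71: frame leaving a local VM port."""
        src = self.ports.get(frame.in_port)
        if src is None or src.mac != frame.dl_src:
            return 'drop'           # not a local port, or spoofed source MAC
        if frame.dl_type in self.permitted:
            self.trace.append(f'table={BASE_EGRESS_TABLE} bypass -> table={ACCEPTED_EGRESS_NORMAL}')
            return 'accept'
        if frame.dl_type in STANDARD_ETHERTYPES:
            return 'accept'         # SG rule tables would run here; assumed to allow it
        return 'drop'               # everything else hits the default drop flow

    def ingress(self, frame):
        """Table 81: frame about to be delivered to a local VM port."""
        dst = self._local_port_for_mac(frame.dl_dst)
        if dst is None:
            return 'drop'
        if frame.dl_type in self.permitted and self.ingress_bypass:
            self.trace.append(f'table={BASE_INGRESS_TABLE} bypass -> output:{dst.ofport}')
            return f'output:{dst.ofport}'
        if frame.dl_type in STANDARD_ETHERTYPES:
            return f'output:{dst.ofport}'
        return 'drop'

    def forward(self, frame):
        """Disposition of one frame on its way through the integration bridge."""
        if frame.in_port is not None and self.egress(frame) == 'drop':
            return 'dropped at egress'
        if self._local_port_for_mac(frame.dl_dst) is None:
            return 'sent to physical/tunnel bridge'
        verdict = self.ingress(frame)
        return 'dropped at ingress' if verdict == 'drop' else f'delivered via {verdict}'


if __name__ == '__main__':
    # constructed sample: two local VM ports and one permitted custom ethertype
    ports = [Port(1, 'fa:16:3e:00:00:01'), Port(2, 'fa:16:3e:00:00:02')]
    frame = Frame(0x4321, 'fa:16:3e:00:00:01', 'fa:16:3e:00:00:02', in_port=1)
    print('fixed :', OvsFirewall(['0x4321'], ports).forward(frame))
    print('buggy :', OvsFirewall(['0x4321'], ports, ingress_bypass=False).forward(frame))
```

The `trace` list records which bypass fired, which is the kind of evidence to look for on a real host: a permitted-ethertype flow in both the base egress and the base ingress table, not just the egress one.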

Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
importance: Undecided → Medium
tags: added: ovs-fw
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/876563

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/876563
Committed: https://opendev.org/openstack/neutron/commit/008277b8c12d99438951a308b278203fa7a7c3ef
Submitter: "Zuul (22348)"
Branch: master

commit 008277b8c12d99438951a308b278203fa7a7c3ef
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100

    [OVS] Allow custom ethertype traffic in the ingress table

    This patch is a partial revert of [1], reinstating the code merged
    in [2]. This patch is complementary to [1]: the traffic with
    custom ethertypes is allowed in the ingress processing tables, in the
    same way that [1] allows all traffic from the virtual machine ports in this
    host to leave the node. Both this patch and [1] bypass the
    OVS firewall only for the traffic with the configured allowed
    ethertypes and only for/to the local ports and MAC addresses.

    Any other traffic, not coming from a local port or destined to
    a local port, will be blocked as it is now.

    [1] https://review.opendev.org/c/openstack/neutron/+/678021
    [2] https://review.opendev.org/c/openstack/neutron/+/668224/

    Closes-Bug: #2009221
    Related-Bug: #1832758
    Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/877585

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/877586

description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/877605

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/877607

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/877608

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/877585
Committed: https://opendev.org/openstack/neutron/commit/17faa288cedcdb7a365be3105f281cfd957a1464
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 17faa288cedcdb7a365be3105f281cfd957a1464
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100

    [OVS] Allow custom ethertype traffic in the ingress table

    This patch is a partial revert of [1], reinstating the code merged
    in [2]. This patch is complementary to [1]: the traffic with
    custom ethertypes is allowed in the ingress processing tables, in the
    same way that [1] allows all traffic from the virtual machine ports in this
    host to leave the node. Both this patch and [1] bypass the
    OVS firewall only for the traffic with the configured allowed
    ethertypes and only for/to the local ports and MAC addresses.

    Any other traffic, not coming from a local port or destined to
    a local port, will be blocked as it is now.

    [1] https://review.opendev.org/c/openstack/neutron/+/678021
    [2] https://review.opendev.org/c/openstack/neutron/+/668224/

    Closes-Bug: #2009221
    Related-Bug: #1832758
    Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c
    (cherry picked from commit 008277b8c12d99438951a308b278203fa7a7c3ef)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.0.0rc2

This issue was fixed in the openstack/neutron 22.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/877586
Committed: https://opendev.org/openstack/neutron/commit/138a47bfd62252ddea8ff7ccdedff265e99cfb0e
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 138a47bfd62252ddea8ff7ccdedff265e99cfb0e
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100

    [OVS] Allow custom ethertype traffic in the ingress table

    This patch is a partial revert of [1], reinstating the code merged
    in [2]. This patch is complementary to [1]: the traffic with
    custom ethertypes is allowed in the ingress processing tables, in the
    same way that [1] allows all traffic from the virtual machine ports in this
    host to leave the node. Both this patch and [1] bypass the
    OVS firewall only for the traffic with the configured allowed
    ethertypes and only for/to the local ports and MAC addresses.

    Any other traffic, not coming from a local port or destined to
    a local port, will be blocked as it is now.

    [1] https://review.opendev.org/c/openstack/neutron/+/678021
    [2] https://review.opendev.org/c/openstack/neutron/+/668224/

    Closes-Bug: #2009221
    Related-Bug: #1832758
    Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c
    (cherry picked from commit 008277b8c12d99438951a308b278203fa7a7c3ef)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/877608
Committed: https://opendev.org/openstack/neutron/commit/8c7f3b61f75368f05369785f7931b5134a7e93fa
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 8c7f3b61f75368f05369785f7931b5134a7e93fa
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100

    [OVS] Allow custom ethertype traffic in the ingress table

    This patch is a partial revert of [1], reinstating the code merged
    in [2]. This patch is complementary to [1]: the traffic with
    custom ethertypes is allowed in the ingress processing tables, in the
    same way that [1] allows all traffic from the virtual machine ports in this
    host to leave the node. Both this patch and [1] bypass the
    OVS firewall only for the traffic with the configured allowed
    ethertypes and only for/to the local ports and MAC addresses.

    Any other traffic, not coming from a local port or destined to
    a local port, will be blocked as it is now.

    [1] https://review.opendev.org/c/openstack/neutron/+/678021
    [2] https://review.opendev.org/c/openstack/neutron/+/668224/

    Conflicts:
           doc/source/admin/config-ovsfwdriver.rst
           neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

    Closes-Bug: #2009221
    Related-Bug: #1832758
    Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c
    (cherry picked from commit 008277b8c12d99438951a308b278203fa7a7c3ef)
    (cherry picked from commit 5026d805fe01aaf237081c606f1d1bf87bbff6d4)

tags: added: in-stable-yoga
tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/877605
Committed: https://opendev.org/openstack/neutron/commit/1e244c57c51f02ac9e10e91740da67fb88bdd9ec
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 1e244c57c51f02ac9e10e91740da67fb88bdd9ec
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100

    [OVS] Allow custom ethertype traffic in the ingress table

    This patch is a partial revert of [1], reinstating the code merged
    in [2]. This patch is complementary to [1]: the traffic with
    custom ethertypes is allowed in the ingress processing tables, in the
    same way that [1] allows all traffic from the virtual machine ports in this
    host to leave the node. Both this patch and [1] bypass the
    OVS firewall only for the traffic with the configured allowed
    ethertypes and only for/to the local ports and MAC addresses.

    Any other traffic, not coming from a local port or destined to
    a local port, will be blocked as it is now.

    [1] https://review.opendev.org/c/openstack/neutron/+/678021
    [2] https://review.opendev.org/c/openstack/neutron/+/668224/

    Conflicts:
           doc/source/admin/config-ovsfwdriver.rst
           neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

    Closes-Bug: #2009221
    Related-Bug: #1832758
    Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c
    (cherry picked from commit 008277b8c12d99438951a308b278203fa7a7c3ef)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/877607
Committed: https://opendev.org/openstack/neutron/commit/f5b6c2afd8c4d4c47d7f0efd91a23d3cc550aabd
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit f5b6c2afd8c4d4c47d7f0efd91a23d3cc550aabd
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100

    [OVS] Allow custom ethertype traffic in the ingress table

    This patch is a partial revert of [1], reinstating the code merged
    in [2]. This patch is complementary to [1]: the traffic with
    custom ethertypes is allowed in the ingress processing tables, in the
    same way that [1] allows all traffic from the virtual machine ports in this
    host to leave the node. Both this patch and [1] bypass the
    OVS firewall only for the traffic with the configured allowed
    ethertypes and only for/to the local ports and MAC addresses.

    Any other traffic, not coming from a local port or destined to
    a local port, will be blocked as it is now.

    [1] https://review.opendev.org/c/openstack/neutron/+/678021
    [2] https://review.opendev.org/c/openstack/neutron/+/668224/

    Conflicts:
           doc/source/admin/config-ovsfwdriver.rst
           neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

    Closes-Bug: #2009221
    Related-Bug: #1832758
    Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c
    (cherry picked from commit 008277b8c12d99438951a308b278203fa7a7c3ef)
    (cherry picked from commit 5026d805fe01aaf237081c606f1d1bf87bbff6d4)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.7.0

This issue was fixed in the openstack/neutron 19.7.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 23.0.0.0b2

This issue was fixed in the openstack/neutron 23.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.1.1

This issue was fixed in the openstack/neutron 21.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.3.1

This issue was fixed in the openstack/neutron 20.3.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron wallaby-eom

This issue was fixed in the openstack/neutron wallaby-eom release.
