| 2023-03-16 09:34:20 |
Rodolfo Alonso |
description |
This bug is related to https://bugs.launchpad.net/neutron/+bug/1832758.
In [1], the ability to allow custom ethertypes was added to the OVS native firewall. This patch was adding a bypass for traffic with custom ethertypes and a MAC address matching one of the local ports in this OVS (in the table 60 the traffic should match the VLAN tag and the destination MAC).
In [2], this piece of code was moved to the EGRESS section to allow the traffic sent by a port with one of the allowed custom ethertypes to bypass the firewall and go directly to the accepted egress table, where the traffic is sent explicitly to the corresponding physical bridge or tunnel bridge, depending on the network type.
None of these patches can live without the other. Now we are missing the code of the first one [1], removed by the second one [2]: we need an explicit bypass in the INGRESS section to allow this traffic and sent it directly to the corresponding port.
[1]https://review.opendev.org/c/openstack/neutron/+/668224
[2]https://review.opendev.org/c/openstack/neutron/+/678021 |
Related bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2171906.
This bug is related to https://bugs.launchpad.net/neutron/+bug/1832758.
In [1], the ability to allow custom ethertypes was added to the OVS native firewall. This patch was adding a bypass for traffic with custom ethertypes and a MAC address matching one of the local ports in this OVS (in the table 60 the traffic should match the VLAN tag and the destination MAC).
In [2], this piece of code was moved to the EGRESS section to allow the traffic sent by a port with one of the allowed custom ethertypes to bypass the firewall and go directly to the accepted egress table, where the traffic is sent explicitly to the corresponding physical bridge or tunnel bridge, depending on the network type.
None of these patches can live without the other. Now we are missing the code of the first one [1], removed by the second one [2]: we need an explicit bypass in the INGRESS section to allow this traffic and sent it directly to the corresponding port.
[1]https://review.opendev.org/c/openstack/neutron/+/668224
[2]https://review.opendev.org/c/openstack/neutron/+/678021 |
|
