Comment 23 for bug 2051351

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (unmaintained/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/921948
Committed: https://opendev.org/openstack/neutron/commit/982eab5576b8deaded3a403c407f22500dbb6457
Submitter: "Zuul (22348)"
Branch: unmaintained/victoria

commit 982eab5576b8deaded3a403c407f22500dbb6457
Author: LIU Yulong <email address hidden>
Date: Thu Jan 27 17:01:43 2022 +0800

    Add a default goto table=94 for openvswitch fw

    If explicitly_egress_direct=True is enabled and a port is set with
    no security group and port_security=False, the ingress
    flood will reappear. The pipeline is:
    Ingress
    table_0 -> table_60 -> NORMAL -> VM
    Egress
    table_0 -> ... -> table_94 -> output

    Because ingress final action is normal, the br-int will learn the
    source MAC, but egress final action is output. So the VM's MAC will
    never be learnt by the br-int. Then ingress flood comes again.

    This patch adds a default direct flow to table 94 during the
    openflow security group init and explicitly_egress_direct=True, then
    the pipeline will be:
    Ingress
    table_0 -> table_60 -> table_94 -> output VM
    Egress
    table_0 -> ... -> table_94 -> output

    And this patch adds the flows coming from the patch port, which will
    match the local vlan and then go to table 94 to do the same direct actions.

    Above flood issue will be addressed by these flows.

    Closes-Bug: #2051351
    Change-Id: Ia61784174ee610b338f26660b2954330abc131a1
    (cherry picked from commit d6f56c5f96c42e1682f3d1723a65253429778c20)
    (cherry picked from commit f94f8b63842099904ff88906e8221a366a809f99)
    (cherry picked from commit fc7fa9cf308766cdbf29b8cf4d3aaad867738dc0)
        Conflict with 02b12b09175 in neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
    (cherry picked from commit 1045985c76dbea8851e6ced72d09a0f9bc58a59d)
        Conflict with 5b64ac90133 in neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py
    (cherry picked from commit c32eb5669a542470bf659f79697517f5682ec19e)
    (cherry picked from commit 7992ca9bec5c7194bc390c1bc4a4bb3793eb607a)
        Conflict with 053a9d24eca in neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
    (cherry picked from commit 01e4a647eee7ccd7c4ea85fe5b1b8ec295e90c9e)
        Conflict with 56e8498a4da in neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
    (cherry picked from commit 3e2e1819ddeaa87b82c4c686f4f3bf9f83e8697f)
        Conflict with 4f249b8579a in doc/source/contributor/internals/openvswitch_firewall.rst avoided by cherry-picking 4f249b8579a first
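
The MAC-learning asymmetry described in the commit message, as a simplified Python model added here (not code from neutron or from the commit). The port names, MAC addresses and the `BrInt` class are constructed for illustration; the model assumes NORMAL learns the source MAC and floods unknown destinations, while a direct output in table 94 does neither.

```python
# Simplified model (assumption): NORMAL learns the source MAC on the ingress
# port and floods unknown destinations; a direct "output" does neither.
VM1, VM2, PATCH = "tap-vm1", "tap-vm2", "patch-tun"   # hypothetical port names
MAC_VM1, MAC_REMOTE = "fa:16:3e:00:00:01", "fa:16:3e:00:00:99"  # constructed

class BrInt:
    def __init__(self, table94_default):
        self.ports = [VM1, VM2, PATCH]
        self.fdb = {}                     # MAC table, written only by NORMAL
        self.direct = {MAC_VM1: VM1}      # table 94: local dst MAC -> port
        self.table94_default = table94_default  # True models the patched agent

    def _normal(self, in_port, src, dst):
        self.fdb[src] = in_port           # NORMAL learns the source MAC
        if dst in self.fdb:
            return [self.fdb[dst]]
        return [p for p in self.ports if p != in_port]  # unknown dst: flood

    def _table94(self, in_port, dst):
        out = self.direct.get(dst, PATCH)  # non-local dst: uplink (simplified)
        return [] if out == in_port else [out]  # direct output, nothing learned

    def egress(self, in_port, dst):
        # VM -> network: table_0 -> ... -> table_94 -> output
        return self._table94(in_port, dst)

    def ingress(self, src, dst):
        # network -> VM: table_0 -> table_60 -> table_94 (patched) or NORMAL
        if self.table94_default:
            return self._table94(PATCH, dst)
        return self._normal(PATCH, src, dst)

def run(table94_default, rounds=3):
    """Replay request/reply rounds; return per-round ingress delivery and the FDB."""
    br = BrInt(table94_default)
    delivered = []
    for _ in range(rounds):
        delivered.append(br.ingress(MAC_REMOTE, MAC_VM1))
        br.egress(VM1, MAC_REMOTE)        # the reply never reaches NORMAL
    return delivered, br.fdb

if __name__ == "__main__":
    for patched in (False, True):
        delivered, fdb = run(patched)
        print("patched" if patched else "unpatched", delivered, fdb)
```

In the unpatched run every ingress frame for VM1 is also delivered to VM2's port, however many replies VM1 sends, because its MAC never enters the learning table.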