commit 982eab5576b8deaded3a403c407f22500dbb6457
Author: LIU Yulong <email address hidden>
Date: Thu Jan 27 17:01:43 2022 +0800
Add a default goto table=94 for openvswitch fw

If enable explicitly_egress_direct=True and set port as
no security group and port_security=False, the ingress
flood will reappear. The pipeline is:

Ingress
table_0 -> table_60 -> NORMAL -> VM
Egress
table_0 -> ... -> table_94 -> output

Because ingress final action is normal, the br-int will learn the
source MAC, but egress final action is output. So VM's mac will
never be learnt by the br-int. Then ingress flood comes again.

This patch adds a default direct flow to table 94 during the
openflow security group init and explicitly_egress_direct=True, then
the pipeline will be:

Ingress
table_0 -> table_60 -> table_94 -> output VM
Egress
table_0 -> ... -> table_94 -> output

And this patch adds the flows coming from patch port which will
match local vlan then go to table 94 do the same direct actions.
Above flood issue will be addressed by these flows.
Closes-Bug: #2051351
Change-Id: Ia61784174ee610b338f26660b2954330abc131a1
(cherry picked from commit d6f56c5f96c42e1682f3d1723a65253429778c20)
(cherry picked from commit f94f8b63842099904ff88906e8221a366a809f99)
(cherry picked from commit fc7fa9cf308766cdbf29b8cf4d3aaad867738dc0)
Conflict with 02b12b09175 in neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
(cherry picked from commit 1045985c76dbea8851e6ced72d09a0f9bc58a59d)
Conflict with 5b64ac90133 in neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py
(cherry picked from commit c32eb5669a542470bf659f79697517f5682ec19e)
(cherry picked from commit 7992ca9bec5c7194bc390c1bc4a4bb3793eb607a)
Conflict with 053a9d24eca in neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
(cherry picked from commit 01e4a647eee7ccd7c4ea85fe5b1b8ec295e90c9e)
Conflict with 56e8498a4da in neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
(cherry picked from commit 3e2e1819ddeaa87b82c4c686f4f3bf9f83e8697f)
Conflict with 4f249b8579a in doc/source/contributor/internals/openvswitch_firewall.rst avoided by cherry-picking 4f249b8579a first
Reviewed: https://review.opendev.org/c/openstack/neutron/+/921948
Committed: https://opendev.org/openstack/neutron/commit/982eab5576b8deaded3a403c407f22500dbb6457
Submitter: "Zuul (22348)"
Branch: unmaintained/victoria
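
The MAC-learning gap described in the commit message, as an added toy model that is not Neutron or Open vSwitch code. The `BrInt` class, port names and MAC addresses are constructed for illustration, and table 94 is modeled as a plain MAC-to-port lookup, which is an assumption of this sketch.

```python
UPLINK = "patch-port"  # hypothetical name for the port toward the physical network

class BrInt:
    """Toy integration bridge with one local VLAN (constructed model)."""

    def __init__(self, vm_ports, ingress_direct):
        self.vm_ports = dict(vm_ports)  # MAC -> port; stands in for table 94 direct flows
        self.fdb = {}                   # MAC -> port; written only by the NORMAL action
        self.ingress_direct = ingress_direct

    def _normal(self, in_port, src, dst):
        # NORMAL: learn the source MAC, flood when the destination is unknown.
        self.fdb[src] = in_port
        if dst in self.fdb:
            return {self.fdb[dst]}
        return (set(self.vm_ports.values()) | {UPLINK}) - {in_port}

    def _table_94(self, dst):
        # Direct output: forward to one port and learn nothing.
        return {self.vm_ports.get(dst, UPLINK)}

    def egress(self, src, dst):
        # table_0 -> ... -> table_94 -> output (same before and after the patch)
        return self._table_94(dst)

    def ingress(self, src, dst):
        # Before: table_0 -> table_60 -> NORMAL. After: table_60 -> table_94 -> output.
        if self.ingress_direct:
            return self._table_94(dst)
        return self._normal(UPLINK, src, dst)

def reply_receivers(ingress_direct, rounds=3):
    """Ports that see each reply to vm1 after vm1 has sent traffic out."""
    vms = {"fa:16:3e:00:00:01": "vm1",   # constructed sample MACs and ports
           "fa:16:3e:00:00:02": "vm2",
           "fa:16:3e:00:00:03": "vm3"}
    br = BrInt(vms, ingress_direct)
    vm1_mac, remote_mac = "fa:16:3e:00:00:01", "fa:16:3e:00:00:99"
    seen = []
    for _ in range(rounds):
        br.egress(vm1_mac, remote_mac)  # output action: vm1's MAC is never learnt
        seen.append(sorted(br.ingress(remote_mac, vm1_mac)))
    return seen

if __name__ == "__main__":
    print("NORMAL ingress:  ", reply_receivers(ingress_direct=False))
    print("table 94 ingress:", reply_receivers(ingress_direct=True))
```

With NORMAL as the ingress action, every reply reaches vm2 and vm3 as well as vm1, no matter how many packets vm1 has already sent. With ingress routed through table 94, each reply reaches vm1 only.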