NSXv3: Allowed address pairs is not functional with new mac_address

Bug #1631539 reported by Tong Liu
This bug affects 1 person
Affects: vmware-nsx
Status: Fix Released
Importance: Undecided
Assigned to: Tong Liu
Milestone: -

Bug Description

Problem:
If we add allowed address pairs with ip_address only, it works as expected. However, if we add allowed address pairs with both ip_address and mac_address, packets with the new mac_address are dropped on this neutron port.

Tong Liu (liutong)
Changed in vmware-nsx:
assignee: nobody → Tong Liu (liutong)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to vmware-nsx (master)

Fix proposed to branch: master
Review: https://review.openstack.org/383952

Changed in vmware-nsx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to vmware-nsx (master)

Reviewed: https://review.openstack.org/383952
Committed: https://git.openstack.org/cgit/openstack/vmware-nsx/commit/?id=c12d8f88cb59b9048e642ee623fed0fdc310ab08
Submitter: Jenkins
Branch: master

commit c12d8f88cb59b9048e642ee623fed0fdc310ab08
Author: Tong Liu <email address hidden>
Date: Fri Oct 7 22:01:24 2016 +0000

    NSXv3: Fix allowed address pairs switching profile

    For allowed address pairs to be functional on the NSXv3 plugin, we
    need to enforce both the Spoof Guard and MAC Learning switching
    profiles. MAC Learning is used to learn the MAC address, and
    Spoof Guard is used for switch security to ensure that only the
    added allowed address pairs are allowed on this port.

    Moreover, while fixing bug #1631540, we removed the parameter
    "mac_change_allowed". After further discussion with the NSX team,
    it doesn't have a negative effect to add it back. The value it can
    bring is to support a guest VM on an ESX host changing its MAC
    address (the mac_address still needs to be in allowed address
    pairs) on the interface.

    Change-Id: I2c725df74835165587170f6136c06494d1bfcf7b
    Closes-Bug: #1631539

Changed in vmware-nsx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to vmware-nsx (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/386787

OpenStack Infra (hudson-openstack) wrote : Fix merged to vmware-nsx (stable/newton)

Reviewed: https://review.openstack.org/386787
Committed: https://git.openstack.org/cgit/openstack/vmware-nsx/commit/?id=4ccfdcc75ed8e653e1ca39e17931491e610825aa
Submitter: Jenkins
Branch: stable/newton

commit 4ccfdcc75ed8e653e1ca39e17931491e610825aa
Author: Tong Liu <email address hidden>
Date: Fri Oct 7 22:01:24 2016 +0000

    NSXv3: Fix allowed address pairs switching profile

    For allowed address pairs to be functional on the NSXv3 plugin, we
    need to enforce both the Spoof Guard and MAC Learning switching
    profiles. MAC Learning is used to learn the MAC address, and
    Spoof Guard is used for switch security to ensure that only the
    added allowed address pairs are allowed on this port.

    Moreover, while fixing bug #1631540, we removed the parameter
    "mac_change_allowed". After further discussion with the NSX team,
    it doesn't have a negative effect to add it back. The value it can
    bring is to support a guest VM on an ESX host changing its MAC
    address (the mac_address still needs to be in allowed address
    pairs) on the interface.

    Change-Id: I2c725df74835165587170f6136c06494d1bfcf7b
    Closes-Bug: #1631539
    (cherry picked from commit c12d8f88cb59b9048e642ee623fed0fdc310ab08)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix proposed to vmware-nsx (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/386953

OpenStack Infra (hudson-openstack) wrote : Fix merged to vmware-nsx (stable/mitaka)

Reviewed: https://review.openstack.org/386953
Committed: https://git.openstack.org/cgit/openstack/vmware-nsx/commit/?id=ad74f9be728aa663b221d0276107d54d4c1f2599
Submitter: Jenkins
Branch: stable/mitaka

commit ad74f9be728aa663b221d0276107d54d4c1f2599
Author: Tong Liu <email address hidden>
Date: Fri Oct 7 22:01:24 2016 +0000

    NSXv3: Fix allowed address pairs switching profile

    For allowed address pairs to be functional on the NSXv3 plugin, we
    need to enforce both the Spoof Guard and MAC Learning switching
    profiles. MAC Learning is used to learn the MAC address, and
    Spoof Guard is used for switch security to ensure that only the
    added allowed address pairs are allowed on this port.

    Moreover, while fixing bug #1631540, we removed the parameter
    "mac_change_allowed". After further discussion with the NSX team,
    it doesn't have a negative effect to add it back. The value it can
    bring is to support a guest VM on an ESX host changing its MAC
    address (the mac_address still needs to be in allowed address
    pairs) on the interface.

    Change-Id: I2c725df74835165587170f6136c06494d1bfcf7b
    Closes-Bug: #1631539
    (cherry picked from commit c12d8f88cb59b9048e642ee623fed0fdc310ab08)

tags: added: in-stable-mitaka
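
The rule stated in the commit message above (Spoof Guard to enforce the allowed list, MAC Learning for any additional MAC) can be checked across a deployment with a small audit. This is an added example, not code from the vmware-nsx project: the port dictionaries follow the Neutron port fields named in the bug, while the `PROFILES` inventory format and the `audit` and `extra_macs` helpers are hypothetical and all sample data is constructed.

```python
# Added illustration: flags ports whose switching-profile state does not match
# the rule in the commit message. PROFILES is a hypothetical, simplified
# inventory (port id -> enabled profiles), not the NSX API representation.

def extra_macs(port):
    """Return pair MACs that differ from the port's own MAC, lower-cased."""
    own = port["mac_address"].lower()
    macs = set()
    for pair in port.get("allowed_address_pairs") or []:
        # Neutron uses the port's own MAC when a pair omits mac_address.
        mac = (pair.get("mac_address") or own).lower()
        if mac != own:
            macs.add(mac)
    return sorted(macs)


def audit(ports, profiles):
    """Return (port_id, problem) tuples for ports that break the rule."""
    findings = []
    for port in ports:
        if not port.get("allowed_address_pairs"):
            continue  # nothing to enforce or learn on this port
        state = profiles.get(port["id"], {})
        if not state.get("spoof_guard"):
            findings.append((port["id"],
                             "spoof guard missing: allowed list not enforced"))
        macs = extra_macs(port)
        if macs and not state.get("mac_learning"):
            # The symptom reported in this bug: frames from the new MAC drop.
            findings.append((port["id"],
                             "MAC learning missing for " + ", ".join(macs)))
    return findings


# Constructed sample data.
PORTS = [
    {"id": "port-a", "mac_address": "fa:16:3e:00:00:01",
     "allowed_address_pairs": [{"ip_address": "10.0.0.50"}]},
    {"id": "port-b", "mac_address": "fa:16:3e:00:00:02",
     "allowed_address_pairs": [{"ip_address": "10.0.0.60",
                                "mac_address": "FA:16:3E:AA:BB:CC"}]},
    {"id": "port-c", "mac_address": "fa:16:3e:00:00:03",
     "allowed_address_pairs": []},
]
PROFILES = {
    "port-a": {"spoof_guard": True, "mac_learning": False},
    "port-b": {"spoof_guard": True, "mac_learning": False},
    "port-c": {"spoof_guard": False, "mac_learning": False},
}

if __name__ == "__main__":
    for port_id, problem in audit(PORTS, PROFILES):
        print(port_id, problem)
```
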