Should forward only first accepted packet to table 91 and 92
From a performance perspective, we should only log the first
accepted packet. Therefore we need to forward only the first accepted
packet of each connection session to table 91 and table 92.
This is also an effort to sync up with ovsfw on the neutron side [1].
[1] https://review.openstack.org/#/c/591547/
Related-Bug: #1782576
Change-Id: Iac01088bf2c76e3f28000389596f5a1a85478d9a
(cherry picked from commit 93c71ce98a
)
This commit is contained in:
parent
5863c57e7c
commit
1b1c91c19c
|
@ -544,9 +544,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
dl_type=constants.ETHERTYPE_IPV6,
|
dl_type=constants.ETHERTYPE_IPV6,
|
||||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||||
icmp_type=icmp_type,
|
icmp_type=icmp_type,
|
||||||
actions='resubmit(,%d)' % (
|
actions='normal')
|
||||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
|
||||||
)
|
|
||||||
|
|
||||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||||
# which differs in constants (table numbers) and exception classes
|
# which differs in constants (table numbers) and exception classes
|
||||||
|
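Review bot: Replacing `resubmit(,ACCEPTED_EGRESS_TRAFFIC_TABLE)` with `normal` here, and with `normal` or `output:{ofport}` in the hunks at `-582`, `-622`, `-746`, `-780`, `-815`, `-829`, `-847` and `-902`, means these base and established flows never reach tables 91/92 at all, which is stronger than the "first accepted packet only" wording of the commit message; whatever logging or inspection lives in those tables will no longer see ARP, ICMPv6, DHCP or established traffic on these paths. If that is the intended trade-off it should be stated at the first such flow, e.g. `# Base/established traffic bypasses the ACCEPTED_*_TRAFFIC tables; only the first packet of a session is forwarded there (see create_accept_flows)`, so a later reader does not re-add the resubmit to "fix" missing log entries. The closing of the call is also inconsistent across these hunks: this one merges the paren into `actions='normal')` while `-582` keeps `actions='normal',` and a separate `)`; pick one form. The enclosing methods start and end outside each hunk.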
@ -582,8 +580,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
||||||
priority=80,
|
priority=80,
|
||||||
reg_port=ovs_port.ofport,
|
reg_port=ovs_port.ofport,
|
||||||
actions='resubmit(,%d)' % (
|
actions='normal',
|
||||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
|
||||||
)
|
)
|
||||||
|
|
||||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||||
|
@ -622,8 +619,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
dl_src=mac_addr,
|
dl_src=mac_addr,
|
||||||
dl_type=constants.ETHERTYPE_ARP,
|
dl_type=constants.ETHERTYPE_ARP,
|
||||||
arp_spa=ip_addr,
|
arp_spa=ip_addr,
|
||||||
actions='resubmit(,%d)' % (
|
actions='normal'
|
||||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
|
||||||
)
|
)
|
||||||
self._add_flow(
|
self._add_flow(
|
||||||
table=fwaas_ovs_consts.FW_BASE_EGRESS_TABLE,
|
table=fwaas_ovs_consts.FW_BASE_EGRESS_TABLE,
|
||||||
|
@ -746,8 +742,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
||||||
priority=80,
|
priority=80,
|
||||||
reg_port=port.ofport,
|
reg_port=port.ofport,
|
||||||
actions='resubmit(,%d)' % (
|
actions='normal'
|
||||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
|
||||||
)
|
)
|
||||||
|
|
||||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||||
|
@ -780,8 +775,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
||||||
reg_port=port.ofport,
|
reg_port=port.ofport,
|
||||||
ct_zone=port.vlan_tag,
|
ct_zone=port.vlan_tag,
|
||||||
actions='resubmit(,%d)' % (
|
actions='normal'
|
||||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
|
||||||
)
|
)
|
||||||
self._add_flow(
|
self._add_flow(
|
||||||
table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
|
table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
|
||||||
|
@ -815,9 +809,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
dl_type=constants.ETHERTYPE_IPV6,
|
dl_type=constants.ETHERTYPE_IPV6,
|
||||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||||
icmp_type=icmp_type,
|
icmp_type=icmp_type,
|
||||||
actions='output:{:d},resubmit(,{:d})'.format(
|
actions='output:{:d}'.format(port.ofport)
|
||||||
port.ofport,
|
|
||||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
|
||||||
)
|
)
|
||||||
|
|
||||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||||
|
@ -829,9 +821,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
priority=100,
|
priority=100,
|
||||||
dl_type=constants.ETHERTYPE_ARP,
|
dl_type=constants.ETHERTYPE_ARP,
|
||||||
reg_port=port.ofport,
|
reg_port=port.ofport,
|
||||||
actions='output:{:d},resubmit(,{:d})'.format(
|
actions='output:{:d}'.format(port.ofport)
|
||||||
port.ofport,
|
|
||||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
|
||||||
)
|
)
|
||||||
self._initialize_ingress_ipv6_icmp(port)
|
self._initialize_ingress_ipv6_icmp(port)
|
||||||
|
|
||||||
|
@ -847,9 +837,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
nw_proto=lib_const.PROTO_NUM_UDP,
|
nw_proto=lib_const.PROTO_NUM_UDP,
|
||||||
tp_src=src_port,
|
tp_src=src_port,
|
||||||
tp_dst=dst_port,
|
tp_dst=dst_port,
|
||||||
actions='output:{:d},resubmit(,{:d})'.format(
|
actions='output:{:d}'.format(port.ofport)
|
||||||
port.ofport,
|
|
||||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
|
||||||
)
|
)
|
||||||
|
|
||||||
# Track untracked
|
# Track untracked
|
||||||
|
@ -902,9 +890,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
||||||
ct_state=state,
|
ct_state=state,
|
||||||
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
||||||
ct_zone=port.vlan_tag,
|
ct_zone=port.vlan_tag,
|
||||||
actions='output:{:d},resubmit(,{:d})'.format(
|
actions='output:{:d}'.format(port.ofport)
|
||||||
port.ofport,
|
|
||||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
|
||||||
)
|
)
|
||||||
self._add_flow(
|
self._add_flow(
|
||||||
table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||||
|
|
|
@ -88,9 +88,7 @@ def populate_flow_common(direction, flow_template, port):
|
||||||
"""Initialize common flow fields."""
|
"""Initialize common flow fields."""
|
||||||
if direction == n_consts.INGRESS_DIRECTION:
|
if direction == n_consts.INGRESS_DIRECTION:
|
||||||
flow_template['table'] = fwaas_ovs_consts.FW_RULES_INGRESS_TABLE
|
flow_template['table'] = fwaas_ovs_consts.FW_RULES_INGRESS_TABLE
|
||||||
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
|
flow_template['actions'] = "output:{:d}".format(port.ofport)
|
||||||
port.ofport,
|
|
||||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
|
||||||
elif direction == n_consts.EGRESS_DIRECTION:
|
elif direction == n_consts.EGRESS_DIRECTION:
|
||||||
flow_template['table'] = fwaas_ovs_consts.FW_RULES_EGRESS_TABLE
|
flow_template['table'] = fwaas_ovs_consts.FW_RULES_EGRESS_TABLE
|
||||||
# Traffic can be both ingress and egress, check that no ingress rules
|
# Traffic can be both ingress and egress, check that no ingress rules
|
||||||
|
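Review bot: The ingress branch now sets only `output:{:d}` and nothing in this function says where the accepted-ingress resubmit went, so on its own the hunk reads as if ingress rule traffic is never forwarded to table 92. Since the restoration presumably happens in `create_accept_flows` for the ct(commit) flow only, a comment on the new line would keep that contract discoverable: `# No resubmit to ACCEPTED_INGRESS_TRAFFIC_TABLE here; create_accept_flows appends it to the ct(commit) flow so only the first packet of a session reaches that table`. The egress branch of populate_flow_common continues outside the hunk.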
@ -190,8 +188,11 @@ def create_accept_flows(flow, sg_enabled=False):
|
||||||
resubmit_to_sg(flow)
|
resubmit_to_sg(flow)
|
||||||
elif flow['table'] == fwaas_ovs_consts.FW_RULES_INGRESS_TABLE:
|
elif flow['table'] == fwaas_ovs_consts.FW_RULES_INGRESS_TABLE:
|
||||||
flow['actions'] = (
|
flow['actions'] = (
|
||||||
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
|
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
|
||||||
fwaas_ovs_consts.REG_NET, flow['actions']))
|
'resubmit(,{:d})'.format(
|
||||||
|
fwaas_ovs_consts.REG_NET, flow['actions'],
|
||||||
|
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||||
|
)
|
||||||
result.append(flow)
|
result.append(flow)
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
|
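Review bot: The action string is now split across three literals with the `.format` arguments on separate lines, which makes it easy to misalign a placeholder with its argument; since adjacent literals are concatenated before `.format` binds, one literal is clearer: `flow['actions'] = ('ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},resubmit(,{:d})'.format(fwaas_ovs_consts.REG_NET, flow['actions'], ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE))`, wrapped at the argument commas. A why-comment is also missing on this branch, e.g. `# The committing (first) packet of an ingress session is the only one forwarded to the accepted-ingress table`. The egress branch (`resubmit_to_sg`) sits above this hunk, so it is not visible here whether the egress ct(commit) flow gets the matching `resubmit(,ACCEPTED_EGRESS_TRAFFIC_TABLE)` that the commit message's "table 91" implies; please confirm. create_accept_flows starts outside the hunk.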
|
@ -16,8 +16,6 @@ import mock
|
||||||
from neutron_lib import constants
|
from neutron_lib import constants
|
||||||
|
|
||||||
from neutron.common import constants as n_const
|
from neutron.common import constants as n_const
|
||||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
|
|
||||||
as ovs_consts
|
|
||||||
from neutron.tests import base
|
from neutron.tests import base
|
||||||
|
|
||||||
from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\
|
from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\
|
||||||
|
@ -189,9 +187,8 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
||||||
rule = {'protocol': constants.PROTO_NUM_TCP}
|
rule = {'protocol': constants.PROTO_NUM_TCP}
|
||||||
expected_flows = [{
|
expected_flows = [{
|
||||||
'table': fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
'table': fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||||
'actions': 'output:1,resubmit(,%d)' % (
|
'actions': 'output:1',
|
||||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
'nw_proto': constants.PROTO_NUM_TCP
|
||||||
'nw_proto': constants.PROTO_NUM_TCP,
|
|
||||||
}]
|
}]
|
||||||
self._test_create_protocol_flows_helper(
|
self._test_create_protocol_flows_helper(
|
||||||
constants.INGRESS_DIRECTION, rule, expected_flows)
|
constants.INGRESS_DIRECTION, rule, expected_flows)
|
||||||
|
|
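Review bot: The updated expectation only asserts that the ingress rule flow lost its resubmit; together with the removal of the `ovs_consts` import in the hunk at `-16`, it looks like no test in this module now checks that `create_accept_flows` appends `resubmit(,ACCEPTED_INGRESS_TRAFFIC_TABLE)` to the ct(commit) ingress flow, which is the behaviour the commit relies on to keep logging the first packet. A test feeding a `FW_RULES_INGRESS_TABLE` flow through `create_accept_flows` and asserting its actions end in `'resubmit(,%d)' % ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE` would cover it (re-adding the import). Minor: the new `'nw_proto': constants.PROTO_NUM_TCP` line dropped the trailing comma the old literal had; keeping it matches the file's multi-line literal style.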