Merge "Adding new tables for future consumption"
commit
469593e84d
|
@ -241,6 +241,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
self._deferred = False
|
||||
self.sg_enabled = sg_enabled
|
||||
self._drop_all_unmatched_flows()
|
||||
self._initialize_third_party_tables()
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
def _accept_flow(self, **flow):
|
||||
|
@ -294,6 +295,16 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
continue
|
||||
self.int_br.br.add_flow(table=table, priority=0, actions='drop')
|
||||
|
||||
def _initialize_third_party_tables(self):
|
||||
self.int_br.br.add_flow(
|
||||
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE,
|
||||
priority=1,
|
||||
actions='normal')
|
||||
for table in (ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE,
|
||||
ovs_consts.DROPPED_TRAFFIC_TABLE):
|
||||
self.int_br.br.add_flow(
|
||||
table=table, priority=0, actions='drop')
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
def get_ovs_port(self, port_id):
|
||||
ovs_port = self.int_br.br.get_vif_port_by_id(port_id)
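Review bot: `_initialize_third_party_tables` has no docstring, yet its priorities are now a contract for whoever installs flows into these tables: `ACCEPTED_EGRESS_TRAFFIC_TABLE` forwards with `normal` at priority 1, while `ACCEPTED_INGRESS_TRAFFIC_TABLE` and `DROPPED_TRAFFIC_TABLE` fall through to `drop` at priority 0. Because the egress accept flows elsewhere in this commit resubmit to the egress table instead of forwarding themselves, a consumer flow that outranks priority 1 and does not itself end in `normal` would silently blackhole accepted egress traffic, and a forwarding action placed in `DROPPED_TRAFFIC_TABLE` would turn every firewall deny into an allow. I would add a docstring stating that consumers may only observe traffic in these tables and must preserve each table's default action, and say whether using `self.int_br.br.add_flow` directly (as `_drop_all_unmatched_flows` does) rather than the `self._add_flow` path used by the per-port flows is deliberate. The hunk also cuts into `_drop_all_unmatched_flows` and `get_ovs_port`, both of which continue outside it.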
|
||||
|
@ -520,7 +531,8 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='normal'
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
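Review bot: Accepted egress traffic is no longer forwarded by this flow itself; `actions='resubmit(,%d)' % (ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)` hands delivery to the priority-1 `normal` flow of that table, so egress forwarding now depends on a table explicitly reserved for third parties. The same substitution appears in the hunks at `@@ -557`, `@@ -596`, `@@ -710` and `@@ -750`, and nothing in the code says that the default flow must stay in place. A one-line comment at this first occurrence, `# Forwarding is done by the priority-1 'normal' flow in ACCEPTED_EGRESS_TRAFFIC_TABLE; consumers must keep it`, would make the dependency visible. The enclosing method starts outside this hunk.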
|
||||
|
@ -557,7 +569,8 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
||||
priority=80,
|
||||
reg_port=ovs_port.ofport,
|
||||
actions='normal'
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
|
@ -596,7 +609,8 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_src=mac_addr,
|
||||
dl_type=constants.ETHERTYPE_ARP,
|
||||
arp_spa=ip_addr,
|
||||
actions='normal'
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_BASE_EGRESS_TABLE,
|
||||
|
@ -661,7 +675,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
nw_proto=lib_const.PROTO_NUM_UDP,
|
||||
tp_src=src_port,
|
||||
tp_dst=dst_port,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
|
||||
# Drop Router Advertisements from instances
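Review bot: The UDP src/dst-port guard here (presumably the DHCP-server filter) no longer ends in `drop`; `actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE` relies on the priority-0 drop installed by `_initialize_third_party_tables`, so the deny is now only as strong as the contents of `DROPPED_TRAFFIC_TABLE`. Any higher-priority flow with a forwarding action placed there by a consumer would re-enable exactly the traffic these flows exist to block, and the same applies to the RA, not-tracked, invalid-state, removed-rule and not-established drops at `@@ -673`, `@@ -683`, `@@ -728`, `@@ -736`, `@@ -750`, `@@ -844`, `@@ -852` and `@@ -865`. I would put a comment at this first occurrence, `# Denied traffic is resubmitted rather than dropped here so a consumer (e.g. logging) can see it; the actual drop is DROPPED_TRAFFIC_TABLE's default flow`, and add a unit test asserting that the lowest-priority flow of that table is `drop`. The enclosing method starts outside this hunk.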
|
||||
|
@ -673,7 +687,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=lib_const.ICMPV6_TYPE_RA,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
|
||||
# Drop all remaining not tracked egress connections
|
||||
|
@ -683,7 +697,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
ct_state=fwaas_ovs_consts.OF_STATE_NOT_TRACKED,
|
||||
in_port=port.ofport,
|
||||
reg_port=port.ofport,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
|
||||
# Fill in accept_or_ingress table by checking that traffic is ingress
|
||||
|
@ -710,14 +724,17 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_type=ethertype,
|
||||
reg_port=port.ofport,
|
||||
ct_state=fwaas_ovs_consts.OF_STATE_NEW_NOT_ESTABLISHED,
|
||||
actions='ct(commit,zone=NXM_NX_REG{:d}[0..15]),normal'.
|
||||
format(fwaas_ovs_consts.REG_NET)
|
||||
actions='ct(commit,zone=NXM_NX_REG{:d}[0..15]),'
|
||||
'resubmit(,{:d})'.format(
|
||||
fwaas_ovs_consts.REG_NET,
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
||||
priority=80,
|
||||
reg_port=port.ofport,
|
||||
actions='normal'
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
|
@ -728,7 +745,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
|
||||
priority=50,
|
||||
ct_state=fwaas_ovs_consts.OF_STATE_INVALID,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
# Drop traffic for removed fwg rules
|
||||
self._add_flow(
|
||||
|
@ -736,7 +753,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
priority=50,
|
||||
reg_port=port.ofport,
|
||||
ct_mark=fwaas_ovs_consts.CT_MARK_INVALID,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
|
||||
for state in (
|
||||
|
@ -750,14 +767,15 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
||||
reg_port=port.ofport,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='normal'
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
|
||||
priority=40,
|
||||
reg_port=port.ofport,
|
||||
ct_state=fwaas_ovs_consts.OF_STATE_NOT_ESTABLISHED,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
|
||||
self._add_flow(
|
||||
|
@ -784,7 +802,9 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='output:{:d}'.format(port.ofport),
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
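Review bot: On the ingress side the packet is delivered before the resubmit — `'output:{:d},resubmit(,{:d})'` outputs to the port and only then enters `ACCEPTED_INGRESS_TRAFFIC_TABLE`, whose priority-0 default is `drop`. That makes the ingress table observe-only, the opposite of the egress table that performs the forwarding, and the asymmetry is not explained anywhere although a consumer adding flows to both tables has to know it. A comment at this first occurrence, `# output first, then resubmit: ACCEPTED_INGRESS_TRAFFIC_TABLE can only observe; its drop default does not undo delivery`, would also cover the identical change in `@@ -796`, `@@ -812`, `@@ -865` and in `populate_flow_common` (`@@ -87`). The enclosing method starts outside this hunk.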
|
||||
|
@ -796,7 +816,9 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
priority=100,
|
||||
dl_type=constants.ETHERTYPE_ARP,
|
||||
reg_port=port.ofport,
|
||||
actions='output:{:d}'.format(port.ofport),
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
)
|
||||
self._initialize_ingress_ipv6_icmp(port)
|
||||
|
||||
|
@ -812,7 +834,9 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
nw_proto=lib_const.PROTO_NUM_UDP,
|
||||
tp_src=src_port,
|
||||
tp_dst=dst_port,
|
||||
actions='output:{:d}'.format(port.ofport),
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
)
|
||||
|
||||
# Track untracked
|
||||
|
@ -844,7 +868,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||
priority=50,
|
||||
ct_state=fwaas_ovs_consts.OF_STATE_INVALID,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
# Drop traffic for removed fwg rules
|
||||
self._add_flow(
|
||||
|
@ -852,7 +876,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
priority=50,
|
||||
reg_port=port.ofport,
|
||||
ct_mark=fwaas_ovs_consts.CT_MARK_INVALID,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
|
||||
# Allow established and related connections
|
||||
|
@ -865,14 +889,16 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
ct_state=state,
|
||||
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||
priority=40,
|
||||
reg_port=port.ofport,
|
||||
ct_state=fwaas_ovs_consts.OF_STATE_NOT_ESTABLISHED,
|
||||
actions='drop'
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
|
||||
self._add_flow(
|
||||
@ -87,7 +87,9 @@ def populate_flow_common(direction, flow_template, port):
|
|||
"""Initialize common flow fields."""
|
||||
if direction == n_consts.INGRESS_DIRECTION:
|
||||
flow_template['table'] = fwaas_ovs_consts.FW_RULES_INGRESS_TABLE
|
||||
flow_template['actions'] = "output:{:d}".format(port.ofport)
|
||||
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
elif direction == n_consts.EGRESS_DIRECTION:
|
||||
flow_template['table'] = fwaas_ovs_consts.FW_RULES_EGRESS_TABLE
|
||||
# Traffic can be both ingress and egress, check that no ingress rules
|
||||
|
@ -196,5 +198,9 @@ def create_accept_flows(flow, sg_enabled=False):
|
|||
def create_drop_flows(flow):
|
||||
if flow['table'] in [fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||
fwaas_ovs_consts.FW_RULES_EGRESS_TABLE]:
|
||||
flow['actions'] = 'drop'
|
||||
return [flow]
|
||||
flow['actions'] = 'resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
flow['ct_state'] = fwaas_ovs_consts.OF_STATE_NEW_NOT_ESTABLISHED
|
||||
result = [flow.copy()]
|
||||
flow['ct_state'] = fwaas_ovs_consts.OF_STATE_ESTABLISHED_NOT_REPLY
|
||||
result.append(flow)
|
||||
return result
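Review bot: The rewritten branch narrows the drop to two connection states — `flow['ct_state'] = fwaas_ovs_consts.OF_STATE_NEW_NOT_ESTABLISHED` and then `OF_STATE_ESTABLISHED_NOT_REPLY` — whereas the removed lines set no `ct_state` at all, so packets in other states (reply direction, invalid) no longer hit this rule's drop and fall through to whatever lower-priority flow applies. If that is intentional (it presumably mirrors the split in `create_accept_flows`, which is outside this hunk), it deserves a comment such as `# NOTE: drop applies to new and established-not-reply packets only; confirm reply/invalid states are covered by the per-port flows`, because neither the commit title nor the release note mentions the behavioural change. Separately, the function still returns `None` implicitly when `flow['table']` is neither rules table; that predates this commit, but a caller iterating the result would fail there, so an explicit `return [flow]` after the `if` block (or an exception) would be safer.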
|
||||
@ -435,7 +435,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||
table=ovs_consts.TRANSIENT_TABLE)
|
||||
filter_rule = mock.call(
|
||||
actions='ct(commit,zone=NXM_NX_REG6[0..15]),'
|
||||
'output:{:d}'.format(self.port_ofport),
|
||||
'output:{:d},resubmit(,{:d})'.format(
|
||||
self.port_ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
|
||||
nw_proto=constants.PROTO_NUM_TCP,
|
||||
priority=70,
|
||||
@ -16,6 +16,8 @@ import mock
|
|||
from neutron_lib import constants
|
||||
|
||||
from neutron.common import constants as n_const
|
||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
|
||||
as ovs_consts
|
||||
from neutron.tests import base
|
||||
|
||||
from neutron_fwaas.services.firewall.drivers.linux.l2.openvswitch_firewall \
|
||||
|
@ -187,7 +189,8 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||
rule = {'protocol': constants.PROTO_NUM_TCP}
|
||||
expected_flows = [{
|
||||
'table': fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||
'actions': 'output:1',
|
||||
'actions': 'output:1,resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
'nw_proto': constants.PROTO_NUM_TCP,
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
@ -0,0 +1,13 @@
|
|||
---
|
||||
prelude: >
|
||||
Adding new tables for future consumption.
|
||||
features:
|
||||
- |
|
||||
New tables ``ACCEPTED_EGRESS_TRAFFIC_TABLE=91``
|
||||
and ``ACCEPTED_INGRESS_TRAFFIC_TABLE=92`` & ``DROPPED_TRAFFIC_TABLE=93``
|
||||
are added to OVS based FWaaS L2 driver for future comsumption like logging
|
||||
service.
|
||||
fixes:
|
||||
- |
|
||||
The limitation related to logging for security group in case of
|
||||
co-existence between SG and FWG is also fixed.
|