"ebtables-nft" MAC rule deletion failing

"ebtables-nft" is failing to delete the rule filtering by MAC address:
  Bridge chain: neutronMAC-test-veth024379, entries: 2, policy: DROP
  -i test-veth024379 --among-src fa:16:3e:47:87:0 -j RETURN
  -j DROP

A workaround for this issue, that works with both "ebtables-nft" and
"ebtables-legacy", is to flush the table and recreate the DROP rule.
The MAC spoofing tables have two rules: the one filtering by MAC address
and the default DROP rule. This workaround has the same effect as just
deleting the filtering rule.

Closes-Bug: #2038541
Change-Id: I38bd016c35d7a76d88c6eceec797d1cea84c45d1
Rodolfo Alonso Hernandez 2023-10-16 00:09:50 +00:00
parent 55c20cdf1a
commit 1879d92533
1 changed files with 3 additions and 1 deletions


@ -201,7 +201,9 @@ def _delete_vif_mac_rules(vif, current_rules):
chain = _mac_chain_name(vif)
for rule in current_rules:
if '-i %s' % vif in rule and '--among-src' in rule:
ebtables(['-D', chain] + rule.split())
# Flush the table and recreate the default DROP rule.
ebtables(['-F', chain])
ebtables(['-A', chain, '-j', 'DROP'])
def _delete_mac_spoofing_protection(vifs, current_rules, table, chain):
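Review bot: The `ebtables(['-F', chain])` call removes every rule in the chain, not only the `--among-src` rule matched by the `if` above it, so the code now depends on the chain never holding anything besides that rule and the final `-j DROP`. The commit message states this invariant but the in-code comment does not; suggest extending the comment to say the chain holds exactly those two rules and to reference bug #2038541, so the workaround can be revisited once `ebtables-nft` can delete the rule with `-D` again. Indentation is not visible in this rendering: if the flush and append sit inside the `for` loop, a `break` after the append would avoid repeating them for every matching entry in `current_rules`. The flush and the append are also two separate `ebtables` invocations; the listing in the commit message shows the chain policy is DROP, so the gap between them fails closed, which is worth recording in the comment as well.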