Merge "ovs firewall: fix mac learning on the ingress rule table when ovs offload enabled" into stable/rocky

changes/48/763348/1
Zuul 11 months ago
committed by Gerrit Code Review
parent
commit
37b72da852
  1. 14
      neutron/agent/linux/openvswitch_firewall/firewall.py
  2. 10
      releasenotes/notes/fix-mac-learning-in-case--ovs-offload-26193bf1638fd673.yaml

14
neutron/agent/linux/openvswitch_firewall/firewall.py

@ -1309,6 +1309,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
)
# NOTE: The OUTPUT action is used instead of NORMAL action to reduce
# cpu utilization, but it causes the datapath rule to be flood rule.
# This is due to mac learning not happened on ingress traffic.
# While this is ok for no offload case, in ovs offload flood rule
# is not offloaded. Therefore, we change the action to be NORMAL in
# offload case. In case the explicitly_egress_direct is used the
# pipeline don't contain action NORMAL so we don't have flood rule
# issue.
actions = 'output:{:d}'.format(port.ofport)
if (self.int_br.br.is_hw_offload_enabled and
not cfg.CONF.AGENT.explicitly_egress_direct):
actions = 'mod_vlan_vid:{:d},normal'.format(port.vlan_tag)
# Allow established and related connections
for state in (ovsfw_consts.OF_STATE_ESTABLISHED_REPLY,
ovsfw_consts.OF_STATE_RELATED):
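Review bot: In the new `if`, `self.int_br.br.is_hw_offload_enabled` is read without a call. If it is a method rather than a property, the test is always truthy and every deployment without `explicitly_egress_direct` would get the `normal` action, so please confirm it is a property or call it. With `mod_vlan_vid:{:d},normal` the accepted packet is no longer pinned to `port.ofport` and delivery is left to the bridge's NORMAL processing; the NOTE should say why that is acceptable for traffic the firewall has already accepted for this port. The file list shows only firewall.py and the release note, so a unit test asserting the action string for both branches (offload on, and offload on with `explicitly_egress_direct`) is missing. Minor: the NOTE wording ("mac learning not happened", "the pipeline don't contain") should be cleaned up.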
@ -1319,7 +1331,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_state=state,
ct_mark=ovsfw_consts.CT_MARK_NORMAL,
ct_zone=port.vlan_tag,
actions='output:{:d}'.format(port.ofport)
actions=actions
)
self._add_flow(
table=ovs_consts.RULES_INGRESS_TABLE,
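Review bot: Only the established/related flow in this loop is switched to `actions=actions`. The `_add_flow` call for `RULES_INGRESS_TABLE` that follows is cut off in the context, so it is not visible from this hunk whether other ingress accept flows still hardcode `output:{:d}`.format(port.ofport) and would keep producing the flood rule under offload. Please confirm they were checked. The name `actions` is also generic for a value computed a dozen lines earlier; something like `accept_actions` would make this call site easier to read.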

10
releasenotes/notes/fix-mac-learning-in-case--ovs-offload-26193bf1638fd673.yaml

@ -0,0 +1,10 @@
---
fixes:
- |
Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce
the usage of normal actions to reduce cpu utilization. This causing flood
rule because there is no MAC learning on ingress traffic. While this ok
for none offload case, when using ovs offload flood rule is not
offloaded. This fix the MAC learning in the offload, so we avoid flood
rule.
`#1897637 <https://bugs.launchpad.net/neutron/+bug/1897637>`_.
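Review bot: The release note does not mention that the behaviour is unchanged when `explicitly_egress_direct` is set, although the code comment calls that case out; operators reading only the note will not know the fix is conditional on that option. The wording also needs a pass ("OVS firewall reduce", "This causing", "none offload case", "This fix the MAC learning"), and the note's filename has a double hyphen in `in-case--ovs-offload`.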