OVS flows for custom ethertypes must be on EGRESS

Some traffic does not work if the OVS flows to permit custom ethertypes are not set on the base egress table. If the rule is added to the base egress table then both ingress and egress work properly. Also move initialization code to the function to initialize egress. Related-Bug: #1832758 Change-Id: Ia312fe75df58723bf41804eec4bd918d223bd60c (cherry picked from commit fb859966f7)
2019-08-22 10:13:00 -04:00 · 2019-08-22 10:13:00 -04:00 · 99eaf3eeee
parent b3d3d6d643
commit 99eaf3eeee
1 changed files with 21 additions and 19 deletions
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@ -884,6 +884,27 @@ class OVSFirewallDriver(firewall.FirewallDriver):
            actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
        )

+        # Allow custom ethertypes
+        for permitted_ethertype in self.permitted_ethertypes:
+            if permitted_ethertype[:2] == '0x':
+                try:
+                    hex_ethertype = hex(int(permitted_ethertype, base=16))
+                    action = ('resubmit(,%d)' %
+                        ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)
+                    self._add_flow(
+                        table=ovs_consts.BASE_EGRESS_TABLE,
+                        priority=95,
+                        dl_type=hex_ethertype,
+                        reg_port=port.ofport,
+                        actions=action
+                    )
+                    continue
+                except ValueError:
+                    pass
+            LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
+                        "a hexadecimal number.",
+                        {'permitted_ethertype': permitted_ethertype})
+
        # Drop all remaining egress connections
        self._add_flow(
            table=ovs_consts.BASE_EGRESS_TABLE,
@ -1000,25 +1021,6 @@ class OVSFirewallDriver(firewall.FirewallDriver):
            actions='output:{:d}'.format(port.ofport)
        )

-        # Allow custom ethertypes
-        for permitted_ethertype in self.permitted_ethertypes:
-            if permitted_ethertype[:2] == '0x':
-                try:
-                    hex_ethertype = hex(int(permitted_ethertype, base=16))
-                    self._add_flow(
-                        table=ovs_consts.BASE_INGRESS_TABLE,
-                        priority=100,
-                        dl_type=hex_ethertype,
-                        reg_port=port.ofport,
-                        actions='output:{:d}'.format(port.ofport)
-                    )
-                    continue
-                except ValueError:
-                    pass
-            LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
-                        "a hexadecimal number.",
-                        {'permitted_ethertype': permitted_ethertype})
-
        self._initialize_ingress_ipv6_icmp(port)

        # DHCP offers