From 99eaf3eeee415e7862ce31d0c41668f45e5e406e Mon Sep 17 00:00:00 2001
From: Nate Johnston
Date: Thu, 22 Aug 2019 10:13:00 -0400
Subject: [PATCH] OVS flows for custom ethertypes must be on EGRESS
Some traffic does not work if the OVS flows to permit custom ethertypes are not set on the base egress table. If the rule is added to the base egress table then both ingress and egress work properly.
Also move initialization code to the function to initialize egress.
Related-Bug: #1832758
Change-Id: Ia312fe75df58723bf41804eec4bd918d223bd60c
(cherry picked from commit fb859966f79fc0f4fbb2c2ea3c0e6b4c17a9704f)
---
 .../linux/openvswitch_firewall/firewall.py | 40 ++++++++++---------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 786a2d6a199..76cb83fd6c8 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -884,6 +884,27 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
         )
 
+        # Allow custom ethertypes
+        for permitted_ethertype in self.permitted_ethertypes:
+            if permitted_ethertype[:2] == '0x':
+                try:
+                    hex_ethertype = hex(int(permitted_ethertype, base=16))
+                    action = ('resubmit(,%d)' %
+                              ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)
+                    self._add_flow(
+                        table=ovs_consts.BASE_EGRESS_TABLE,
+                        priority=95,
+                        dl_type=hex_ethertype,
+                        reg_port=port.ofport,
+                        actions=action
+                    )
+                    continue
+                except ValueError:
+                    pass
+            LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
+                        "a hexadecimal number.",
+                        {'permitted_ethertype': permitted_ethertype})
+
         # Drop all remaining egress connections
         self._add_flow(
             table=ovs_consts.BASE_EGRESS_TABLE,
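Review bot: The `try` in the added loop wraps the `self._add_flow(...)` call as well as the `int(...)` parse, so a ValueError raised while installing the flow would be swallowed by `except ValueError: pass` and then logged as "not a hexadecimal number"; only the parse belongs inside the try. The parse also accepts values that do not fit the 16-bit dl_type field (for example `0x10000`), which `hex()` passes straight into the flow match, so a `0 <= value <= 0xffff` check would let the same warning cover that case. Because this loop sits in a per-port initialization routine (its `def` is outside the hunk), every malformed entry is re-parsed and re-warned for each port; parsing `permitted_ethertypes` once at driver initialization would avoid that, though it is outside this hunk. A rewrite that separates parsing from flow installation follows.
```python
        # Allow custom ethertypes
        for permitted_ethertype in self.permitted_ethertypes:
            try:
                if permitted_ethertype[:2] != '0x':
                    raise ValueError(permitted_ethertype)
                ethertype = int(permitted_ethertype, base=16)
                # dl_type is a 16-bit field; reject anything outside it
                if not 0 <= ethertype <= 0xffff:
                    raise ValueError(permitted_ethertype)
            except ValueError:
                LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
                            "a hexadecimal number.",
                            {'permitted_ethertype': permitted_ethertype})
                continue
            self._add_flow(
                table=ovs_consts.BASE_EGRESS_TABLE,
                priority=95,
                dl_type=hex(ethertype),
                reg_port=port.ofport,
                actions='resubmit(,%d)' %
                        ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE
            )
        # … unchanged: "Drop all remaining egress connections" flow …
```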
@@ -1000,25 +1021,6 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             actions='output:{:d}'.format(port.ofport)
         )
 
-        # Allow custom ethertypes
-        for permitted_ethertype in self.permitted_ethertypes:
-            if permitted_ethertype[:2] == '0x':
-                try:
-                    hex_ethertype = hex(int(permitted_ethertype, base=16))
-                    self._add_flow(
-                        table=ovs_consts.BASE_INGRESS_TABLE,
-                        priority=100,
-                        dl_type=hex_ethertype,
-                        reg_port=port.ofport,
-                        actions='output:{:d}'.format(port.ofport)
-                    )
-                    continue
-                except ValueError:
-                    pass
-            LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
-                        "a hexadecimal number.",
-                        {'permitted_ethertype': permitted_ethertype})
-
         self._initialize_ingress_ipv6_icmp(port)
 
         # DHCP offers