raise priority of dead vlan drop

- This change adds a max priority flow to drop all traffic that is associated with the DEAD VLAN 4095. - This change is part of a partial mitigation of bug 1734320. Without this change vlan 4095 traffic will be dropped via a low priority flow after being processed by part/all of the openflow pipeline. By raising the priorty and droping in table 0 we drop invalid packets as soon as they enter the pipeline. Conflicts: neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py Change-Id: I3482c7c4f00942828cc9396cd2f3d646c9e8c9d1 Partial-Bug: #1734320 (cherry picked from commit e3dc447b90)
2018-11-08 16:07:55 +00:00 · 2018-11-08 16:07:55 +00:00 · 9b0919e648
parent b3d3d6d643
commit 9b0919e648
5 changed files with 16 additions and 0 deletions
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/common/constants.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/common/constants.py
@ -189,6 +189,8 @@ OPENFLOW12 = "OpenFlow12"
 OPENFLOW13 = "OpenFlow13"
 OPENFLOW14 = "OpenFlow14"

+OPENFLOW_MAX_PRIORITY = 65535
+
 # A placeholder for dead vlans.
 DEAD_VLAN_TAG = p_const.MAX_VLAN_TAG + 1

--- a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
@ -45,6 +45,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
        self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
        self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
        self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
+        self.install_drop(table_id=constants.LOCAL_SWITCHING,
+                          priority=constants.OPENFLOW_MAX_PRIORITY,
+                          vlan_vid=constants.DEAD_VLAN_TAG)

    def setup_canary_table(self):
        self.install_drop(constants.CANARY_TABLE)
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_int.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_int.py
@ -37,6 +37,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
        self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
        self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
        self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
+        self.install_drop(table_id=constants.LOCAL_SWITCHING,
+                          priority=constants.OPENFLOW_MAX_PRIORITY,
+                          dl_vlan=constants.DEAD_VLAN_TAG)

    def setup_canary_table(self):
        self.install_drop(constants.CANARY_TABLE)
--- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py
@ -64,6 +64,12 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
                match=ofpp.OFPMatch(),
                priority=0,
                table_id=24)),
+            call._send_msg(ofpp.OFPFlowMod(dp,
+                cookie=self.stamp,
+                instructions=[],
+                match=ofpp.OFPMatch(vlan_vid=4095),
+                priority=65535,
+                table_id=0)),
        ]
        self.assertEqual(expected, self.mock.mock_calls)

--- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/test_br_int.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/test_br_int.py
@ -37,6 +37,8 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
            call.add_flow(priority=0, table=0, actions='resubmit(,60)'),
            call.add_flow(priority=3, table=60, actions='normal'),
            call.add_flow(priority=0, table=24, actions='drop'),
+            call.add_flow(actions='drop', dl_vlan=4095,
+                          priority=65535, table=0)
        ]
        self.assertEqual(expected, self.mock.mock_calls)