Merge "Add a default goto table=94 for openvswitch fw"
commit
bee9bde182
@ -525,6 +525,19 @@ will be:
|
||||
table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:24:57:c7,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
|
||||
table=94, priority=1 actions=NORMAL
|
||||
|
||||
The OVS firewall will initialize a default goto table 94 flow
|
||||
on TRANSIENT_TABLE |table_60|, if ``explicitly_egress_direct``
|
||||
is set to True, which is mainly for ports without security groups
|
||||
and disabled port_security. For instance:
|
||||
|
||||
::
|
||||
table=60, priority=2 actions=resubmit(,94)
|
||||
|
||||
Then for packets from the outside to VM without security functionalities
|
||||
(--disable-port-security --no-security-group)
|
||||
will go to table 94 and do the same direct actions.
|
||||
|
||||
|
||||
OVS firewall integration points
|
||||
-------------------------------
|
||||
|
||||
|
@ -649,6 +649,14 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||
'resubmit(,%d)' % ovs_consts.BASE_EGRESS_TABLE,
|
||||
)
|
||||
|
||||
if cfg.CONF.AGENT.explicitly_egress_direct:
|
||||
self._add_flow(
|
||||
table=ovs_consts.TRANSIENT_TABLE,
|
||||
priority=2,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)
|
||||
)
|
||||
|
||||
def _initialize_third_party_tables(self):
|
||||
self.int_br.br.add_flow(
|
||||
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||
@ -1258,6 +1266,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||
return
|
||||
|
||||
# Prevent flood for accepted egress traffic
|
||||
# For packets from internal ports or VM ports.
|
||||
self._add_flow(
|
||||
flow_group_id=dst_port,
|
||||
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||
@ -1266,6 +1275,15 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||
reg_net=vlan_tag,
|
||||
actions='output:{:d}'.format(dst_port)
|
||||
)
|
||||
# For packets from patch ports.
|
||||
self._add_flow(
|
||||
flow_group_id=dst_port,
|
||||
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||
priority=12,
|
||||
dl_dst=mac,
|
||||
dl_vlan=vlan_tag,
|
||||
actions='strip_vlan,output:{:d}'.format(dst_port)
|
||||
)
|
||||
|
||||
# The former flow may not match, that means the destination port is
|
||||
# not in this host. So, we direct the packet to mapped bridge(s).
|
||||
@ -1314,6 +1332,12 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||
dl_src=mac,
|
||||
reg_net=vlan_tag)
|
||||
|
||||
self._delete_flows(
|
||||
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||
dl_dst=mac,
|
||||
dl_vlan=vlan_tag
|
||||
)
|
||||
|
||||
def _initialize_tracked_egress(self, port):
|
||||
# Drop invalid packets
|
||||
self._add_flow(
|
||||
|
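Review bot: The new TRANSIENT_TABLE flow in the first hunk (`priority=2`, resubmit to ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE) has no match fields, so every packet that reaches table 60 without hitting a higher-priority flow is now diverted into table 94, and that is only equivalent to the old behaviour because the int_br default NORMAL in the same table is lowered to priority=1 in this commit and table 94 keeps its own `priority=1 actions=NORMAL` fallback; neither dependency is stated in the code. I would add above `if cfg.CONF.AGENT.explicitly_egress_direct:` the comment `# Catch-all into table 94 for ports without SG / port security; must stay above the priority=1 NORMAL that OVSIntegrationBridge installs in TRANSIENT_TABLE, and relies on table 94 falling back to NORMAL for packets no direct-output flow matches.` The flow is only installed when the option is True while the int_br priority change is unconditional, so if flows survive an agent restart (the bridge reset behaviour is not visible here) a stale priority-2 goto would keep diverting traffic after the option is turned off; worth confirming. The enclosing method starts outside the hunk, so this comment placement assumes no other flow in it documents the ordering already.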
@ -222,12 +222,16 @@ agent_opts = [
|
||||
"outgoing IP packet carrying GRE/VXLAN tunnel.")),
|
||||
cfg.BoolOpt('baremetal_smartnic', default=False,
|
||||
help=_("Enable the agent to process Smart NIC ports.")),
|
||||
# TODO(liuyulong): consider adding a new configuration
|
||||
# item to control ingress behavior.
|
||||
cfg.BoolOpt('explicitly_egress_direct', default=False,
|
||||
help=_("When set to True, the accepted egress unicast "
|
||||
"traffic will not use action NORMAL. The accepted "
|
||||
"egress packets will be taken care of in the final "
|
||||
"egress tables direct output flows for unicast "
|
||||
"traffic.")),
|
||||
"traffic. This will aslo change the pipleline for "
|
||||
"ingress traffic to ports without security, the final "
|
||||
"output action will be hit in table 94. ")),
|
||||
]
|
||||
|
||||
dhcp_opts = [
|
||||
|
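Review bot: The extended help string for `explicitly_egress_direct` has two typos in operator-facing text and a stray trailing space before the closing quote. The three added lines should read `"traffic. This will also change the pipeline for "`, `"ingress traffic to ports without security, the final "`, `"output action will be hit in table 94.")),`. The help text also hard-codes the table number 94 while the driver refers to it only through ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE, so the sentence will silently go stale if that constant is ever renumbered; naming the table ("the accepted egress traffic table") instead of the number would avoid that.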
@ -64,7 +64,7 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge,
|
||||
self.install_goto(dest_table_id=PACKET_RATE_LIMIT)
|
||||
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE,
|
||||
table_id=PACKET_RATE_LIMIT)
|
||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=1)
|
||||
self.init_dhcp(enable_openflow_dhcp=enable_openflow_dhcp,
|
||||
enable_dhcpv6=enable_dhcpv6)
|
||||
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
||||
|
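Review bot: Lowering the TRANSIENT_TABLE default NORMAL from priority=3 to priority=1 is unconditional and carries no explanation, while the only flow that needs the gap (the firewall driver's priority=2 goto) is installed solely when `explicitly_egress_direct` is True. Any other flow already sitting in table 60 at priority 2 or 3 would now take precedence over NORMAL regardless of the option, which I cannot rule out from this page; worth checking before merge. I would change the line to `self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=1)  # below the firewall's priority=2 goto to the accepted-egress table` so the ordering is visible where it is set. The enclosing setup method starts and ends outside the hunk.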
@ -920,8 +920,13 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
||||
"reg6": port.vlan_tag}
|
||||
flow7 = mock.call(**call_args7)
|
||||
|
||||
call_args8 = {"table": ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||
"dl_dst": port.mac,
|
||||
"dl_vlan": port.vlan_tag}
|
||||
flow8 = mock.call(**call_args8)
|
||||
|
||||
self.mock_bridge.br.delete_flows.assert_has_calls(
|
||||
[flow1, flow2, flow3, flow6, flow7, flow4, flow5])
|
||||
[flow1, flow2, flow3, flow6, flow7, flow8, flow4, flow5])
|
||||
|
||||
def test_prepare_port_filter_initialized_port(self):
|
||||
port_dict = {'device': 'port-id',
|
||||
|
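Review bot: The updated expectation only covers the new `delete_flows` call (flow8 on `dl_dst`/`dl_vlan`); nothing in this page asserts the two new `_add_flow` calls — the priority=12 `strip_vlan,output` flow for patch ports and the conditional TRANSIENT_TABLE priority=2 resubmit — so a regression in either match field would pass this suite, unless they are covered elsewhere in the commit. I would add a case that sets `cfg.CONF.AGENT.explicitly_egress_direct` to True via the existing config fixture and asserts that `add_flow` is invoked with `table=ovs_consts.TRANSIENT_TABLE` and `priority=2`, plus a counterpart asserting the patch-port flow's `dl_vlan=port.vlan_tag` match in the prepare-port test. The enclosing test method starts outside the hunk.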
@ -75,7 +75,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
|
||||
]),
|
||||
],
|
||||
match=ofpp.OFPMatch(),
|
||||
priority=3,
|
||||
priority=1,
|
||||
table_id=ovs_constants.TRANSIENT_TABLE),
|
||||
active_bundle=None),
|
||||
call._send_msg(ofpp.OFPFlowMod(dp,
|
||||
|