Merge "Add a default goto table=94 for openvswitch fw"
commit
bee9bde182
@ -525,6 +525,19 @@ will be:
|
|||||||
table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:24:57:c7,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
|
table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:24:57:c7,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
|
||||||
table=94, priority=1 actions=NORMAL
|
table=94, priority=1 actions=NORMAL
|
||||||
|
|
||||||
|
The OVS firewall will initialize a default goto table 94 flow
|
||||||
|
on TRANSIENT_TABLE |table_60|, if ``explicitly_egress_direct``
|
||||||
|
is set to True, which is mainly for ports without security groups
|
||||||
|
and disabled port_security. For instance:
|
||||||
|
|
||||||
|
::
|
||||||
|
table=60, priority=2 actions=resubmit(,94)
|
||||||
|
|
||||||
|
Then for packets from the outside to VM without security functionalities
|
||||||
|
(--disable-port-security --no-security-group)
|
||||||
|
will go to table 94 and do the same direct actions.
|
||||||
|
|
||||||
|
|
||||||
OVS firewall integration points
|
OVS firewall integration points
|
||||||
-------------------------------
|
-------------------------------
|
||||||
|
|
||||||
|
@ -649,6 +649,14 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||||||
'resubmit(,%d)' % ovs_consts.BASE_EGRESS_TABLE,
|
'resubmit(,%d)' % ovs_consts.BASE_EGRESS_TABLE,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
if cfg.CONF.AGENT.explicitly_egress_direct:
|
||||||
|
self._add_flow(
|
||||||
|
table=ovs_consts.TRANSIENT_TABLE,
|
||||||
|
priority=2,
|
||||||
|
actions='resubmit(,%d)' % (
|
||||||
|
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)
|
||||||
|
)
|
||||||
|
|
||||||
def _initialize_third_party_tables(self):
|
def _initialize_third_party_tables(self):
|
||||||
self.int_br.br.add_flow(
|
self.int_br.br.add_flow(
|
||||||
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||||
@ -1258,6 +1266,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||||||
return
|
return
|
||||||
|
|
||||||
# Prevent flood for accepted egress traffic
|
# Prevent flood for accepted egress traffic
|
||||||
|
# For packets from internal ports or VM ports.
|
||||||
self._add_flow(
|
self._add_flow(
|
||||||
flow_group_id=dst_port,
|
flow_group_id=dst_port,
|
||||||
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||||
@ -1266,6 +1275,15 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||||||
reg_net=vlan_tag,
|
reg_net=vlan_tag,
|
||||||
actions='output:{:d}'.format(dst_port)
|
actions='output:{:d}'.format(dst_port)
|
||||||
)
|
)
|
||||||
|
# For packets from patch ports.
|
||||||
|
self._add_flow(
|
||||||
|
flow_group_id=dst_port,
|
||||||
|
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||||
|
priority=12,
|
||||||
|
dl_dst=mac,
|
||||||
|
dl_vlan=vlan_tag,
|
||||||
|
actions='strip_vlan,output:{:d}'.format(dst_port)
|
||||||
|
)
|
||||||
|
|
||||||
# The former flow may not match, that means the destination port is
|
# The former flow may not match, that means the destination port is
|
||||||
# not in this host. So, we direct the packet to mapped bridge(s).
|
# not in this host. So, we direct the packet to mapped bridge(s).
|
||||||
@ -1314,6 +1332,12 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||||||
dl_src=mac,
|
dl_src=mac,
|
||||||
reg_net=vlan_tag)
|
reg_net=vlan_tag)
|
||||||
|
|
||||||
|
self._delete_flows(
|
||||||
|
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||||
|
dl_dst=mac,
|
||||||
|
dl_vlan=vlan_tag
|
||||||
|
)
|
||||||
|
|
||||||
def _initialize_tracked_egress(self, port):
|
def _initialize_tracked_egress(self, port):
|
||||||
# Drop invalid packets
|
# Drop invalid packets
|
||||||
self._add_flow(
|
self._add_flow(
|
||||||
|
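Review bot: The flow added in the third hunk under `# For packets from patch ports.` (`priority=12, dl_dst=mac, dl_vlan=vlan_tag, actions='strip_vlan,output:…'`) is keyed only on destination MAC and VLAN tag with no `in_port` match, so the comment describes the intended source rather than anything the match enforces; any frame reaching table 94 with that tag and MAC takes the direct-output path. If local VM traffic in this table is expected to arrive untagged with `reg_net` set (as the preceding flow's `reg_net=vlan_tag` match and the doc's `push_vlan` example suggest) the two flows do not overlap, but that assumption should be written down, e.g. `# Tagged frames from the patch port: keyed on the VLAN tag, not reg_net; in_port is deliberately not constrained.` The `priority=2` resubmit added in the first hunk only wins because the integration bridge lowers its NORMAL flow in `TRANSIENT_TABLE` to `priority=1` in the same change, which deserves a comment next to `priority=2,`, e.g. `# Must stay above the priority=1 NORMAL flow installed by OVSIntegrationBridge.` The methods enclosing these hunks start outside the shown lines.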
@ -222,12 +222,16 @@ agent_opts = [
|
|||||||
"outgoing IP packet carrying GRE/VXLAN tunnel.")),
|
"outgoing IP packet carrying GRE/VXLAN tunnel.")),
|
||||||
cfg.BoolOpt('baremetal_smartnic', default=False,
|
cfg.BoolOpt('baremetal_smartnic', default=False,
|
||||||
help=_("Enable the agent to process Smart NIC ports.")),
|
help=_("Enable the agent to process Smart NIC ports.")),
|
||||||
|
# TODO(liuyulong): consider adding a new configuration
|
||||||
|
# item to control ingress behavior.
|
||||||
cfg.BoolOpt('explicitly_egress_direct', default=False,
|
cfg.BoolOpt('explicitly_egress_direct', default=False,
|
||||||
help=_("When set to True, the accepted egress unicast "
|
help=_("When set to True, the accepted egress unicast "
|
||||||
"traffic will not use action NORMAL. The accepted "
|
"traffic will not use action NORMAL. The accepted "
|
||||||
"egress packets will be taken care of in the final "
|
"egress packets will be taken care of in the final "
|
||||||
"egress tables direct output flows for unicast "
|
"egress tables direct output flows for unicast "
|
||||||
"traffic.")),
|
"traffic. This will aslo change the pipleline for "
|
||||||
|
"ingress traffic to ports without security, the final "
|
||||||
|
"output action will be hit in table 94. ")),
|
||||||
]
|
]
|
||||||
|
|
||||||
dhcp_opts = [
|
dhcp_opts = [
|
||||||
|
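Review bot: The new help text has two typos in `"traffic. This will aslo change the pipleline for "` ("also", "pipeline") and a stray trailing space inside the last fragment `"output action will be hit in table 94. "`; since this is operator-facing help output it should read `"traffic. This will also change the pipeline for "` and `"output action will be hit in table 94.")),`. The added `# TODO(liuyulong)` comment would be more actionable if it named which ingress behaviour is currently fixed and would become configurable. The `agent_opts` list continues outside the hunk.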
@ -64,7 +64,7 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge,
|
|||||||
self.install_goto(dest_table_id=PACKET_RATE_LIMIT)
|
self.install_goto(dest_table_id=PACKET_RATE_LIMIT)
|
||||||
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE,
|
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE,
|
||||||
table_id=PACKET_RATE_LIMIT)
|
table_id=PACKET_RATE_LIMIT)
|
||||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=1)
|
||||||
self.init_dhcp(enable_openflow_dhcp=enable_openflow_dhcp,
|
self.init_dhcp(enable_openflow_dhcp=enable_openflow_dhcp,
|
||||||
enable_dhcpv6=enable_dhcpv6)
|
enable_dhcpv6=enable_dhcpv6)
|
||||||
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
||||||
|
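Review bot: Lowering the NORMAL flow in `constants.TRANSIENT_TABLE` from `priority=3` to `priority=1` only makes sense because the OVS firewall driver installs a `priority=2` resubmit to table 94 in that table when `explicitly_egress_direct` is set, and nothing at this call site records that dependency, so a later priority tweak could silently put NORMAL back in front of the firewall's flow. Add a comment on the changed line, e.g. `# priority=1 so the firewall's priority=2 resubmit(,94) (explicitly_egress_direct) takes precedence over NORMAL.` The enclosing method of `OVSIntegrationBridge` starts outside the hunk.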
@ -920,8 +920,13 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||||||
"reg6": port.vlan_tag}
|
"reg6": port.vlan_tag}
|
||||||
flow7 = mock.call(**call_args7)
|
flow7 = mock.call(**call_args7)
|
||||||
|
|
||||||
|
call_args8 = {"table": ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
|
||||||
|
"dl_dst": port.mac,
|
||||||
|
"dl_vlan": port.vlan_tag}
|
||||||
|
flow8 = mock.call(**call_args8)
|
||||||
|
|
||||||
self.mock_bridge.br.delete_flows.assert_has_calls(
|
self.mock_bridge.br.delete_flows.assert_has_calls(
|
||||||
[flow1, flow2, flow3, flow6, flow7, flow4, flow5])
|
[flow1, flow2, flow3, flow6, flow7, flow8, flow4, flow5])
|
||||||
|
|
||||||
def test_prepare_port_filter_initialized_port(self):
|
def test_prepare_port_filter_initialized_port(self):
|
||||||
port_dict = {'device': 'port-id',
|
port_dict = {'device': 'port-id',
|
||||||
|
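Review bot: The new `call_args8`/`flow8` only extend the delete-side expectation; the corresponding install of the `priority=12, dl_dst, dl_vlan` flow in `ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE` that the driver now adds has no add-side assertion in this hunk, so a regression in its match keys (for instance dropping `dl_vlan`) would go unnoticed unless a test outside the shown lines covers it. `call_args8` omitting `priority` is consistent with the driver's `_delete_flows` call, which also deletes by `table`, `dl_dst` and `dl_vlan` only. The test method containing this hunk starts outside the shown lines.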
@ -75,7 +75,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
|
|||||||
]),
|
]),
|
||||||
],
|
],
|
||||||
match=ofpp.OFPMatch(),
|
match=ofpp.OFPMatch(),
|
||||||
priority=3,
|
priority=1,
|
||||||
table_id=ovs_constants.TRANSIENT_TABLE),
|
table_id=ovs_constants.TRANSIENT_TABLE),
|
||||||
active_bundle=None),
|
active_bundle=None),
|
||||||
call._send_msg(ofpp.OFPFlowMod(dp,
|
call._send_msg(ofpp.OFPFlowMod(dp,
|
||||||
|