ovsfw: Remove vlan tag before injecting packets to port
Open vSwitch takes care of vlan tagging when normal switching is used.
When accepted ingress packets are instead delivered with
actions=output:<port_number>, the vlan tag is not removed automatically,
so we need to strip it explicitly before output.
Closes-Bug: 1564947
Change-Id: If3fc44c9fd1ac0f7bc9dfe9dc48e76352e981f8e
(cherry picked from commit 0f9ec7b72a
)
parent
c6ef57a6d5
commit
d93466923f
|
@ -246,27 +246,28 @@ remaining egress connections are sent to normal switching.
|
|||
table=73, priority=0 actions=drop
|
||||
|
||||
``table 81`` is similar to ``table 71``, allows basic ingress traffic for
|
||||
obtaining ip address and arp queries. Not tracked packets are sent to obtain
|
||||
conntrack information.
|
||||
obtaining ip address and arp queries. Note that vlan tag must be removed by
|
||||
adding ``strip_vlan`` to actions list, prior to injecting packet directly to
|
||||
port. Not tracked packets are sent to obtain conntrack information.
|
||||
|
||||
::
|
||||
|
||||
table=81, priority=100,arp,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=output:1
|
||||
table=81, priority=100,arp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=output:2
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=130 actions=output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=131 actions=output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=132 actions=output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=135 actions=output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=136 actions=output:1
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=130 actions=output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=131 actions=output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=132 actions=output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=135 actions=output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=136 actions=output:2
|
||||
table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=output:1
|
||||
table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=output:1
|
||||
table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=output:2
|
||||
table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=output:2
|
||||
table=81, priority=100,arp,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
|
||||
table=81, priority=100,arp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=130 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=131 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=132 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=135 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=136 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=130 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=131 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=132 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=135 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=136 actions=strip_vlan,output:2
|
||||
table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1
|
||||
table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1
|
||||
table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2
|
||||
table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=strip_vlan,output:2
|
||||
table=81, priority=90,ct_state=-trk,ip,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
|
||||
table=81, priority=90,ct_state=-trk,ipv6,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
|
||||
table=81, priority=90,ct_state=-trk,ip,reg5=0x2 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
|
||||
|
@ -282,8 +283,8 @@ connections. In this case we allow all icmp traffic coming from
|
|||
|
||||
::
|
||||
|
||||
table=82, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=output:2
|
||||
table=82, priority=70,ct_state=+new-est,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=output:2,ct(commit,zone=NXM_NX_REG6[0..15])
|
||||
table=82, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=strip_vlan,output:2
|
||||
table=82, priority=70,ct_state=+new-est,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:2
|
||||
table=82, priority=50,ct_state=+inv+trk actions=drop
|
||||
|
||||
The mechanism for dropping connections that are not allowed anymore is the
|
||||
|
@ -293,10 +294,10 @@ same as in ``table 72``.
|
|||
|
||||
table=82, priority=50,ct_mark=0x1,reg5=0x1 actions=drop
|
||||
table=82, priority=50,ct_mark=0x1,reg5=0x2 actions=drop
|
||||
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=output:1
|
||||
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=output:2
|
||||
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=output:1
|
||||
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=output:2
|
||||
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
|
||||
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
|
||||
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
|
||||
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
|
||||
table=82, priority=40,ct_state=-est,reg5=0x1 actions=drop
|
||||
table=82, priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
|
||||
table=82, priority=40,ct_state=-est,reg5=0x2 actions=drop
|
||||
|
@ -307,6 +308,7 @@ same as in ``table 72``.
|
|||
Future work
|
||||
-----------
|
||||
|
||||
- Create fullstack tests with tunneling enabled
|
||||
- Conjunctions in Openflow rules can be created to decrease the number of
|
||||
rules needed for remote security groups
|
||||
- Masking the port range can be used to avoid generating a single rule per
|
||||
|
|
|
@ -204,8 +204,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
self._add_flow(**flow)
|
||||
flow['ct_state'] = ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED
|
||||
if flow['table'] == ovs_consts.RULES_INGRESS_TABLE:
|
||||
flow['actions'] += ',ct(commit,zone=NXM_NX_REG{:d}[0..15])'.format(
|
||||
ovsfw_consts.REG_NET)
|
||||
flow['actions'] = (
|
||||
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
|
||||
ovsfw_consts.REG_NET, flow['actions']))
|
||||
self._add_flow(**flow)
|
||||
|
||||
def _add_flow(self, **kwargs):
|
||||
|
@ -549,7 +550,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=constants.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='output:{:d}'.format(port.ofport),
|
||||
actions='strip_vlan,output:{:d}'.format(port.ofport),
|
||||
)
|
||||
|
||||
def _initialize_ingress(self, port):
|
||||
|
@ -560,7 +561,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
dl_type=constants.ETHERTYPE_ARP,
|
||||
reg_port=port.ofport,
|
||||
dl_dst=port.mac,
|
||||
actions='output:{:d}'.format(port.ofport),
|
||||
actions='strip_vlan,output:{:d}'.format(port.ofport),
|
||||
)
|
||||
self._initialize_ingress_ipv6_icmp(port)
|
||||
|
||||
|
@ -576,7 +577,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
nw_proto=constants.PROTO_NUM_UDP,
|
||||
tp_src=src_port,
|
||||
tp_dst=dst_port,
|
||||
actions='output:{:d}'.format(port.ofport),
|
||||
actions='strip_vlan,output:{:d}'.format(port.ofport),
|
||||
)
|
||||
|
||||
# Track untracked
|
||||
|
@ -628,7 +629,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
ct_state=state,
|
||||
ct_mark=ovsfw_consts.CT_MARK_NORMAL,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
actions='strip_vlan,output:{:d}'.format(port.ofport)
|
||||
)
|
||||
self._add_flow(
|
||||
table=ovs_consts.RULES_INGRESS_TABLE,
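Review bot: The new `flow['actions'] = ('ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'...)` in the first hunk relies on `flow['actions']` already holding the `strip_vlan,output:<port>` string built in rules.py and on OpenFlow executing the action list in that order, but nothing in the code records either assumption; I would add `# Commit to conntrack before the (strip_vlan,output) actions that flow['actions'] is expected to carry; OpenFlow runs actions in list order.` above the assignment. The literal `'strip_vlan,output:{:d}'.format(port.ofport)` is now repeated in four hunks of this file and once more in rules.py, so a shared helper such as `output_to_port(ofport)` would keep the untag-then-output order in one place and stop a later edit from dropping `strip_vlan` on one path, which would again hand tagged frames to the VM. As far as I know OVS treats `strip_vlan` as a no-op on an untagged frame, so ingress paths that reach tables 81/82 without a tag should be unaffected, but that is worth pinning in the fullstack tests the design doc lists as future work. The method enclosing the first hunk starts before the hunk and continues past it.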
|
||||
|
|
|
@ -71,7 +71,7 @@ def create_protocol_flows(direction, flow_template, port, rule):
|
|||
if direction == firewall.INGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
||||
flow_template['dl_dst'] = port.mac
|
||||
flow_template['actions'] = "output:{:d}".format(port.ofport)
|
||||
flow_template['actions'] = "strip_vlan,output:{:d}".format(port.ofport)
|
||||
elif direction == firewall.EGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
||||
flow_template['dl_src'] = port.mac
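Review bot: The ingress branch of `create_protocol_flows` now untags before output but gives no hint why, and the reason lives only in the commit message; I would add `# Ingress frames still carry the local VLAN tag here; NORMAL would strip it on output but output:<port> does not, so untag explicitly.` above `flow_template['actions'] = "strip_vlan,output:{:d}".format(port.ofport)`. Whether every frame reaching the ingress table is tagged is not visible from this module and is presumably guaranteed by how table 0 steers ingress traffic, so the comment should state it as the expected precondition rather than a fact this function enforces. The function starts before this hunk and its body continues past it.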
|
||||
|
|
|
@ -374,8 +374,8 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||
priority=90,
|
||||
table=ovs_consts.LOCAL_SWITCHING)
|
||||
filter_rule = mock.call(
|
||||
actions='output:{:d},ct(commit,zone=NXM_NX_REG6[0..15])'.format(
|
||||
self.port_ofport),
|
||||
actions='ct(commit,zone=NXM_NX_REG6[0..15]),'
|
||||
'strip_vlan,output:{:d}'.format(self.port_ofport),
|
||||
dl_dst=self.port_mac,
|
||||
dl_type="0x{:04x}".format(constants.ETHERTYPE_IP),
|
||||
nw_proto=constants.PROTO_NUM_TCP,
|
||||
|
|
|
@ -185,7 +185,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||
expected_flows = [{
|
||||
'table': ovs_consts.RULES_INGRESS_TABLE,
|
||||
'dl_dst': self.port.mac,
|
||||
'actions': 'output:1',
|
||||
'actions': 'strip_vlan,output:1',
|
||||
'nw_proto': constants.PROTO_NUM_TCP,
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
|
|