openstack
/
neutron
Code Issues Proposed changes

ovsfw: Remove vlan tag before injecting packets to port 

Open vSwitch takes care of vlan tagging in case normal switching is
used. When ingress traffic packets are accepted, the
actions=output:<port_number> is used but we need to explicitly take care
of stripping out the vlan tags.

Closes-Bug: 1564947
Change-Id: If3fc44c9fd1ac0f7bc9dfe9dc48e76352e981f8e
(cherry picked from commit 0f9ec7b72a)
This commit is contained in:
Jakub Libosvar 2016-04-01 14:53:03 +00:00
parent c6ef57a6d5
commit d93466923f
5 changed files with 37 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
doc/source/devref/openvswitch_firewall.rst
View File

@ -246,27 +246,28 @@ remaining egress connections are sent to normal switching.
table=73, priority=0 actions=drop
``table 81`` is similar to ``table 71``, allows basic ingress traffic for
obtaining ip address and arp queries. Not tracked packets are sent to obtain
conntrack information.
obtaining ip address and arp queries. Note that vlan tag must be removed by
adding ``strip_vlan`` to actions list, prior to injecting packet directly to
port. Not tracked packets are sent to obtain conntrack information.
::
table=81, priority=100,arp,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=output:1
table=81, priority=100,arp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=output:2
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=130 actions=output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=131 actions=output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=132 actions=output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=135 actions=output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=136 actions=output:1
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=130 actions=output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=131 actions=output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=132 actions=output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=135 actions=output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=136 actions=output:2
table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=output:1
table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=output:1
table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=output:2
table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=output:2
table=81, priority=100,arp,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
table=81, priority=100,arp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=130 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=131 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=132 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=135 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=136 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=130 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=131 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=132 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=135 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=136 actions=strip_vlan,output:2
table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1
table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1
table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2
table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=strip_vlan,output:2
table=81, priority=90,ct_state=-trk,ip,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
table=81, priority=90,ct_state=-trk,ipv6,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
table=81, priority=90,ct_state=-trk,ip,reg5=0x2 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
@ -282,8 +283,8 @@ connections. In this case we allow all icmp traffic coming from
::
table=82, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=output:2
table=82, priority=70,ct_state=+new-est,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=output:2,ct(commit,zone=NXM_NX_REG6[0..15])
table=82, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=strip_vlan,output:2
table=82, priority=70,ct_state=+new-est,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:2
table=82, priority=50,ct_state=+inv+trk actions=drop
The mechanism for dropping connections that are not allowed anymore is the
@ -293,10 +294,10 @@ same as in ``table 72``.
table=82, priority=50,ct_mark=0x1,reg5=0x1 actions=drop
table=82, priority=50,ct_mark=0x1,reg5=0x2 actions=drop
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=output:1
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=output:2
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=output:1
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=output:2
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
table=82, priority=40,ct_state=-est,reg5=0x1 actions=drop
table=82, priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
table=82, priority=40,ct_state=-est,reg5=0x2 actions=drop
@ -307,6 +308,7 @@ same as in ``table 72``.
Future work
-----------
- Create fullstack tests with tunneling enabled
- Conjunctions in Openflow rules can be created to decrease the number of
rules needed for remote security groups
- Masking the port range can be used to avoid generating a single rule per

13
neutron/agent/linux/openvswitch_firewall/firewall.py
View File

@ -204,8 +204,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
self._add_flow(**flow)
flow['ct_state'] = ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED
if flow['table'] == ovs_consts.RULES_INGRESS_TABLE:
flow['actions'] += ',ct(commit,zone=NXM_NX_REG{:d}[0..15])'.format(
ovsfw_consts.REG_NET)
flow['actions'] = (
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
ovsfw_consts.REG_NET, flow['actions']))
self._add_flow(**flow)
def _add_flow(self, **kwargs):
@ -549,7 +550,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
dl_type=constants.ETHERTYPE_IPV6,
nw_proto=constants.PROTO_NUM_IPV6_ICMP,
icmp_type=icmp_type,
actions='output:{:d}'.format(port.ofport),
actions='strip_vlan,output:{:d}'.format(port.ofport),
)
def _initialize_ingress(self, port):
@ -560,7 +561,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
dl_type=constants.ETHERTYPE_ARP,
reg_port=port.ofport,
dl_dst=port.mac,
actions='output:{:d}'.format(port.ofport),
actions='strip_vlan,output:{:d}'.format(port.ofport),
)
self._initialize_ingress_ipv6_icmp(port)
@ -576,7 +577,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
nw_proto=constants.PROTO_NUM_UDP,
tp_src=src_port,
tp_dst=dst_port,
actions='output:{:d}'.format(port.ofport),
actions='strip_vlan,output:{:d}'.format(port.ofport),
)
# Track untracked
@ -628,7 +629,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_state=state,
ct_mark=ovsfw_consts.CT_MARK_NORMAL,
ct_zone=port.vlan_tag,
actions='output:{:d}'.format(port.ofport)
actions='strip_vlan,output:{:d}'.format(port.ofport)
)
self._add_flow(
table=ovs_consts.RULES_INGRESS_TABLE,

2
neutron/agent/linux/openvswitch_firewall/rules.py
View File

@ -71,7 +71,7 @@ def create_protocol_flows(direction, flow_template, port, rule):
if direction == firewall.INGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
flow_template['dl_dst'] = port.mac
flow_template['actions'] = "output:{:d}".format(port.ofport)
flow_template['actions'] = "strip_vlan,output:{:d}".format(port.ofport)
elif direction == firewall.EGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
flow_template['dl_src'] = port.mac

4
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
View File

@ -374,8 +374,8 @@ class TestOVSFirewallDriver(base.BaseTestCase):
priority=90,
table=ovs_consts.LOCAL_SWITCHING)
filter_rule = mock.call(
actions='output:{:d},ct(commit,zone=NXM_NX_REG6[0..15])'.format(
self.port_ofport),
actions='ct(commit,zone=NXM_NX_REG6[0..15]),'
'strip_vlan,output:{:d}'.format(self.port_ofport),
dl_dst=self.port_mac,
dl_type="0x{:04x}".format(constants.ETHERTYPE_IP),
nw_proto=constants.PROTO_NUM_TCP,

2
neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
View File

@ -185,7 +185,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
expected_flows = [{
'table': ovs_consts.RULES_INGRESS_TABLE,
'dl_dst': self.port.mac,
'actions': 'output:1',
'actions': 'strip_vlan,output:1',
'nw_proto': constants.PROTO_NUM_TCP,
}]
self._test_create_protocol_flows_helper(