
raise priority of dead vlan drop

- This change adds a max priority flow to drop
  all traffic that is associated with the
  DEAD VLAN 4095.
- This change is part of a partial mitigation of
  bug 1734320. Without this change vlan 4095 traffic
  will be dropped via a low priority flow after being
  processed by part/all of the openflow pipeline.
  By raising the priority and dropping in table 0
  we drop invalid packets as soon as they enter
  the pipeline.

Change-Id: I3482c7c4f00942828cc9396cd2f3d646c9e8c9d1
Partial-Bug: #1734320
changes/09/616609/2
Sean Mooney 4 years ago
parent
commit
e3dc447b90
  1. 2
      neutron/plugins/ml2/drivers/openvswitch/agent/common/constants.py
  2. 3
      neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
  3. 3
      neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_int.py
  4. 7
      neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py
  5. 2
      neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/test_br_int.py

2
neutron/plugins/ml2/drivers/openvswitch/agent/common/constants.py

@ -153,6 +153,8 @@ OPENFLOW13 = "OpenFlow13"
OPENFLOW14 = "OpenFlow14"
OPENFLOW15 = "OpenFlow15"
OPENFLOW_MAX_PRIORITY = 65535
# A placeholder for dead vlans.
DEAD_VLAN_TAG = p_const.MAX_VLAN_TAG + 1

3
neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py

@ -43,6 +43,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
self.install_drop(table_id=constants.LOCAL_SWITCHING,
priority=constants.OPENFLOW_MAX_PRIORITY,
vlan_vid=constants.DEAD_VLAN_TAG)
def setup_canary_table(self):
self.install_drop(constants.CANARY_TABLE)
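Review bot: The added `install_drop` in LOCAL_SWITCHING matches on `vlan_vid=constants.DEAD_VLAN_TAG` with no presence bit, and the native unit test in this commit pins the resulting match as `OFPMatch(vlan_vid=4095)`. In OpenFlow 1.3 a match on a specific tagged VLAN is the VID ORed with `OFPVID_PRESENT` (0x1000); a bare VID is not one of the defined combinations, so the switch may reject the flow or never match tagged 4095 frames, which would leave the dead-VLAN drop ineffective on the native driver. Unless `install_drop` sets the bit itself (not visible here), consider `vlan_vid=OFPVID_PRESENT | constants.DEAD_VLAN_TAG`, taking the constant from the OpenFlow protocol module this driver already uses, and adjust the test expectation to match. It is also worth confirming on a running bridge that the flow appears in the flow dump as a VLAN 4095 match. The enclosing method starts above the hunk.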

3
neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_int.py

@ -37,6 +37,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
self.install_drop(table_id=constants.LOCAL_SWITCHING,
priority=constants.OPENFLOW_MAX_PRIORITY,
dl_vlan=constants.DEAD_VLAN_TAG)
def setup_canary_table(self):
self.install_drop(constants.CANARY_TABLE)
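Review bot: The new max-priority drop in LOCAL_SWITCHING has no comment, and because it sits at `OPENFLOW_MAX_PRIORITY` in table 0 it takes precedence over every lower-priority flow for that VLAN, which a later maintainer adding table 0 rules needs to know. A short comment above the call would do, for example `# Drop dead-VLAN traffic at ingress, before any other table 0 flow can match it (bug 1734320).` The same applies to the matching call in the native driver's br_int.py. The enclosing method starts above the hunk.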

7
neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py

@ -68,6 +68,13 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
priority=0,
table_id=24),
active_bundle=None),
call._send_msg(ofpp.OFPFlowMod(dp,
cookie=self.stamp,
instructions=[],
match=ofpp.OFPMatch(vlan_vid=4095),
priority=65535,
table_id=0),
active_bundle=None),
]
self.assertEqual(expected, self.mock.mock_calls)

2
neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/test_br_int.py

@ -37,6 +37,8 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
call.add_flow(priority=0, table=0, actions='resubmit(,60)'),
call.add_flow(priority=3, table=60, actions='normal'),
call.add_flow(priority=0, table=24, actions='drop'),
call.add_flow(actions='drop', dl_vlan=4095,
priority=65535, table=0)
]
self.assertEqual(expected, self.mock.mock_calls)
