From f2caa7c8231a233b83948aa50180ddfcef87f582 Mon Sep 17 00:00:00 2001 From: Thomas Morin Date: Fri, 7 Apr 2017 11:30:59 +0200 Subject: [PATCH] OVS firewall: do strip_vlan in TRANSIENT_TABLE This change moves the strip_vlan action from RULES_INGRESS/82 to TRANSIENT_TABLE after the point where the traffic from local VM ports has been moved to BASE_EGRESS. A reason for this move is that strip_vlan is only needed for traffic *not* coming from VM ports and coming on a patch port from br-*, and that it is hence simpler do do the strip_vlan in TRANSIENT_TABLE rather than in mutliple places that also happen to be common with traffic from local VMs. This change also addresses another need: I16a35b5d6c54901899d24fc94bd3438c1f1be05e results in add_flow being possibly done with an Openflow version higher than OF1.0. The strip_action as currently done is not compatible with OF>1.0, because later versions require matching on dl_vlan first (the "strip vlan if there is one" behavior of OF1.0 is not supported anymore). For this reason this change adds a match on dl_vlan for the strip_vlan rule. Change-Id: I76ee34a614237bbc99989ce9c1b96a30456be282 --- neutron/agent/linux/openvswitch_firewall/firewall.py | 10 +++++----- neutron/agent/linux/openvswitch_firewall/rules.py | 2 +- .../agent/linux/openvswitch_firewall/test_firewall.py | 4 ++-- .../agent/linux/openvswitch_firewall/test_rules.py | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py index 31f4eabe7b4..c86bab4642e 100644 --- a/neutron/agent/linux/openvswitch_firewall/firewall.py +++ b/neutron/agent/linux/openvswitch_firewall/firewall.py @@ -561,7 +561,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): dl_dst=port.mac, actions='set_field:{:d}->reg{:d},' 'set_field:{:d}->reg{:d},' - 'resubmit(,{:d})'.format( + 'strip_vlan,resubmit(,{:d})'.format( port.ofport, ovsfw_consts.REG_PORT, port.vlan_tag, @@ -777,7 +777,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): dl_type=constants.ETHERTYPE_IPV6, nw_proto=lib_const.PROTO_NUM_IPV6_ICMP, icmp_type=icmp_type, - actions='strip_vlan,output:{:d}'.format(port.ofport), + actions='output:{:d}'.format(port.ofport), ) def _initialize_ingress(self, port): @@ -788,7 +788,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): dl_type=constants.ETHERTYPE_ARP, reg_port=port.ofport, dl_dst=port.mac, - actions='strip_vlan,output:{:d}'.format(port.ofport), + actions='output:{:d}'.format(port.ofport), ) self._initialize_ingress_ipv6_icmp(port) @@ -804,7 +804,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): nw_proto=lib_const.PROTO_NUM_UDP, tp_src=src_port, tp_dst=dst_port, - actions='strip_vlan,output:{:d}'.format(port.ofport), + actions='output:{:d}'.format(port.ofport), ) # Track untracked @@ -856,7 +856,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): ct_state=state, ct_mark=ovsfw_consts.CT_MARK_NORMAL, ct_zone=port.vlan_tag, - actions='strip_vlan,output:{:d}'.format(port.ofport) + actions='output:{:d}'.format(port.ofport) ) self._add_flow( table=ovs_consts.RULES_INGRESS_TABLE, diff --git a/neutron/agent/linux/openvswitch_firewall/rules.py b/neutron/agent/linux/openvswitch_firewall/rules.py index 8c64f613371..65d2470d286 100644 --- a/neutron/agent/linux/openvswitch_firewall/rules.py +++ b/neutron/agent/linux/openvswitch_firewall/rules.py @@ -78,7 +78,7 @@ def populate_flow_common(direction, flow_template, port): if direction == firewall.INGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE flow_template['dl_dst'] = port.mac - flow_template['actions'] = "strip_vlan,output:{:d}".format(port.ofport) + flow_template['actions'] = "output:{:d}".format(port.ofport) elif direction == firewall.EGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE flow_template['dl_src'] = port.mac diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py index e3c45178971..f37ff7dbf3b 100644 --- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py +++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py @@ -472,7 +472,7 @@ class TestOVSFirewallDriver(base.BaseTestCase): table=ovs_consts.TRANSIENT_TABLE) exp_ingress_classifier = mock.call( actions='set_field:{:d}->reg5,set_field:{:d}->reg6,' - 'resubmit(,{:d})'.format( + 'strip_vlan,resubmit(,{:d})'.format( self.port_ofport, TESTING_VLAN_TAG, ovs_consts.BASE_INGRESS_TABLE), dl_dst=self.port_mac, @@ -480,7 +480,7 @@ class TestOVSFirewallDriver(base.BaseTestCase): table=ovs_consts.TRANSIENT_TABLE) filter_rule = mock.call( actions='ct(commit,zone=NXM_NX_REG6[0..15]),' - 'strip_vlan,output:{:d}'.format(self.port_ofport), + 'output:{:d}'.format(self.port_ofport), dl_dst=self.port_mac, dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP), nw_proto=constants.PROTO_NUM_TCP, diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py index fd40e8825ae..65d97144a2b 100644 --- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py +++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py @@ -187,7 +187,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): expected_flows = [{ 'table': ovs_consts.RULES_INGRESS_TABLE, 'dl_dst': self.port.mac, - 'actions': 'strip_vlan,output:1', + 'actions': 'output:1', 'nw_proto': constants.PROTO_NUM_TCP, }] self._test_create_protocol_flows_helper( @@ -368,7 +368,7 @@ class TestCreateConjFlows(base.BaseTestCase): flows[0]['ct_state']) self.assertEqual(ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED, flows[1]['ct_state']) - self.assertEqual("strip_vlan,output:{:d}".format(port.ofport), + self.assertEqual("output:{:d}".format(port.ofport), flows[0]['actions']) self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}".format( ovsfw_consts.REG_NET, flows[0]['actions']),