From 9a1c830552ab1d762679351c3f182a9c7dc76d50 Mon Sep 17 00:00:00 2001
From: Moshe Levi 
Date: Tue, 29 Sep 2020 00:58:54 +0300
Subject: [PATCH] ovs firewall: fix mac learning on the ingress rule table when ovs offload enabled

In RULES_INGRESS_TABLE table 82 there is a rule for allow established and related connections. The current rule sends the packet directly to the dest port without doing a mac learning. This is causing ovs to age out the dest mac of the remote VM and causing the rule to be changed in flood rule. For the normal case it fine as they try to avoid high cpu. ovs hardware offload reduce cpu usage by moving some of the packet processing to nic and flood rule is not offloaded, therefore it prefre to use the NORMAL action to avoid the flood rule.

We also keep the same logic as today when using explicitly_egress_direct=True which avoid NORMAL action in the entire pipeline.

Closes-Bug: #1897637
Change-Id: I9b611d62be5d0529e8b35e3d8280baa5be54bc2b
(cherry picked from commit 8fc80b7e132031d18c787b5be582c146d262de74)
---
 .../agent/linux/openvswitch_firewall/firewall.py | 14 +++++++++++++-
 ...ning-in-case--ovs-offload-26193bf1638fd673.yaml | 10 ++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/fix-mac-learning-in-case--ovs-offload-26193bf1638fd673.yaml

diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index d589257db36..777bedfe5a2 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -1311,6 +1311,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
         )
 
+        # NOTE: The OUTPUT action is used instead of NORMAL action to reduce
+        # cpu utilization, but it causes the datapath rule to be flood rule.
+        # This is due to mac learning not happened on ingress traffic.
+        # While this is ok for no offload case, in ovs offload flood rule
+        # is not offloaded. Therefore, we change the action to be NORMAL in
+        # offload case. In case the explicitly_egress_direct is used the
+        # pipeline don't contain action NORMAL so we don't have flood rule
+        # issue.
+        actions = 'output:{:d}'.format(port.ofport)
+        if (self.int_br.br.is_hw_offload_enabled and
+                not cfg.CONF.AGENT.explicitly_egress_direct):
+            actions = 'mod_vlan_vid:{:d},normal'.format(port.vlan_tag)
         # Allow established and related connections
         for state in (ovsfw_consts.OF_STATE_ESTABLISHED_REPLY,
                       ovsfw_consts.OF_STATE_RELATED):
@@ -1321,7 +1333,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                 ct_state=state,
                 ct_mark=ovsfw_consts.CT_MARK_NORMAL,
                 ct_zone=port.vlan_tag,
-                actions='output:{:d}'.format(port.ofport)
+                actions=actions
             )
         self._add_flow(
             table=ovs_consts.RULES_INGRESS_TABLE,
diff --git a/releasenotes/notes/fix-mac-learning-in-case--ovs-offload-26193bf1638fd673.yaml b/releasenotes/notes/fix-mac-learning-in-case--ovs-offload-26193bf1638fd673.yaml
new file mode 100644
index 00000000000..2feaa20637c
--- /dev/null
+++ b/releasenotes/notes/fix-mac-learning-in-case--ovs-offload-26193bf1638fd673.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce
+    the usage of normal actions to reduce cpu utilization. This causing flood
+    rule because there is no MAC learning on ingress traffic. While this ok
+    for none offload case, when using ovs offload flood rule is not
+    offloaded. This fix the MAC learning in the offload, so we avoid flood
+    rule.
+    `#1897637 `_.
\ No newline at end of file
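Review bot: The new `actions` selection in the first hunk changes how established/related ingress traffic is delivered on hw-offload hosts, yet the diffstat shows no unit-test change; a test asserting that the table-82 flows carry `mod_vlan_vid:<vlan_tag>,normal` when `is_hw_offload_enabled` is true and `explicitly_egress_direct` is false, and `output:<ofport>` in the other two combinations, would pin this three-way decision (the enclosing method's signature is above the hunk). With `normal`, the egress port is chosen by the bridge's learned-MAC table inside `port.vlan_tag`'s VLAN rather than forced to `port.ofport`, so the remaining match fields (`ct_zone=port.vlan_tag` and, presumably, a per-port register match just above `ct_state` in the second hunk) are now what scope the flow to this port — the NOTE should say so, so nobody later relaxes a match believing the output is still fixed. I would also tighten the NOTE itself, e.g. `# NOTE: output:<ofport> skips MAC learning, so the datapath degrades to a flood rule once the remote MAC ages out; flood rules are not hw-offloadable, so with offload we re-tag and use NORMAL.` followed by one line stating that `explicitly_egress_direct` keeps the NORMAL-free pipeline.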