Merge "ovs firewall: fix mac learning on the ingress rule table when ovs offload enabled" into stable/stein
commit
fbf087a79c
|
@ -1311,6 +1311,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# NOTE: The OUTPUT action is used instead of NORMAL action to reduce
|
||||||
|
# cpu utilization, but it causes the datapath rule to be flood rule.
|
||||||
|
# This is due to mac learning not happened on ingress traffic.
|
||||||
|
# While this is ok for no offload case, in ovs offload flood rule
|
||||||
|
# is not offloaded. Therefore, we change the action to be NORMAL in
|
||||||
|
# offload case. In case the explicitly_egress_direct is used the
|
||||||
|
# pipeline don't contain action NORMAL so we don't have flood rule
|
||||||
|
# issue.
|
||||||
|
actions = 'output:{:d}'.format(port.ofport)
|
||||||
|
if (self.int_br.br.is_hw_offload_enabled and
|
||||||
|
not cfg.CONF.AGENT.explicitly_egress_direct):
|
||||||
|
actions = 'mod_vlan_vid:{:d},normal'.format(port.vlan_tag)
|
||||||
# Allow established and related connections
|
# Allow established and related connections
|
||||||
for state in (ovsfw_consts.OF_STATE_ESTABLISHED_REPLY,
|
for state in (ovsfw_consts.OF_STATE_ESTABLISHED_REPLY,
|
||||||
ovsfw_consts.OF_STATE_RELATED):
|
ovsfw_consts.OF_STATE_RELATED):
|
||||||
|
@ -1321,7 +1333,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||||
ct_state=state,
|
ct_state=state,
|
||||||
ct_mark=ovsfw_consts.CT_MARK_NORMAL,
|
ct_mark=ovsfw_consts.CT_MARK_NORMAL,
|
||||||
ct_zone=port.vlan_tag,
|
ct_zone=port.vlan_tag,
|
||||||
actions='output:{:d}'.format(port.ofport)
|
actions=actions
|
||||||
)
|
)
|
||||||
self._add_flow(
|
self._add_flow(
|
||||||
table=ovs_consts.RULES_INGRESS_TABLE,
|
table=ovs_consts.RULES_INGRESS_TABLE,
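Review bot: The offload branch that sets `actions = 'mod_vlan_vid:{:d},normal'.format(port.vlan_tag)` hands the final forwarding decision for conntrack-accepted ingress traffic to the bridge's MAC learning table instead of pinning it to `port.ofport`, and the NOTE comment does not record that trade-off. With NORMAL, a frame whose destination MAC is not yet learned is presumably flooded within the VLAN, so it can reach ports other than the one whose rules were just evaluated. That is worth stating next to the code, e.g. `# NORMAL lets the bridge FDB pick the output port; delivery is no longer pinned to port.ofport.` A unit test asserting the flow's `actions` for both values of `is_hw_offload_enabled` and `explicitly_egress_direct` would keep the non-offload path on `output:`. The enclosing method and the `_add_flow` call start outside the hunks shown, so whether other accept flows in this table still use `output:` cannot be checked from here.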
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce
|
||||||
|
the usage of normal actions to reduce cpu utilization. This causing flood
|
||||||
|
rule because there is no MAC learning on ingress traffic. While this ok
|
||||||
|
for none offload case, when using ovs offload flood rule is not
|
||||||
|
offloaded. This fix the MAC learning in the offload, so we avoid flood
|
||||||
|
rule.
|
||||||
|
`#1897637 <https://bugs.launchpad.net/neutron/+bug/1897637>`_.
|