Commit Graph

27 Commits (0634dcc6d0f08c18c69a2c360a2c5c0581ec7bb6)

Author SHA1 Message Date
Ihar Hrachyshka 4aeec20001 Drop of_interface option
The default value for the "of_interface" config option was switched
to "native" in the Pike release.
In the same release this option was deprecated for removal.
Now it's time to remove it and force use of the "native" driver to
manage openflows.

Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <>
Co-Authored-By: Slawek Kaplonski <>
4 years ago
Boden R 9bbe9911c4 remove neutron.common.constants
All of the externally consumed variables from neutron.common.constants
now live in neutron-lib. This patch removes neutron.common.constants
and switches all uses over to lib.


Change-Id: I3c2f28ecd18996a1cee1ae3af399166defe9da87
4 years ago
Jakub Libosvar 8b2c40366b ovs-fw: Apply openflow rules immediately during update
Because the update operation updates openflow rules three times:
 1) New rules with new cookie
 2) Delete old rules with old cookie
 3) Change new cookie back to old cookie

and step 2) uses the --strict parameter, it is necessary to apply the rules
before deleting the old rules, because the --strict parameter cannot be
combined with non-strict. This patch applies openflow rules after
step 1), then the --strict rules in step 2) are applied right away and then
the rest of the delete part from 2) and all new rules from 3) are applied.

This patch adds an optional interval parameter to the Pinger class, which sends
more ICMP packets per second in the firewall blink tests to increase the
chance of sending a packet while the firewall is in an inconsistent state.

Change-Id: I25d9c87225feda1b5ddd442dd01529424186e05b
Closes-bug: #1708731
5 years ago
Boden R d55e824310 use EGRESS_DIRECTION and INGRESS_DIRECTION from neutron-lib
The EGRESS_DIRECTION and INGRESS_DIRECTION constants live in neutron-lib
now. This patch removes them from neutron and uses lib's version of


Change-Id: I1b81f5c3de9e6f2c0967c2db23ddb716ee7ec6b9
5 years ago
Jakub Libosvar 6370a04710 ovsfw: Fix overlapping MAC addresses on integration bridge
The patch relies on the fact that traffic not going from an instance
(and thus from a port not managed by the firewall) is tagged. Traffic coming from
the instance is not tagged and thus the net register is used for marking
such traffic. These two approaches make matching rules unique even if
two ports from different networks share their MAC addresses.

Traffic coming from trusted ports is marked with network in registry
so firewall can decide later to which network traffic belongs.

Closes-bug: #1626010

Change-Id: Ia05d75a01b0469a0eaa82ada67b16a9481c50f1c
6 years ago
Jakub Libosvar d559cd53e8 ovs-fw: Use TRANSIENT table for traffic classification
Commit ce8a0b2b7d introduces a TRANSIENT
table where all traffic local to br-int is sent after it's been
preprocessed by other features using openflow. This patch adopts the

Change-Id: Ic66c186ab73bad6fcd133f2b9d15e07fd0eebb33
Related-bug: #1696983
6 years ago
Kevin Benton c76164c058 Move conntrack zones to IPTablesFirewall
The regular IPTablesFirewall needs zones to support safely
clearing conntrack entries.

In order to support the single bridge use case, the conntrack
manager had to be refactored slightly to allow zones to be
either unique to ports or unique to networks.

Since all ports in a network share a bridge in the IPTablesDriver
use case, a zone per port cannot be used since there is no way
to distinguish which zone traffic should be checked against when
traffic enters the bridge from outside the system.

A zone per network is adequate for the single bridge per network
solution since it implicitly does not suffer from the double-bridge
cross in a single network that led to per port usage in OVS.[1]

This had to adjust the functional firewall tests to use the correct
bridge name now that it's relevant in the non-hybrid IPTables case.

1. Ibe9e49653b2a280ea72cb95c2da64cd94c7739da

Closes-Bug: #1668958
Closes-Bug: #1657260
Change-Id: Ie88237d3fe4807b712a7ec61eb932748c38952cc
6 years ago
Brian Haley bd64327007 Change in-tree code to use moved get_ip_version()
Now that get_ip_version() is in common/,
change all in-tree users to use it and not
generate removal warnings.


Change-Id: I623a10f3a52f80b650e5410df8b03729eb823134
6 years ago
Jakub Libosvar a66c271935 ovsfw: Raise exception if tag cannot be found in other_config
Previously, if the tag was not present in other_config obtained from ovsdb
for any reason, the DEAD VLAN tag was used. This is not smart at all as it
puts all conntrack entries to one point. Also the tag is mandatory and if
other_config doesn't contain it, it's a huge mistake that should never

Change-Id: I91ab75b52b70dbba4c7823550bfdfe0ab9396336
Related-bug: 1564947
7 years ago
Jakub Libosvar 2e5b4cb1f9 functional: Pass string tag to other_config
other_config is a map type expecting {"string": "string", } values.
This patch makes sure a string is passed when setting the VLAN tag in

Change-Id: Ie7af248b4609524631770f76398d06d8092c0f9d
Closes-bug: 1643484
7 years ago
Jakub Libosvar f0439a04ad fullstack: VLAN aware VMs test
The patch tests the basic life-cycle of a trunk associated with a port. The test
creates a trunk with one subport - this tests interaction between the
agent and the ovsdb handler that calls via RPC to the server.
Later a new subport is added, which tests RPC interaction between
server and agent. Then it deletes the first created subport. Finally the trunk
is removed and it is checked that no patch ports remain on the integration

Future work:
 - Run this test with linuxbridge
 - Test re-using port associated with trunk.
 - Test re-using subports.
 - Test with OVS firewall.

Partially-implements: blueprint vlan-aware-vms
Change-Id: Ie79a010e6751c1f1c2be5b1bf52511b9e100ad20
7 years ago
Jenkins d8f811df78 Merge "Fix unbalanced-tuple-unpacking pylint error in conn_testers" 7 years ago
Jakub Libosvar 6267a6e8de Fix unbalanced-tuple-unpacking pylint error in conn_testers
The error can be triggered by running "tox -epep8 HEAD~1" while having a
change in conn_testers module.


Change-Id: I7c684c9b6c97f6974e0c71739e068598c9b0e7f0
7 years ago
Jakub Libosvar 2618726458 functional: Make trunk tests more robust
New methods for the connection tester are introduced in this patch. They
send a certain amount of ICMP packets and then compare the results, so we
succeed in positive tests only when all packets were replied to. We succeed
in negative tests only when all packets were lost. Both approaches are
wrapped by actively waiting for a successful result so we don't fail in
the case where we test connectivity while resources are not wired yet.

This change is a followup to to
improve stability of its functional tests.

Closes-Bug: 1617319

Change-Id: I907ebd790f4ba3b4ecb0dce711c9f7d2c5244765
7 years ago
rossella 35ffbed6f7 TrunkManager for the OVS agent
This patch introduces the TrunkManager for the OVS
agent. This class is responsible for wiring the trunk
and the subports.

Partially-implements: blueprint vlan-aware-vms
Co-Authored-By: Jakub Libosvar <>

Change-Id: I498560798983177ce7b64e1a8f32f1a157558897
7 years ago
Henry Gessau 4148a347b3 Use constants from neutron-lib
With this we enable the deprecation warnings by default.

Related-Blueprint: neutron-lib

Change-Id: I5b9e53751dd164010e5bbeb15f534ac0fe2a5105
7 years ago
Jakub Libosvar dabd969090 ovsfw: Load vlan tag from other_config
The OVS agent stores the vlan tag only in other_config before
setup_port_filter() is called [1], leaving the 'tag' column empty. This
patch loads the tag from the correct place and modifies functional tests

Closes-Bug: 1566934
[1] 1efed3a532/neutron/plugins/ml2/drivers/openvswitch/agent/ (L821)

Change-Id: Iaae46ce7362fedfc53af958600d6d712eb382e9f
7 years ago
Jakub Libosvar 4f6aa3ffde ovs-fw: Mark conntrack entries invalid if no rule is matched
This patch makes sure that an existing connection breaks once the security
group rule that allowed such connection is removed. In order to correctly
track connections on the same hypervisor, zones were changed from
per-port to per-network (based on the port's vlan tag). This information is
now stored in register 6. Also a test was added for RELATED
connections to avoid marking such connections as invalid by REPLY rules.

Closes-Bug: 1549370
Change-Id: Ibb5942a980ddd8f2dd7ac328e9559a80c05789bb
7 years ago
Jakub Libosvar 420d5c7987 conn_testers: Bump timeout for ICMPv6 echo tests
In IPv6 scenarios NDP can increase the round-trip time of ICMPv6 packets over
1 second. The patch increases the timeout for ICMPv6 to 2 seconds. Note
that this will extend scenarios where ping is supposed to fail.

Change-Id: Iec7d3138aee3fc904312dbc45ef76854ad0ea789
Closes-Bug: 1557946
7 years ago
Jakub Libosvar cd84563623 security-groups: Add ipv6 support to ovs firewall
Closes-bug: 1547616
Change-Id: I8f925afa50f36d073f52bd03954939ca14c505d7
7 years ago
Assaf Muller 544753b211 Revert "tests: Collect info on failure of conn_tester"
More info in bug report. I suggest we first revert, then
re-introduce the collect_debug_info patch with a different
approach. I suspect the fix is not trivial if indeed ordering
is an issue and the namespaces are cleaned up before
collect_debug_info is fired.

Related-Bug: #1548547
Change-Id: Ice93abbc6e143cdbb90e7d41d1be86dc9eb05006
7 years ago
Jakub Libosvar ef29f7eb9a Open vSwitch conntrack based firewall driver
This firewall requires OVS 2.5+ version supporting conntrack and kernel
conntrack datapath support (kernel>=4.3). For more information, see

As part of this new entry points for current reference firewalls were

in openvswitch_agent.ini:
    - in securitygroup section set firewall_driver to openvswitch

Closes-bug: #1461000

Co-Authored-By: Miguel Angel Ajo Pelayo <>
Co-Authored-By: Amir Sadoughi <>

Change-Id: I13e5cda8b5f3a13a60b14d80e54f198f32d7a529
7 years ago
Jakub Libosvar 66503bd90d tests: Use constants for icmp and arp in conn_testers
Change-Id: I417f88b51dae369310710d359e0f602df9404cb1
7 years ago
Jakub Libosvar 00ffb557d6 tests: Collect info on failure of conn_tester
Whenever an instance of ConnectionTester raises ConnectionTesterException,
custom info is collected and printed into the debug log. This is useful
for debugging non-deterministic gate failures.

Change-Id: Ie886dec9c0e805fa8710af8ae3cb70855fd4ad29
7 years ago
Jakub Libosvar a459950da3 Add firewall blink + remote SG functional tests
This tests that the firewall still serves its purpose even when rules are
being updated. That means there is no short period of time where
security groups are inactive during an update.

Part of this patch introduces the Pinger class. This object provides the
capability of sending ICMP packets asynchronously and after
it's stopped it provides statistics like how many packets were
sent and how many were received. Note the difference from the
assert_ping() functions, which are synchronous.

Additional testing of remote security groups is also added.

Related-bug: #1461000
Change-Id: I6251ee264396f8dbc9b284758b96e5cdc6ac500b
8 years ago
Edgar Magana e12851f2df Fix typos in neutron code
Fix typos found in neutron code and docs

Change-Id: I4afc3a4b36dd47d47d1238ac22e7f09e2d75050d
Related-Bug: #1424139
8 years ago
Jakub Libosvar 2759f130b4 Introduce connection testers module
This module provides tools for testing simple connectivity between two
endpoints via a given technology. The current patch implements endpoints
connected through either a linux bridge or an openvswitch bridge.
Connectivity can be tested using the icmp, arp, tcp and udp protocols.

Change-Id: I00e19fd9b80dc6f6743eb735523bd8f5ff096136
8 years ago