Commit Graph

38 Commits (1c2e10f8595d2286bd9bec513bc5a346a84a6f7c)

Author SHA1 Message Date
Ihar Hrachyshka 4aeec20001 Drop of_interface option
Default value for "of_interface" config option was switched
to "native" in Pike release.
In the same release this option was deprecated to removal.
Now it's time to remove it and force use of "native" driver to
manage openflows.

Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <>
Co-Authored-By: Slawek Kaplonski <>
4 years ago
Boden R 9bbe9911c4 remove neutron.common.constants
All of the externally consumed variables from neutron.common.constants
now live in neutron-lib. This patch removes neutron.common.constants
and switches all uses over to lib.


Change-Id: I3c2f28ecd18996a1cee1ae3af399166defe9da87
4 years ago
Brian Haley cf37563c83 Remove deprecated vsctl ovsdb_interface api
This was deprecated in
so remove all the vsctl-related code, leaving just the native
ovsdb api.

Also removed renamed ovs_vsctl_timeout value, which was changed
to ovsdb_timeout in

Change-Id: I50dfcea3deb41df1bd01fd06b76522453a6ba50b
5 years ago
Zuul 07093607a7 Merge "ovs-fw: Fix firewall blink" 5 years ago
Zuul ade1c606a9 Merge "ovs-fw: Clear conntrack information before egress pipeline" 5 years ago
Jakub Libosvar 6f7ba76075 ovs-fw: Fix firewall blink
Previously, when security group was updated for given port, the firewall
removed all flows related to the port and added new rules. That
introduced a time window where there were no rules for the port.

This patch adds a new mechanism using cookie that can be described in
three states:

1) Create new openflow rules with non-default cookie that is considered
an updated cookie. All newly generated flows will be added with the next
cookie and all existing rules with default cookie are rewritten with the
default cookie.
2) Delete all rules for given port with the old default cookie. This
will leave the newly added rules in place.
3) Update the newly added flows with update cookie back to the default
cookie in order to avoid such flows being cleaned on the next restart of
ovs agent, as it fetches for stale flows.

Change-Id: I85d9e49c24ee7c91229b43cd329c42149637f254
Closes-bug: #1708731
5 years ago
Jakub Libosvar 3327db80be ovs-fw: Clear conntrack information before egress pipeline
In case where Neutron logical port is placed directly to hypervisor,
hypervisor does a conntrack lookup before packets reach OVS integration
bridge. This patch introduces a rule with high priority that is placed
at the beginning of the egress pipeline. This rule removes conntrack
information from all packets if conntrack information is present. Then
packets continue in the egress pipeline.

That means all packets in egress pipeline are not tracked and ovs
firewall can do a lookup in correct zone. As for ingress pipeline, it
distinguishes between tracked - which are packets coming from egress
pipeline, and not tracked, which are inbound packets coming not from a
local port.

Change-Id: Ia4f524adce2b5ee6d98d3921cfb03d56ad6d0813
Closes-bug: #1747082
5 years ago
Boden R d55e824310 use EGRESS_DIRECTION and INGRESS_DIRECTION from neutron-lib
The EGRESS_DIRECTION and INGRESS_DIRECTION constants live in neutron-lib
now. This patch removes them from neutron and uses lib's version of


Change-Id: I1b81f5c3de9e6f2c0967c2db23ddb716ee7ec6b9
5 years ago
Nguyen Phuong An dc5293bba6 [log]: functional test for logging api
This patch performs functional test for logging api. The
implementation is based on the logging api for security group spec[1]


Change-Id: I157bdffe29b184c9e31166586f94eac7fa00188e
Partially-implements: blueprint security-group-logging
Related-Bug: #1468366
5 years ago
jufeng b7892b16b2 ovsfw: fix allowed_address_pairs MAC issue
Current ovsfw implementation does not take care of the different
MACs in allowed_address_pairs with the VM's MAC.
This patch use the following method to fix this issue:
1. Do not check dl_src in table=72 because table=71 has checked
dl_src for Egress.
2. Add all allowed MACs in table=0 and table=73 for Ingress.
3. Do not check dl_dst in table=82 because this check has done
in table=0 and table=73.
4. Delete allowed MACs in table=0 and table=73 when needed.

Change-Id: Iad59096f0c9855ebfd4a0d5b447e73b443d66c1d
Closes-Bug: #1697593
6 years ago
Jakub Libosvar 6370a04710 ovsfw: Fix overlapping MAC addresses on integration bridge
The patch relies on the fact that traffic not going from instance
(and thus port not managed by firewall) is tagged. Traffic coming from
the instance is not tagged and thus net register is used for marking
such traffic. These two approaches make matching rules unique even if
two ports from different networks share its' mac addressess.

Traffic coming from trusted ports is marked with network in registry
so firewall can decide later to which network traffic belongs.

Closes-bug: #1626010

Change-Id: Ia05d75a01b0469a0eaa82ada67b16a9481c50f1c
6 years ago
Ihar Hrachyshka 26b4c5606c python3: convert range object to list before comparing with a list
In python3, calling range() doesn't produce a list, but an iterable. We
need to explicitly convert it to a list, otherwise we get an error:

MismatchError: range(5, 16) != [5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]

Change-Id: Ie55c0d0a98a2b81c237ef42a55f7ce4b129828fb
6 years ago
Jenkins 8d509cd2f8 Merge "Handle CIDR IP address in allowed address pairs" 6 years ago
Ravi Kota 864a8a7ce8 Handle CIDR IP address in allowed address pairs
A CIDR IP address in allowed address pairs causing init
and update operation failures on OFPort.
This is because those operations are not handling CIDR IP addresses.

This patch fixes that problem.

Change-Id: Ic4513859364403555e13593fb34bd2e58ea6377b
Closes-Bug: #1652729
6 years ago
Kevin Benton c76164c058 Move conntrack zones to IPTablesFirewall
The regular IPTablesFirewall needs zones to support safely
clearly conntrack entries.

In order to support the single bridge use case, the conntrack
manager had to be refactored slightly to allow zones to be
either unique to ports or unique to networks.

Since all ports in a network share a bridge in the IPTablesDriver
use case, a zone per port cannot be used since there is no way
to distinguish which zone traffic should be checked against when
traffic enters the bridge from outside the system.

A zone per network is adequate for the single bridge per network
solution since it implicitly does not suffer from the double-bridge
cross in a single network that led to per port usage in OVS.[1]

This had to adjust the functional firewall tests to use the correct
bridge name now that it's relevant in the non hybrid IPTables case.

1. Ibe9e49653b2a280ea72cb95c2da64cd94c7739da

Closes-Bug: #1668958
Closes-Bug: #1657260
Change-Id: Ie88237d3fe4807b712a7ec61eb932748c38952cc
6 years ago
Nam Nguyen Hoai ada4237905 Fix typos
There are some wrong words, it should be updated.

Change-Id: Ia42df71eb16a8ab31d56b9371b738473f980fd82
6 years ago
Jakub Libosvar 54beb5e14e functional: Use VLAN tags from range <1; 4094>
Previously, we generated set of usable VLAN tags in the range <0; 4095>.
0 can be match with OpenFlow rules for empty VLAN tag header and 4095
fails to be added to VLAN interface with RTNETLINK error.

Change-Id: I642abe5a40ef303efc2206df9b2d397b0d271200
Closes-bug: 1643319
7 years ago
Jenkins 9bbff7bbba Merge "ovsfw: fix troublesome port_rule_masking" 7 years ago
Inessa Vasilevskaya 0494f212aa ovsfw: fix troublesome port_rule_masking
In several cases port masking algorithm borrowed
from networking_ovs_dpdk didn't behave correctly.
This caused non-restricted ports to be open due to
wrong tp_src field value in resulting ovs rules.

This was fixed by alternative port masking

Functional and unit tests to cover the bug added as well.

Co-Authored-By: Jakub Libosvar <>
Co-Authored-By: IWAMOTO Toshihiro <>

Closes-Bug: #1611991
Change-Id: Idfc0e9c52e0dd08852c91c17e12edb034606a361
7 years ago
Jenkins 5df6abbbf0 Merge "TrunkManager for the OVS agent" 7 years ago
rossella 35ffbed6f7 TrunkManager for the OVS agent
This patch introduces the TrunkManager for the OVS
agent. This class is responsible for wiring the trunk
and the subports.

Partially-implements: blueprint vlan-aware-vms
Co-Authored-By: Jakub Libosvar <>

Change-Id: I498560798983177ce7b64e1a8f32f1a157558897
7 years ago
Jenkins 43233cc6f4 Merge "Refactoring security group config options" 7 years ago
Ihar Hrachyshka e2abdd4e0b tests: added missing space in a skip test message

Change-Id: Iaee98e77fb65e344e11e61790d3619964c4bc984
7 years ago
sindhu devale 39aedaf745 Refactoring security group config options
Refactoring neutron security grp config opts to be in
neutron/conf/agent so that all the configuration options
reside in a centralized location. This simplifies the
process of looking up the config opts and provides an
easy way to import.

Change-Id: Ia9538f41dfd894ed55c1db1556b37aad09ad2ae1
Partial-Bug: #1563069
7 years ago
Inessa Vasilevskaya bffc5f062c functional: fix OVSFW failure with native OVSDB api
A bunch of functional tests fail because of non implemented
x != [] operation in idlutils.condition_match() and
wrong condition passed to db_find() in OVSFW test.
This patch addresses the issue by implementing lists
comparison in native.idlutils and fixing the call to
db_find() in OVSFW test.

A functional test for OVSDB API's db_find() has been
added to ensure that querying a list column gives the same
result both with vsctl and native ovsdb_interface; unit
test for idlutils.condition_match() with corner cases has
been added as well.

Change-Id: Ia93fb925b8814210975904a453249f15f3646855
Closes-bug: #1578233
7 years ago
Jakub Libosvar bb87e58dab functional: Run OVSFW tests with ovsdb native interface
With this patch functional tests for ovs firewall with run with both
vsctl and native ovsdb interface.

Change-Id: I8339d7a43a449973641922a86836f0231d22bb8f
7 years ago
Dustin Lundquist a8a9d225d8 IPtables firewall prevent ICMPv6 spoofing
IPv6 includes the concept of link-local addresses. There are address
within the fe80::/64 prefix which are used only within the local layer 2
network. They should never be routed. DHCPv6 is one of several protocols
which utilize link-local addresses.

Previously the blanket permit DHCPv6 rule permitted DHCPv6 requests from
a link-local source, before the source address was validated.

The structure of the IPtables egress firewall is:

  a. fixed rules for special traffic
  b. validate source address
  c. fixed rules necessary for host to function
  d. user rules defined by security groups

This change restricts the special traffic permitted in part (a) to only
that traffic which utilizes the "unspecified address" (::), by moving
the fixed permit ICMPv6 and DHCPv6 rules to part (c), so they are
applied after the source address has been validated. In order to enable
DHCPv6 and other protocols utilizing link-local addresses, the
link-local address corresponding to each MAC address are included in the
permitted source addresses. After the source address is verified, the
fixed rules permit ICMPv6 and DHCPv6, then the user defined security
group rules are applied.

In the existing implementation ICMPv6 and DHCPv6 rules in the fixed
ip6tables firewall rules are too permissive: they permit ICMPv6 and
DHCPv6 traffic, regardless of source MAC or IPv6 address. These rules
where intended to allow a host to acquire an IPv6 address, but
inadvertently allowed a malicious or compromised host to spoof another's
MAC or IPv6 address.

A host acquiring an IPv6 address should preform DAD (duplicate address
detection). To preform this the host must join the multicast group
corresponding to the tentative IPv6 address and the all nodes multicast
group. To join these groups the host sends ICMP MLD (multicast listener
discovery) report messages before it has an IPv6 address assigned, so
the unspecified address is used as the source address. To complete DAD,
ICMP neighbor solicitation messages are sent to solicit if any nodes
using that address. This should be the only use of the unspecified IPv6
address as a source address. The IPv4 case is similar the unspecified
address is used for DHCP discovery and request messages.

To summarize, this patch permits only ICMPv6 traffic from the unspecified
address which is used for duplicate address detection. Then it enforces
the source IPv6 and MAC addresses and finally, allows only ICMPv6 traffic
which has passed this source address validation.

In addition this patch permits traffic from all link-local addresses
associated with each MAC address assigned to the port. This is required
by many IPv6 protocols, such as DHCPv6, which depend on the link-local
addresses. This traffic was previously allowed by the blanket allow
ICMPv6 and allow DHCPv6 rules before the source address was validated.

Finally, it includes a functional test for IPv6 spoofing using both
ICMPv6 and DHCPv6 traffic. OVSFirewall currently permits this spoofed
DHCPv6 traffic. I'm excluding the OVSFirewall implementation from test
so it can be fixed in a follow on patch.

Change-Id: Ice1c9dd349864da28806c5053e38ef86f43b7771
Partial-Bug: 1502933
7 years ago
Henry Gessau 4148a347b3 Use constants from neutron-lib
With this we enable the deprecation warnings by default.

Related-Blueprint: neutron-lib

Change-Id: I5b9e53751dd164010e5bbeb15f534ac0fe2a5105
7 years ago
Jakub Libosvar c3f6bf5297 Skip firewall blink test for ovs-fw
We need to start using bundles first for ofctl operations.

Change-Id: Ia67c97bfa0fe03ca976be2330c9a66a85f988ceb
Related-Bug: 1569621
7 years ago
Dustin Lundquist 6a93ee8ac1 Iptables firewall prevent IP spoofed DHCP requests
The DHCP rules in the fixed iptables firewall rules were too permissive.
They permitted any UDP traffic with a source port of 68 and destination
port of 67. Care must be taken since these rules return before the IP
spoofing prevention rules. This patch splits the fixed DHCP rules into
two, one for the discovery and request messages which take place before
the instance has bound an IP address and a second to permit DHCP

Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
Partial-Bug: #1558658
7 years ago
Jakub Libosvar 4f6aa3ffde ovs-fw: Mark conntrack entries invalid if no rule is matched
This patch makes sure that existing connection breaks once security
group rule that allowed such connection is removed. Due to correctly
track connections on the same hypervisor, zones were changed from
per-port to per-network (based on port's vlan tag). This information is
now stored in register 6. Also there was added a test for RELATED
connections to avoid marking such connection as invalid by REPLY rules.

Closes-Bug: 1549370
Change-Id: Ibb5942a980ddd8f2dd7ac328e9559a80c05789bb
7 years ago
Jakub Libosvar cd84563623 security-groups: Add ipv6 support to ovs firewall
Closes-bug: 1547616
Change-Id: I8f925afa50f36d073f52bd03954939ca14c505d7
7 years ago
Assaf Muller 544753b211 Revert "tests: Collect info on failure of conn_tester"
More info in bug report. I suggest we first revert, then
re-introduce the collect_debug_info patch with a different
approach. I suspect the fix is not trivial if indeed ordering
is an issue and the namespaces are cleaned up before
collect_debug_info is fired.

Related-Bug: #1548547
Change-Id: Ice93abbc6e143cdbb90e7d41d1be86dc9eb05006
7 years ago
Jakub Libosvar ef29f7eb9a Open vSwitch conntrack based firewall driver
This firewall requires OVS 2.5+ version supporting conntrack and kernel
conntrack datapath support (kernel>=4.3). For more information, see

As part of this new entry points for current reference firewalls were

in openvswitch_agent.ini:
    - in securitygroup section set firewall_driver to openvswitch

Closes-bug: #1461000

Co-Authored-By: Miguel Angel Ajo Pelayo <>
Co-Authored-By: Amir Sadoughi <>

Change-Id: I13e5cda8b5f3a13a60b14d80e54f198f32d7a529
7 years ago
Jakub Libosvar 00ffb557d6 tests: Collect info on failure of conn_tester
Whenever instance of ConnectionTester raises ConnectionTesterException
then custom info is collected and printed into debug log. This is useful
for debugging non-deterministic gate failures.

Change-Id: Ie886dec9c0e805fa8710af8ae3cb70855fd4ad29
7 years ago
Bhagyashri Shewale 88e899f7a0 Fix module's import order
Made corrections in import order for built-in, third party and
project specific modules as per OpenStack import standards [1].


Change-Id: I899deefd6ee4732d6c0afd17a5afbe42b0fa37ba
7 years ago
Jakub Libosvar a459950da3 Add firewall blink + remote SG functional tests
This tests that firewall still does its purpose even when rules are
being updated. That means there is no short period of time where
security groups are inactive during update.

Part of this patch introduces Pinger class. This object provides
capability of sending ICMP packets asynchronously and after
it's stopped it provides statistics like how many packets were
sent and how many were received. Note the difference between
assert_ping() functions, which are synchronous.

Another testing of remote security groups is also added.

Related-bug: #1461000
Change-Id: I6251ee264396f8dbc9b284758b96e5cdc6ac500b
8 years ago
Jakub Libosvar a94777a005 Add test cases to testing firewall drivers
Part of this patch is also preparation for having common test plan for
firewall driver testing.

Following test cases were implemented:
 - dhcp works by default
 - dhcp server is prevented on vm by default
 - ip spoofing from vm
 - allowed address pairs allows traffic to given ip
 - arp can go through
 - ingress/egress traffic with src/dest port ranges

Related-bug: #1461000
Change-Id: Ib00c99f236855e6556f43f4ffc55014c73b077bb
8 years ago