The default value for the "of_interface" config option was switched
to "native" in the Pike release.
In the same release this option was deprecated for removal.
Now it's time to remove it and force use of the "native" driver to
Co-Authored-By: Ihar Hrachyshka <email@example.com>
Co-Authored-By: Slawek Kaplonski <firstname.lastname@example.org>
Other than the of_interface methods, today we are forced to use ovs_lib
methods to program flows, which call ovs-ofctl in turn. Let's make
install_instructions accept string actions regardless of of_interface
OVS can hold only one tunnel with the same endpoints. Some tests had
hardcoded values for both tunnel endpoints, which made them unable to run
in a parallel manner.
This patch always takes an exclusive address using the resource allocator.
With this change delete_flows will only remove flows matching the default
cookie of the bridge.
The uninstall_flows implementation in the native bridge is also modified
to touch only the flows with the bridge cookie.
To still allow deletion of all cookies, cookie=COOKIE_ANY is introduced
as a special value, and used in the agent code in the places where the
intent is indeed to clean all flows whatever their cookie is.
There is a bug 1640283 fixed in OVS 2.5.1, but currently we ship Neutron
with openvswitch 2.5.0. The patch adds a decorator that skips particular
tests in case the minimal version requirement is not met.
With this change the delete_flow variant implementation
of OpenFlowSwitchMixin, which was overriding the parent implementation
from ovs_lib in an incompatible way using the native ryu implementation,
is renamed to uninstall_flows.
As discussed in bug 1628455, the approach consisting of
extending the _keyword dict to convert ovs-ofctl rules into ryu
parameters does not seem practical.
This change also updates calls to delete_flows so that, when
enabled, the native interface will be used. Similar calls outside neutron
repo need to be updated as well, which will be done in separate changes.
Patch ports between br-int and br-tun now have
randomly generated names, so two different tests
shouldn't try to create ports with the same name at the same time.
The neutron-sanity-check tool was importing the neutron.tests.base module, which
may not be present on some systems (e.g. RDO splits the neutron/tests/
subtree into a separate python-neutron-tests package). It made the tool
unusable in some setups.
This is not the first time we have imported from neutron.tests.* by
mistake and broken distributions. It's time to stop it by
proactively forbidding that pattern via a new hacking check.
Some functions were moved from neutron.tests.base to
neutron.common.utils to fulfill the new requirement. They were moved
using debtcollector, so no current consumers should be affected.
One packet is typically not enough to determine if
an IP is responding since the first could get dropped
during ARP resolution. Change the default to 3 since
that should be sufficient.
Also, some callers were specifying a timeout of 5
seconds, which isn't all that useful since if the
packet never made it out, waiting longer isn't
going to help. Let them use the default of 1.
The mac-spoofing filtering done by iptables was
not adequate. See the bug report and change
This patch adds flows to the OVS agent to block
any traffic from the VM that isn't in the allowed
address pairs macs or the mac address field of
Low-level flow tests are currently done by unit tests, which call
of_interface specific APIs. This patch adds tests that call common
APIs of of_interface drivers so that we have a better chance of catching
of_interface specific breakages.
Also, update OVS_BRANCH as the older version has a bug revealed by this
There seems to be some race condition or corner case in the
ARP spoofing functional tests that causes them to randomly
fail in the gate, but it's difficult to reproduce them
locally. This patch adds a bunch of details on failures so
we can maybe get some hints about the unexpected state of
the bridge or interfaces that is causing the failure.
Similar to the IPv4 ARP protection support, this patch adds the necessary OVS
rules to prevent ports attached to the agent from sending any ICMPv6 neighbor
advertisement messages that contain an IPv6 address not belonging to the port.
For details please refer to "Figure 3. Attack against IPv6 Address Resolution"
Skip adding ARP spoofing protection on OVS ports with a
device_owner field starting with 'network:'. This is
already the case for the other iptables-based spoofing
protection and is necessary for floating IPs to function
correctly on router gateway ports.
Introduce an alternative OpenFlow implementation, "native",
implemented using the Ryu ofproto Python library from the Ryu SDN Framework.
Make it selectable with the of_driver=native agent option.
The aim is to replace the existing ovs-ofctl based implementation
It introduces a node-local OpenFlow controller embedded in the
OVS agent. Benefits include:
* Reduce the overhead of invoking ovs-ofctl command (and associated
* Make future uses of OpenFlow asynchronous messages (e.g. Packet-In,
Port-Status, etc) easier
* Make XenAPI integration simpler
* Switch to OpenFlow 1.3.
* Make OVS-agent act as an OpenFlow controller
* Configure OVS on the node to connect to the controller
Implements: blueprint ovs-ofctl-to-python
Co-Authored-by: IWAMOTO Toshihiro <email@example.com>
* Full stack tests' fake VMs are represented via a namespace,
MAC, IP address and default gateway. They're plugged to an OVS
bridge via an OVS internal port. As opposed to the current
fake machine class used in functional testing, this new fake
machine also creates a Neutron port via the API and sets the
IP and MAC according to it. It also sets additional attributes
on the OVS port to allow the OVS agent to do its magic.
* The functional fake machine and the full stack fake machine
should continue to share commonalities.
* The fullstack fake machine currently takes the IP address
from the port and statically assigns it to the namespace
device. Later when I'll add support for the DHCP agent
in full stack testing this assignment will look for the dhcp
attribute of the subnet and either assign the IP address
via 'ip' or call a dhcp client.
* Added a basic L2 connectivity test between two such machines
on the same Neutron network.
* OVSPortFixture now uses OVSInterfaceDriver to plug the port
instead of replicating a lot of the code. I had to make a
small change to _setup_arp_spoof_for_port since all OVS ports
are now created with their external-ids set.
The other IPv4 tests all have a count of 2 to tolerate
ping failures due to slow ARP response/interface setup/etc.
This patch increases test_arp_spoof_allowed_address_pairs_0cidr
to 2 to match.
This commit moves the L2 agents (Linuxbridge and OVS) into the
ML2 directory, while at the same time also moving the ML2 server
bits into toplevel directories. It also moves the configuration
files and unit tests. We also move the l2pop RPC mixin while
here as well.
Partially-Implements: blueprint reference-implementation-split
Signed-off-by: Kyle Mestery <firstname.lastname@example.org>
Don't set up ARP protection on ports with allowed address pairs
that allow them to use any IP address. This is necessary because
OVS doesn't support the /0 prefix in rules that match on ARP headers.
Some "agent" functional tests can be skipped if some requirements are
not satisfied in order to allow developers to run functional tests on
various environments. These tests should not be skipped in the gate.
This change defines the decorator no_skip_on_missing_deps to ensure
no "agent" functional tests are skipped in the gate. More precisely
no_skip_on_missing_deps transforms a skipTest into an error in:
* dsvm-functional and dsvm-fullstack jobs,
* functional and fullstack jobs when OS_FAIL_ON_MISSING_DEPS is
evaluated as True.
The change enlarges the OS_FAIL_ON_MISSING_DEPS environment variable scope
(i.e. missing dependencies + system requirements).
 in neutron.tests.functional
 in neutron.tests.common.base
This is a preparation to introduce another Ryu-based implementation.
The aim is to replace this with the new Ryu-based implementation
Add a config option for OVS-agent which selects the implementation.
Currently, the only available choice is 'ovs-ofctl'.
Also, this commit simplifies the DVR logic by reducing duplication
and makes some of the DVR UTs actually check the flows rather than just
"add_flow is called".
Partially-Implements: blueprint ovs-ofctl-to-python
When an IPv6 address is added to an interface, it
goes into a tentative state for a couple of seconds
for duplicate address detection. During this time,
use of the address will fail. This is an issue for
functional tests where they may add an address to
an interface and then immediately run a ping and
This patch adds a new wait_until_address_ready function
to ip_lib that will poll the interface every 200 ms until
the status transitions off of tentative or until a time limit
is exceeded. If the time limit is exceeded, it will raise an
It also adds unit tests and updates a functional test to
make use of the new feature.
The flow rules to match on ARP headers for spoofing prevention
fail to install when an IPv6 address is used. These should be
skipped since the ARP spoofing prevention doesn't apply to IPv6.
Co-authored-by: Kevin Benton <email@example.com>
BaseLinuxTestCase provides 2 methods which are used once and three times
respectively. This change inlines these methods, removes BaseLinuxTestCase and
replaces it with BaseSudoTestCase.
If the server under test is under heavy load, the requirement
of the very first ping passing may be too strict. This patch
increases the max attempts to 2 for the ARP spoofing tests to
give time for the OVS flow changes to take effect.
Adds an option to set up OVS rules that will prevent
ports attached to the agent from sending any ARP responses
that contain an IP address not belonging to the port
(in fixed IPs or allowed_address_pairs).
It is disabled by default and requires an OVS version that
can match on ARP fields. If it is too old, traffic will
still flow but it won't have ARP spoofing protection.
There is a sanity check to verify that ARP header matching
This prevention is specific to OVS so it will not help with
other plugins that use the reference iptables filtering. A
non-OVS-specific general approach will require something like
the ebtables integration in Ibc6d3d520c1383cf7e00f4bdeb7853a41ac4b14b.
A new table is added for ARP spoofing prevention. All ARP traffic
on the local switching table is sent to this spoofing table.
The spoofing table will allow all ARP requests because we aren't
interested in them. It will then install an ARP response allow rule
for each IP address the port is assigned. All other ARP responses are