Commit Graph

40 Commits (1c2e10f8595d2286bd9bec513bc5a346a84a6f7c)

Author SHA1 Message Date
Ihar Hrachyshka 4aeec20001 Drop of_interface option
Default value for "of_interface" config option was switched
to "native" in Pike release.
In the same release this option was deprecated to removal.
Now it's time to remove it and force use of "native" driver to
manage openflows.

Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <>
Co-Authored-By: Slawek Kaplonski <>
4 years ago
Brian Haley cf37563c83 Remove deprecated vsctl ovsdb_interface api
This was deprecated in
so remove all the vsctl-related code, leaving just the native
ovsdb api.

Also removed renamed ovs_vsctl_timeout value, which was changed
to ovsdb_timeout in

Change-Id: I50dfcea3deb41df1bd01fd06b76522453a6ba50b
5 years ago
IWAMOTO Toshihiro 2180bd902c of_interface: Implement bundled() method
Change-Id: Ie0de8309cdbed02fa88887e7fe25e8b3a2c0afe1
Related-blueprint: ovs-ofctl-to-python
5 years ago
IWAMOTO Toshihiro 3f4bceecaa of_interface: allow install_instructions to accept string actions
Other than the of_interface methods, today we are forced to use ovs_lib
methods to program flows, which call ovs-ofctl in turn. Let's make
install_instructions accept string actions regardless of of_interface

Related-bug: #1672340
Change-Id: Ie2fdeab1f4ac567ef336abae03768e43f426311a
6 years ago
Jakub Libosvar 330ebbb1b1 functional-tests: Make addresses for tunneling unique
OVS can hold only one tunnel with same endpoints. Some tests had
hardcoded values for both tunnel endpoints which made them unable to run
in parallel manner.

This patch takes always exclusive address using resource allocator.

Change-Id: If81296d54656551b24917d561f235edb96a6c2df
Closes-bug: #1697533
6 years ago
Thomas Morin d761d26225 delete_flows shall only touch flows with the bridge cookie
With this change delete_flows will only remove flows matching the default
cookie of the bridge.

The uninstall_flows implementation in the native bridge is also modified
to touch only the flows with the bridge cookie.

To still allow deletion of all cookies, cookie=COOKIE_ANY is introduced
as a special value, and used in the agent code in the places where the
intent is indeed to clean all flows whatever their cookie is.

Partial-Bug: #1557620
Change-Id: Idd0531cedda87224531cb8fb6a912ccd0f1554d5
6 years ago
Jenkins 4ded53918f Merge "functional: Stop compiling OVS from source" 6 years ago
Jakub Libosvar 7210696702 functional: Stop compiling OVS from source
There is a bug 1640283 fixed in OVS 2.5.1 but currently we ship Neutron
with openvswitch 2.5.0. The patch adds a decorator that skips particular
tests in case minimal version requirement is not met.

Change-Id: I3a665f3ba770e4acad7e7ead3f8cc557a86952cf
6 years ago
Thomas Morin 2c54cc22ef OpenFlowSwitchMixin: do not override delete_flows
With this change the delete_flow variant implementation
of OpenFlowSwitchMixin, which was overriding the parent implementation
from ovs_lib in an incompatible way using the native ryu implementation,
is renamed into uninstall_flows.

As discussed in bug 1628455, the approach consisting in
extending the _keyword dict to convert ovs-ofctl rules into ryu
parameters does not seem practical.

This change also updates calls to delete_flows so that, when
enabled, the native interface will be used.  Similar calls outside neutron
repo need to be updated as well, which will be done in separate changes.

Change-Id: I90ff1055d367609694eef975c7d084e4cd7a2cf4
Closes-Bug: 1628455
Needed-By: Idd2315565cc9c88319984d83487148bf498e91ab
6 years ago
Cady_Chen 6baedb9656 [TrivialFix] Replace 'assertTrue(a in b)' with 'assertIn(a, b)'
Change-Id: Ib0245deb33585e874724921df2b59639a6445e39
7 years ago
Sławek Kapłoński ca62e7ec9d Make ovs functional tests mutually isolated
Patch ports between br-int and br-tun have now got
randomly generated names so two different tests
shouldn't try to create ports with same name in same time.

Change-Id: I6107bc3bc2e2a504e8ec5b4f0e3abaa68d51c01f
Closes-Bug: #1625724
7 years ago
Jenkins 65a3b89116 Merge "Use more specific asserts in tests" 7 years ago
Ihar Hrachyshka 31e1aeb66b Forbid importing neutron.tests.* from outside tests subtree
neutron-sanity-check tool was importing neutron.tests.base module, which
may be not present on some systems (f.e. RDO splits neutron/tests/
subtree in a separate python-neutron-tests package). It made the tool
not usable in some setups.

This is not the first time when we by mistake import from
neutron.tests.* and break distributions. It's time to stop it by
proactively forbidding that pattern via a new hacking check.

Some functions were moved from neutron.tests.base to
neutron.common.utils to fulfill the need requirement. They were moved
using debtcollector, no current consumers should be affected.

Closes-Bug: #1621782
Change-Id: I790777ddcbd1b02218b3db54ae3d5c931d72d4fa
7 years ago
Béla Vancsics 7deba33bf3 Use more specific asserts in tests
Instead of assertTrue and assertFalse use more specific asserts.
They are compatible with Python 2.7[1] and 3.4[2]


Change-Id: I0e6cc33a54e35fe663e5cdf2b947053528a8775f
7 years ago
Brian Haley 8ec680b668 Increase default packet count to 3 in assert_ping
One packet is typically not enough to determine if
an IP is responding since the first could get dropped
during ARP resolution.  Change the default to 3 since
that should be sufficient.

Also, some callers were specifying a timeout of 5
seconds, which isn't all that useful since if the
packet never made it out, waiting longer isn't
going to help.  Let them use the default of 1.

Change-Id: I9c32b7840522fb8e1ce0ea1b2361f5d35e008aae
7 years ago
Henry Gessau 4148a347b3 Use constants from neutron-lib
With this we enable the deprecation warnings by default.

Related-Blueprint: neutron-lib

Change-Id: I5b9e53751dd164010e5bbeb15f534ac0fe2a5105
7 years ago
Kevin Benton 997d7b03fb OVS: Add mac spoofing filtering to flows
The mac-spoofing filtering done by iptables was
not adequate. See the bug report and change
I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78 for
more information.

This patch adds flows to the OVS agent to block
any traffic from the VM that isn't in the allowed
address pairs macs or the mac address field of
the port.

Closes-Bug: #1558658
Change-Id: I02984b21872e0f183db7404c10d8180dbd89075f
7 years ago
IWAMOTO Toshihiro b9a619b3f4 Add OVS flow tests
Low-level flow tests are currently done by unit tests, which call
of_interface specific APIs,  This patch adds tests that call common
APIs of of_interface drivers so that we have better chance of catching
of_interface specific breakages.

Also, update OVS_BRANCH as the older version has a bug revealed by this

Related-blueprint: ovs-ofctl-to-python
Change-Id: I0860b6bf7a7be299d8f9dbfb4b5b67a227b8e5dc
7 years ago
IWAMOTO Toshihiro 85ae853a74 Use testscenarios for OVS flow tests
testscenarios is better than subclassing.

Change-Id: I7fe3995f57c726790d23b441c73c253af8a8767b
Related-blueprint: ovs-ofctl-to-python
7 years ago
Kevin Benton 1b5fbd9d0e Collect details on ARP spoof functional failures
There seems to be some race condition or corner case in the
ARP spoofing functional tests that cause them to randomly
fail in the gate but it's difficult to reproduce them
locally. This patch adds a bunch of details on failures so
we can maybe get some hints about the unexpected state of
the bridge or interfaces that is causing the failure.

Partial-Bug: #1550623
Change-Id: I15b7ab3ce2a95d2b432239d535e3700f28ad21de
7 years ago
IWAMOTO Toshihiro f01affa093 Call Ryu's clean up function when ovs_neutron_agent.main terminates
When the of_interface=native configuration is active, Ryu's event loop
must be explicitly terminated.

Change-Id: I28779cf0da6a9b369922566998ec388679593819
Closes-bug: 1525780
7 years ago
Bhagyashri Shewale 88e899f7a0 Fix module's import order
Made corrections in import order for built-in, third party and
project specific modules as per OpenStack import standards [1].


Change-Id: I899deefd6ee4732d6c0afd17a5afbe42b0fa37ba
7 years ago
Gary Kotton 50be190b68 Use DEVICE_OWNER_* for 'network:*' constants
Now that we have the constant defined, we should reuse it from other
code to avoid potential typos.

Change-Id: Id7a941c1a461264ba44893d97cc6226f092e9888
8 years ago
sridhargaddam 1776511429 Add IPv6 Address Resolution protection
Similar to IPv4 arp protection support, this patch adds the necessary OVS
rules to prevent ports attached to agent from sending any icmpv6 neighbor
advertisement messages that contain an IPv6 address not belonging to the port.

For details please refer to "Figure 3. Attack against IPv6 Address Resolution"


Closes-Bug: #1491690
Change-Id: I1f8311f1b9ae1be02afde3e9078e49c6da373a88
8 years ago
Kevin Benton da1ac497d2 Don't setup ARP protection on OVS for network ports
Skip adding ARP spoofing protection on OVS ports with a
device_owner field starting with 'network:'. This is
already the case for the other iptables-based spoofing
protection and is necessary for floating IPs to function
correctly on router gateway ports.

Closes-Bug: #1487338
Change-Id: I32cef17ff47fd62e6db16b9083104f07239be25f
8 years ago
YAMAMOTO Takashi b3e7e21c32 OVS-agent: Introduce Ryu based OpenFlow implementation
Introduce an alternative OpenFlow implementation, "native",
implemented using Ryu ofproto python library from Ryu SDN Framework.
Make it selectable with of_driver=native agent option.
The aim is to replace the existing ovs-ofctl based implementation

It introduces node-local OpenFlow controller embedded in
OVS agent.  Benefits include:
* Reduce the overhead of invoking ovs-ofctl command (and associated
* Make future uses of OpenFlow asynchronous messages (e.g. Packet-In,
  Port-Status, etc) easier
* Make XenAPI integration simpler

* Switch to OpenFlow 1.3.
* Make OVS-agent act as an OpenFlow controller
* Configure OVS on the node to connect to the controller


Implements: blueprint ovs-ofctl-to-python
Co-Authored-by: IWAMOTO Toshihiro <>
Change-Id: I02e65ea7c6083b2c0a686fed2ab04da4d92b21a3
8 years ago
Assaf Muller 53fe9ddd6c Add a fullstack fake VM, basic connectivity test
* Full stack tests' fake VMs are represented via a namespace,
  MAC, IP address and default gateway. They're plugged to an OVS
  bridge via an OVS internal port. As opposed to the current
  fake machine class used in functional testing, this new fake
  machine also creates a Neutron port via the API and sets the
  IP and MAC according to it. It also sets additional attributes
  on the OVS port to allow the OVS agent to do its magic.
* The functional fake machine and the full stack fake machine
  should continue to share commonalities.
* The fullstack fake machine currently takes the IP address
  from the port and statically assigns it to the namespace
  device. Later when I'll add support for the DHCP agent
  in full stack testing this assignment will look for the dhcp
  attribute of the subnet and either assign the IP address
  via 'ip' or call a dhcp client.
* Added a basic L2 connectivity test between two such machines
  on the same Neutron network.
* OVSPortFixture now uses OVSInterfaceDriver to plug the port
  instead of replicate a lot of the code. I had to make a
  small change to _setup_arp_spoof_for_port since all OVS ports
  are now created with their external-ids set.

Change-Id: Ib985b7e742f58f1a6eb6fc598df3cbac31046951
8 years ago
Kevin Benton 9b23617111 Increase ping count on ARP spoof test
The other IPv4 tests all have a count of 2 to tolerate
ping failures due to slow ARP response/interface setup/etc.
This patch increases test_arp_spoof_allowed_address_pairs_0cidr
to 2 to match.

Closes-Bug: #1470234
Change-Id: I82bd8397672194f6162eef5392d4f19d57450552
8 years ago
Kyle Mestery 724c78071d Restructure agent code in preparation for decomp
This commit moves the L2 agents (Linuxbridge and OVS) into the
ML2 directory, while at the same time also moving the ML2 server
bits into toplevel directories. It also moves the configuration
files and unit tests. We also move the l2pop RPC mixin while
here as well.


Partially-Implements: blueprint reference-implementation-split
Partial-Bug: #1468433
Closes-Bug: #1427317
Change-Id: If6feca7b7a6bdd6c3c6feb929fa26fb4b1f72770
Signed-off-by: Kyle Mestery <>
8 years ago
Kevin Benton 747738d365 Skip ARP protection if in addr pairs
Don't setup ARP protection on ports with allowed address pairs
that allow them to use any IP address. This is necessary because
OVS doesn't support the /0 prefix in rules that match on ARP headers.

Related-Bug: #1461054
Closes-Bug: #1468009
Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec
8 years ago
Cedric Brandily 27df3e9fb9 Ensure no "agent" functional tests are skipped in the gate
Some "agent" functional tests[1] can be skipped if some requirements are
not satisfied in order to allow developers to run functional tests on
various environments. These tests should not be skipped in the gate.

This change defines the decorator no_skip_on_missing_deps[2] to ensure
no "agent" functional tests are skipped in the gate. More precisely
no_skip_on_missing_deps transforms a skipTest into an error in:

* dsvm-functional and dsvm-fullstack jobs,
* functional and fullstack jobs when OS_FAIL_ON_MISSING_DEPS is
  evaluated as True.

The change enlarges OS_FAIL_ON_MISSING_DEPS environment variable scope
(ie: missing dependencies + system requirements).

[1] in neutron.tests.functional
[2] in neutron.tests.common.base

Change-Id: Iacd4a5ef249fc1d7c75135ead9d0cf99d8a98a06
Closes-Bug: #1459844
8 years ago
Jakub Libosvar 753196480d Break Pinger class to functions
As the class served only for storing parameters that can be passed as
actual function parameters, there is no reason for class.

Change-Id: I553b4d6daeb78d495cda09894582a3d885b5d1b5
8 years ago
YAMAMOTO Takashi eab71473c3 OVS-agent: Separate ovs-ofctl using code as a driver
This is a preparation to introduce another Ryu-based implementation.
The aim is to replace this with the new Ryu-based implementation

Add a config option for OVS-agent which selects the implementation.
Currently, the only available choice is 'ovs-ofctl'.

Also, this commit simplifies DVR logics by reducing duplications
and makes some of DVR UTs actually check the flows rather than just
"add_flow is called".

Partially-Implements: blueprint ovs-ofctl-to-python
Change-Id: Ie1224f8a1c17268cd7d1c474ed82fdfb8852eaa8
8 years ago
Darragh O'Reilly 676db821eb ovs-agent: prevent ARP requests with faked IP addresses
This patch extends the existing ARP protection to ensure
that ARP requests also have valid IP addresses.

Closes-Bug: 1456333

Change-Id: I0b2ba21611c9fd9e304bce8cfb00259db1dceaa2
8 years ago
Kevin Benton e833d33db1 Add capability to wait for IPv6 address in ip_lib
When an IPv6 address is added to an interface, it
goes into a tentative state for a couple of seconds
for duplicate address detection. During this time,
use of the address will fail. This is an issue for
functional tests where they may add an address to
an interface and then immediately run a ping and
expect success.

This patch adds a new wait_until_address_ready function
to ip_lib that will poll the interface every 200 ms until
the status transitions off of tentative or until a time limit
is exceeded. If the time limit is exceeded, it will raise an

It also adds unit tests and updates a functional test to
make use of the new feature.

Change-Id: I2fa51e3f55847f7b5062bec0c1c666f5c11364d5
8 years ago
YAMAMOTO Takashi dbe7ba1868 OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention
The flow rules to match on ARP headers for spoofing prevention
fail to install when an IPv6 address is used. These should be
skipped since the ARP spoofing prevention doesn't apply to IPv6.

Co-authored-by: Kevin Benton <>
Closes-Bug: #1449363
Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde
8 years ago
Cedric Brandily 954b553439 Replace BaseLinuxTestCase by BaseSudoTestCase
BaseLinuxTestCase provides 2 methods which are used once/three time(s),
this change inlines these methods and removes BaseLinuxTestCase and
replaces it by BaseSudoTestCase.

Change-Id: I2b60abf55193f535fc7d7637bcb2f15c6a372a87
8 years ago
Cedric Brandily 8a4540acac Replace BaseIPVethTestCase by FakeMachine
This change removes BaseIPVethTestCase class and moves Pinger class to
allow its use from a fake machine.

Change-Id: I0636f11a327e9535828e7b52e60195e52831a0b2
8 years ago
Kevin Benton 749886eb6b Increase max attempts to 2 for pings on ARP tests
If the server under test is under heavy load, the requirement
of the very first ping passing may be too strict. This patch
increases the max attempts to 2 for the ARP spoofing tests to
give time for the OVS flow changes to take effect.

Change-Id: Ib70790da23861a8ed9c77f9c11aaf8fa41bf581c
Closes-Bug: #1443916
8 years ago
Kevin Benton aa7356b729 Add simple ARP spoofing protection
Adds an option to setup OVS rules that will prevent
ports attached to the agent from sending any ARP responses
that contain an IP address not belonging to the port
(in fixed IPs or allowed_address_pairs).

It is disabled by default and requires an OVS version that
can match on ARP fields. If it is too old, traffic will
still flow but it won't have ARP spoofing protection.
There is a sanity check to verify that ARP header matching
is supported.

This prevention is specific to OVS so it will not help with
other plugins that use the reference iptables filtering. A
non-OVS-specific general approach will require something like
the ebtables integration in Ibc6d3d520c1383cf7e00f4bdeb7853a41ac4b14b.

A new table is added for ARP spoofing prevention. All ARP traffic
on the local switching table is sent to this spoofing table.
The spoofing table will allow all ARP requests because we aren't
interested in them. It will then install an ARP response allow rule
for each IP address the port is assigned. All other ARP responses are

Partial-Bug: #1274034

Change-Id: I7c079b779245a0af6bc793564fa8a560e4226afe
8 years ago