Commit Graph

40 Commits (1c2e10f8595d2286bd9bec513bc5a346a84a6f7c)

Author SHA1 Message Date
Ihar Hrachyshka 4aeec20001 Drop of_interface option
Default value for "of_interface" config option was switched
to "native" in Pike release.
In the same release this option was deprecated to removal.
Now it's time to remove it and force use of the "native" driver to
manage OpenFlow flows.

Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <ihrachys@redhat.com>
Co-Authored-By: Slawek Kaplonski <skaplons@redhat.com>
4 years ago
Brian Haley cf37563c83 Remove deprecated vsctl ovsdb_interface api
This was deprecated in https://review.openstack.org/#/c/503070/
so remove all the vsctl-related code, leaving just the native
ovsdb api.

Also removed the renamed ovs_vsctl_timeout value, which was changed
to ovsdb_timeout in https://review.openstack.org/#/c/518391/

Change-Id: I50dfcea3deb41df1bd01fd06b76522453a6ba50b
5 years ago
IWAMOTO Toshihiro 2180bd902c of_interface: Implement bundled() method
Change-Id: Ie0de8309cdbed02fa88887e7fe25e8b3a2c0afe1
Related-blueprint: ovs-ofctl-to-python
5 years ago
IWAMOTO Toshihiro 3f4bceecaa of_interface: allow install_instructions to accept string actions
Other than the of_interface methods, today we are forced to use ovs_lib
methods to program flows, which call ovs-ofctl in turn. Let's make
install_instructions accept string actions regardless of of_interface
driver.

Related-bug: #1672340
Change-Id: Ie2fdeab1f4ac567ef336abae03768e43f426311a
6 years ago
Jakub Libosvar 330ebbb1b1 functional-tests: Make addresses for tunneling unique
OVS can hold only one tunnel with the same endpoints. Some tests had
hardcoded values for both tunnel endpoints, which made them unable to run
in a parallel manner.

This patch always takes an exclusive address using the resource allocator.

Change-Id: If81296d54656551b24917d561f235edb96a6c2df
Closes-bug: #1697533
6 years ago
Thomas Morin d761d26225 delete_flows shall only touch flows with the bridge cookie
With this change delete_flows will only remove flows matching the default
cookie of the bridge.

The uninstall_flows implementation in the native bridge is also modified
to touch only the flows with the bridge cookie.

To still allow deletion of all cookies, cookie=COOKIE_ANY is introduced
as a special value, and used in the agent code in the places where the
intent is indeed to clean all flows whatever their cookie is.

Partial-Bug: #1557620
Change-Id: Idd0531cedda87224531cb8fb6a912ccd0f1554d5
6 years ago
Jenkins 4ded53918f Merge "functional: Stop compiling OVS from source"
6 years ago
Jakub Libosvar 7210696702 functional: Stop compiling OVS from source
There is a bug, 1640283, fixed in OVS 2.5.1, but currently we ship Neutron
with openvswitch 2.5.0. The patch adds a decorator that skips particular
tests in case the minimal version requirement is not met.

Change-Id: I3a665f3ba770e4acad7e7ead3f8cc557a86952cf
6 years ago
Thomas Morin 2c54cc22ef OpenFlowSwitchMixin: do not override delete_flows
With this change the delete_flow variant implementation
of OpenFlowSwitchMixin, which was overriding the parent implementation
from ovs_lib in an incompatible way using the native ryu implementation,
is renamed to uninstall_flows.

As discussed in bug 1628455, the approach consisting of
extending the _keyword dict to convert ovs-ofctl rules into ryu
parameters does not seem practical.

This change also updates calls to delete_flows so that, when
enabled, the native interface will be used. Similar calls outside the neutron
repo need to be updated as well, which will be done in separate changes.

Change-Id: I90ff1055d367609694eef975c7d084e4cd7a2cf4
Closes-Bug: 1628455
Needed-By: Idd2315565cc9c88319984d83487148bf498e91ab
6 years ago
Cady_Chen 6baedb9656 [TrivialFix] Replace 'assertTrue(a in b)' with 'assertIn(a, b)'
Change-Id: Ib0245deb33585e874724921df2b59639a6445e39
7 years ago
Sławek Kapłoński ca62e7ec9d Make ovs functional tests mutually isolated
Patch ports between br-int and br-tun now have
randomly generated names, so two different tests
shouldn't try to create ports with the same name at the same time.

Change-Id: I6107bc3bc2e2a504e8ec5b4f0e3abaa68d51c01f
Closes-Bug: #1625724
7 years ago
Jenkins 65a3b89116 Merge "Use more specific asserts in tests"
7 years ago
Ihar Hrachyshka 31e1aeb66b Forbid importing neutron.tests.* from outside tests subtree
The neutron-sanity-check tool was importing the neutron.tests.base module, which
may not be present on some systems (e.g. RDO splits the neutron/tests/
subtree into a separate python-neutron-tests package). This made the tool
unusable in some setups.

https://bugzilla.redhat.com/show_bug.cgi?id=1374282

This is not the first time we have imported from
neutron.tests.* by mistake and broken distributions. It's time to stop it by
proactively forbidding that pattern via a new hacking check.

Some functions were moved from neutron.tests.base to
neutron.common.utils to fulfill the new requirement. They were moved
using debtcollector, so no current consumers should be affected.

Closes-Bug: #1621782
Change-Id: I790777ddcbd1b02218b3db54ae3d5c931d72d4fa
7 years ago
Béla Vancsics 7deba33bf3 Use more specific asserts in tests
Instead of assertTrue and assertFalse use more specific asserts.
They are compatible with Python 2.7[1] and 3.4[2]

[1]: https://docs.python.org/2.7/library/unittest.html
[2]: https://docs.python.org/3.4/library/unittest.html

Change-Id: I0e6cc33a54e35fe663e5cdf2b947053528a8775f
7 years ago
Brian Haley 8ec680b668 Increase default packet count to 3 in assert_ping
One packet is typically not enough to determine if
an IP is responding since the first could get dropped
during ARP resolution.  Change the default to 3 since
that should be sufficient.

Also, some callers were specifying a timeout of 5
seconds, which isn't all that useful since if the
packet never made it out, waiting longer isn't
going to help.  Let them use the default of 1.

Change-Id: I9c32b7840522fb8e1ce0ea1b2361f5d35e008aae
7 years ago
Henry Gessau 4148a347b3 Use constants from neutron-lib
With this we enable the deprecation warnings by default.

Related-Blueprint: neutron-lib

Change-Id: I5b9e53751dd164010e5bbeb15f534ac0fe2a5105
7 years ago
Kevin Benton 997d7b03fb OVS: Add mac spoofing filtering to flows
The mac-spoofing filtering done by iptables was
not adequate. See the bug report and change
I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78 for
more information.

This patch adds flows to the OVS agent to block
any traffic from the VM that isn't in the allowed
address pairs macs or the mac address field of
the port.

Closes-Bug: #1558658
Change-Id: I02984b21872e0f183db7404c10d8180dbd89075f
7 years ago
IWAMOTO Toshihiro b9a619b3f4 Add OVS flow tests
Low-level flow tests are currently done by unit tests, which call
of_interface-specific APIs. This patch adds tests that call common
APIs of of_interface drivers so that we have a better chance of catching
of_interface-specific breakages.

Also, update OVS_BRANCH as the older version has a bug revealed by this
test.

Related-blueprint: ovs-ofctl-to-python
Change-Id: I0860b6bf7a7be299d8f9dbfb4b5b67a227b8e5dc
7 years ago
IWAMOTO Toshihiro 85ae853a74 Use testscenarios for OVS flow tests
testscenarios is better than subclassing.

Change-Id: I7fe3995f57c726790d23b441c73c253af8a8767b
Related-blueprint: ovs-ofctl-to-python
7 years ago
Kevin Benton 1b5fbd9d0e Collect details on ARP spoof functional failures
There seems to be some race condition or corner case in the
ARP spoofing functional tests that causes them to randomly
fail in the gate, but it's difficult to reproduce them
locally. This patch adds a bunch of details on failures so
we can maybe get some hints about the unexpected state of
the bridge or interfaces that is causing the failure.

Partial-Bug: #1550623
Change-Id: I15b7ab3ce2a95d2b432239d535e3700f28ad21de
7 years ago
IWAMOTO Toshihiro f01affa093 Call Ryu's clean up function when ovs_neutron_agent.main terminates
When the of_interface=native configuration is active, Ryu's event loop
must be explicitly terminated.

Change-Id: I28779cf0da6a9b369922566998ec388679593819
Closes-bug: 1525780
7 years ago
Bhagyashri Shewale 88e899f7a0 Fix module's import order
Made corrections in import order for built-in, third party and
project specific modules as per OpenStack import standards [1].

[1] http://docs.openstack.org/developer/hacking/#import-order-template

Change-Id: I899deefd6ee4732d6c0afd17a5afbe42b0fa37ba
7 years ago
Gary Kotton 50be190b68 Use DEVICE_OWNER_* for 'network:*' constants
Now that we have the constant defined, we should reuse it from other
code to avoid potential typos.

Change-Id: Id7a941c1a461264ba44893d97cc6226f092e9888
8 years ago
sridhargaddam 1776511429 Add IPv6 Address Resolution protection
Similar to the IPv4 ARP protection support, this patch adds the necessary OVS
rules to prevent ports attached to the agent from sending any ICMPv6 neighbor
advertisement messages that contain an IPv6 address not belonging to the port.

For details please refer to "Figure 3. Attack against IPv6 Address Resolution"
http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html

DocImpact
SecurityImpact

Closes-Bug: #1491690
Change-Id: I1f8311f1b9ae1be02afde3e9078e49c6da373a88
8 years ago
Kevin Benton da1ac497d2 Don't setup ARP protection on OVS for network ports
Skip adding ARP spoofing protection on OVS ports with a
device_owner field starting with 'network:'. This is
already the case for the other iptables-based spoofing
protection and is necessary for floating IPs to function
correctly on router gateway ports.

Closes-Bug: #1487338
Change-Id: I32cef17ff47fd62e6db16b9083104f07239be25f
8 years ago
YAMAMOTO Takashi b3e7e21c32 OVS-agent: Introduce Ryu based OpenFlow implementation
Introduce an alternative OpenFlow implementation, "native",
implemented using the Ryu ofproto Python library from the Ryu SDN Framework.
Make it selectable with the of_driver=native agent option.
The aim is to replace the existing ovs-ofctl based implementation
eventually.

It introduces a node-local OpenFlow controller embedded in the
OVS agent. Benefits include:
* Reduce the overhead of invoking ovs-ofctl command (and associated
  rootwrap)
* Make future uses of OpenFlow asynchronous messages (e.g. Packet-In,
  Port-Status, etc) easier
* Make XenAPI integration simpler

Highlights:
* Switch to OpenFlow 1.3.
* Make OVS-agent act as an OpenFlow controller
* Configure OVS on the node to connect to the controller

DocImpact

Implements: blueprint ovs-ofctl-to-python
Co-Authored-by: IWAMOTO Toshihiro <iwamoto@valinux.co.jp>
Change-Id: I02e65ea7c6083b2c0a686fed2ab04da4d92b21a3
8 years ago
Assaf Muller 53fe9ddd6c Add a fullstack fake VM, basic connectivity test
* Full stack tests' fake VMs are represented via a namespace,
  MAC, IP address and default gateway. They're plugged to an OVS
  bridge via an OVS internal port. As opposed to the current
  fake machine class used in functional testing, this new fake
  machine also creates a Neutron port via the API and sets the
  IP and MAC according to it. It also sets additional attributes
  on the OVS port to allow the OVS agent to do its magic.
* The functional fake machine and the full stack fake machine
  should continue to share commonalities.
* The fullstack fake machine currently takes the IP address
  from the port and statically assigns it to the namespace
  device. Later when I'll add support for the DHCP agent
  in full stack testing this assignment will look for the dhcp
  attribute of the subnet and either assign the IP address
  via 'ip' or call a dhcp client.
* Added a basic L2 connectivity test between two such machines
  on the same Neutron network.
* OVSPortFixture now uses OVSInterfaceDriver to plug the port
  instead of replicating a lot of the code. I had to make a
  small change to _setup_arp_spoof_for_port since all OVS ports
  are now created with their external-ids set.

Change-Id: Ib985b7e742f58f1a6eb6fc598df3cbac31046951
8 years ago
Kevin Benton 9b23617111 Increase ping count on ARP spoof test
The other IPv4 tests all have a count of 2 to tolerate
ping failures due to slow ARP response/interface setup/etc.
This patch increases test_arp_spoof_allowed_address_pairs_0cidr
to 2 to match.

Closes-Bug: #1470234
Change-Id: I82bd8397672194f6162eef5392d4f19d57450552
8 years ago
Kyle Mestery 724c78071d Restructure agent code in preparation for decomp
This commit moves the L2 agents (Linuxbridge and OVS) into the
ML2 directory, while at the same time also moving the ML2 server
bits into toplevel directories. It also moves the configuration
files and unit tests. We also move the l2pop RPC mixin while
here as well.

DocImpact
UpgradeImpact

Partially-Implements: blueprint reference-implementation-split
Partial-Bug: #1468433
Closes-Bug: #1427317
Change-Id: If6feca7b7a6bdd6c3c6feb929fa26fb4b1f72770
Signed-off-by: Kyle Mestery <mestery@mestery.com>
8 years ago
Kevin Benton 747738d365 Skip ARP protection if 0.0.0.0/0 in addr pairs
Don't setup ARP protection on ports with allowed address pairs
that allow them to use any IP address. This is necessary because
OVS doesn't support the /0 prefix in rules that match on ARP headers.

Related-Bug: #1461054
Closes-Bug: #1468009
Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec
8 years ago
Cedric Brandily 27df3e9fb9 Ensure no "agent" functional tests are skipped in the gate
Some "agent" functional tests[1] can be skipped if some requirements are
not satisfied in order to allow developers to run functional tests on
various environments. These tests should not be skipped in the gate.

This change defines the decorator no_skip_on_missing_deps[2] to ensure
no "agent" functional tests are skipped in the gate. More precisely
no_skip_on_missing_deps transforms a skipTest into an error in:

* dsvm-functional and dsvm-fullstack jobs,
* functional and fullstack jobs when OS_FAIL_ON_MISSING_DEPS is
  evaluated as True.

The change enlarges the OS_FAIL_ON_MISSING_DEPS environment variable scope
(i.e. missing dependencies + system requirements).

[1] in neutron.tests.functional
[2] in neutron.tests.common.base

Change-Id: Iacd4a5ef249fc1d7c75135ead9d0cf99d8a98a06
Closes-Bug: #1459844
8 years ago
Jakub Libosvar 753196480d Break Pinger class to functions
As the class served only for storing parameters that can be passed as
actual function parameters, there is no reason for a class.

Change-Id: I553b4d6daeb78d495cda09894582a3d885b5d1b5
8 years ago
YAMAMOTO Takashi eab71473c3 OVS-agent: Separate ovs-ofctl using code as a driver
This is a preparation to introduce another Ryu-based implementation.
The aim is to replace this with the new Ryu-based implementation
eventually.

Add a config option for OVS-agent which selects the implementation.
Currently, the only available choice is 'ovs-ofctl'.

Also, this commit simplifies DVR logic by reducing duplication
and makes some of the DVR UTs actually check the flows rather than just
"add_flow is called".

Partially-Implements: blueprint ovs-ofctl-to-python
Change-Id: Ie1224f8a1c17268cd7d1c474ed82fdfb8852eaa8
8 years ago
Darragh O'Reilly 676db821eb ovs-agent: prevent ARP requests with faked IP addresses
This patch extends the existing ARP protection to ensure
that ARP requests also have valid IP addresses.

Closes-Bug: 1456333

Change-Id: I0b2ba21611c9fd9e304bce8cfb00259db1dceaa2
8 years ago
Kevin Benton e833d33db1 Add capability to wait for IPv6 address in ip_lib
When an IPv6 address is added to an interface, it
goes into a tentative state for a couple of seconds
for duplicate address detection. During this time,
use of the address will fail. This is an issue for
functional tests where they may add an address to
an interface and then immediately run a ping and
expect success.

This patch adds a new wait_until_address_ready function
to ip_lib that will poll the interface every 200 ms until
the status transitions off of tentative or until a time limit
is exceeded. If the time limit is exceeded, it will raise an
exception.

It also adds unit tests and updates a functional test to
make use of the new feature.

Change-Id: I2fa51e3f55847f7b5062bec0c1c666f5c11364d5
8 years ago
YAMAMOTO Takashi dbe7ba1868 OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention
The flow rules to match on ARP headers for spoofing prevention
fail to install when an IPv6 address is used. These should be
skipped since the ARP spoofing prevention doesn't apply to IPv6.

Co-authored-by: Kevin Benton <blak111@gmail.com>
Closes-Bug: #1449363
Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde
8 years ago
Cedric Brandily 954b553439 Replace BaseLinuxTestCase by BaseSudoTestCase
BaseLinuxTestCase provides 2 methods which are used once/three time(s).
This change inlines these methods and removes BaseLinuxTestCase,
replacing it with BaseSudoTestCase.

Change-Id: I2b60abf55193f535fc7d7637bcb2f15c6a372a87
8 years ago
Cedric Brandily 8a4540acac Replace BaseIPVethTestCase by FakeMachine
This change removes BaseIPVethTestCase class and moves Pinger class to
allow its use from a fake machine.

Change-Id: I0636f11a327e9535828e7b52e60195e52831a0b2
8 years ago
Kevin Benton 749886eb6b Increase max attempts to 2 for pings on ARP tests
If the server under test is under heavy load, the requirement
of the very first ping passing may be too strict. This patch
increases the max attempts to 2 for the ARP spoofing tests to
give time for the OVS flow changes to take effect.

Change-Id: Ib70790da23861a8ed9c77f9c11aaf8fa41bf581c
Closes-Bug: #1443916
8 years ago
Kevin Benton aa7356b729 Add simple ARP spoofing protection
Adds an option to set up OVS rules that will prevent
ports attached to the agent from sending any ARP responses
that contain an IP address not belonging to the port
(in fixed IPs or allowed_address_pairs).

It is disabled by default and requires an OVS version that
can match on ARP fields. If it is too old, traffic will
still flow but it won't have ARP spoofing protection.
There is a sanity check to verify that ARP header matching
is supported.

This prevention is specific to OVS so it will not help with
other plugins that use the reference iptables filtering. A
non-OVS-specific general approach will require something like
the ebtables integration in Ibc6d3d520c1383cf7e00f4bdeb7853a41ac4b14b.

Details:
A new table is added for ARP spoofing prevention. All ARP traffic
on the local switching table is sent to this spoofing table.
The spoofing table will allow all ARP requests because we aren't
interested in them. It will then install an ARP response allow rule
for each IP address the port is assigned. All other ARP responses are
dropped.

DocImpact
SecurityImpact
Partial-Bug: #1274034

Change-Id: I7c079b779245a0af6bc793564fa8a560e4226afe
8 years ago
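The ARP spoofing protection described across several of the commits above (the spoof table introduced in "Add simple ARP spoofing protection", extended to requests in "prevent ARP requests with faked IP addresses", and the skip conditions from "Skip ARP protection if 0.0.0.0/0 in addr pairs", "Ignore IPv6 addresses for ARP spoofing prevention" and "Don't setup ARP protection on OVS for network ports") can be modelled as a small flow generator plus a rule evaluator. The following is an added example written for this page; it is not Neutron's own agent code. The flow strings use real ovs-ofctl match and action syntax (in_port, arp, arp_spa, resubmit, NORMAL, drop), but the table numbers, priorities, the function names and the sample port data are assumptions made up for the illustration.

```python
import ipaddress

# Assumed table numbers for this illustration; Neutron's real OVS agent
# uses its own table layout, which is not reproduced here.
LOCAL_SWITCHING_TABLE = 0
ARP_SPOOF_TABLE = 24


def arp_protection_flows(ofport, fixed_ips, allowed_address_pairs, device_owner):
    """Build ovs-ofctl style ARP protection flows for one port.

    Returns (skip_reason, flows). skip_reason is None when protection is
    installed; otherwise it names why the agent leaves the port unprotected
    (and flows is empty, so ARP from that port is not filtered at all).
    """
    # Ports owned by the network itself (routers, DHCP) are skipped, as the
    # iptables-based protection already does; floating IPs on gateway ports
    # would otherwise break.
    if device_owner.startswith("network:"):
        return "network: owned port", []

    candidates = list(fixed_ips) + [pair["ip_address"] for pair in allowed_address_pairs]
    networks = []
    for cidr in candidates:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 6:
            # ARP is IPv4 only; IPv6 address resolution is covered by
            # separate neighbor advertisement rules, not by these flows.
            continue
        if net.prefixlen == 0:
            # OVS cannot match arp_spa against a /0 prefix, and a port that
            # may use any IP has nothing to protect anyway.
            return "0.0.0.0/0 in allowed address pairs", []
        networks.append(net)

    # All ARP from the port leaves the local switching table for the spoof table.
    flows = [
        f"table={LOCAL_SWITCHING_TABLE},priority=10,in_port={ofport},arp,"
        f"actions=resubmit(,{ARP_SPOOF_TABLE})"
    ]
    # One allow rule per address (or allowed CIDR) the port may legitimately
    # claim as ARP sender; both requests and replies are checked.
    for net in networks:
        spa = str(net.network_address) if net.prefixlen == 32 else str(net)
        flows.append(
            f"table={ARP_SPOOF_TABLE},priority=2,in_port={ofport},arp,"
            f"arp_spa={spa},actions=NORMAL"
        )
    # Anything else claiming to be a different sender is dropped.
    flows.append(f"table={ARP_SPOOF_TABLE},priority=1,in_port={ofport},arp,actions=drop")
    return None, flows


def _parse_flow(flow):
    """Split one flow string into its match fields and its actions."""
    match_part, actions = flow.split(",actions=")
    fields = {"actions": actions}
    for token in match_part.split(","):
        key, _, value = token.partition("=")
        fields[key] = value if value else True
    return fields


def arp_frame_verdict(flows, ofport, arp_spa):
    """Resolve an ARP frame (from ofport, claiming sender IP arp_spa) against
    the spoof table: the highest-priority matching rule wins. Returns its action."""
    spa = ipaddress.ip_address(arp_spa)
    rules = [
        r for r in (_parse_flow(f) for f in flows)
        if r.get("table") == str(ARP_SPOOF_TABLE) and r.get("in_port") == str(ofport)
    ]
    for rule in sorted(rules, key=lambda r: int(r["priority"]), reverse=True):
        if "arp_spa" in rule and spa not in ipaddress.ip_network(rule["arp_spa"]):
            continue
        return rule["actions"]
    # No spoof-table rules for this port: the frame is switched normally,
    # which is exactly the "traffic will still flow" case for skipped ports.
    return "NORMAL"


if __name__ == "__main__":
    # Constructed sample port: one fixed IP, one allowed CIDR, one IPv6 pair.
    reason, flows = arp_protection_flows(
        5, ["10.0.0.5"],
        [{"ip_address": "10.1.0.0/24"}, {"ip_address": "2001:db8::5"}],
        "compute:nova",
    )
    for f in flows:
        print("ovs-ofctl add-flow br-int", repr(f))
    print(arp_frame_verdict(flows, 5, "10.0.0.5"))   # NORMAL
    print(arp_frame_verdict(flows, 5, "10.0.0.6"))   # drop
```

The evaluator only looks at the spoof table for the port's own in_port, so a frame from a port that was skipped (network: owner or a /0 allowed pair) falls through to NORMAL, matching the behaviour the commit messages describe; the generated strings can be pasted into `ovs-ofctl add-flow` on a bridge whose table numbers match the assumed ones.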