The OVS Firewall has a singleton class that manages the conjunction IDs
used in the OF rules. Those conjunctions are used to group rules
related to remote security group IDs.
Now each time the OVS agent is started, the OVS Firewall initial
conjunction ID is calculated based on the present OF rules. This value
and the next one used won't clash with any present rule in the
integration bridge during the initial transient period.
Related-Bug: #1934917
Change-Id: Ie2e4441f766947a2164dec2d1555c7049428903f
(cherry picked from commit 0634dcc6d0)
Neighbor Advertisements are used to inform other machines of the MAC
address to use to reach an IPv6 address. This commit prevents VMs from
pretending they are assigned IPv6 addresses they should not use.
It also prevents sending UDP packets with spoofed IP or MAC even using
DHCP(v6) request ports.
Co-authored-by: David Sinquin <david.sinquin@gandi.net>
Closes-bug: #1902917
Change-Id: Iffb6643359562487414460f5a7e19a7fae9f935c
(cherry picked from commit ca7822e210)
Before that patch it was possible to send ICMPv6 packets like e.g.
neutron_lib.constants.ICMPV6_TYPE_MLD_QUERY,
neutron_lib.constants.ICMPV6_TYPE_RS,
neutron_lib.constants.ICMPV6_TYPE_NS,
neutron_lib.constants.ICMPV6_TYPE_NA
That could cause security issues, as an instance could advertise
that it owns an IPv6 address which really doesn't belong to it.
Now the rules in table=71 which allow that traffic are "per mac/ipaddress"
and are allowed only for the fixed IPs allocated to the port and the port's
allowed_address_pairs.
Closes-Bug: #1902917
Change-Id: I4749fdc6a6cabd253b971bf4010ff76f5593c59c
(cherry picked from commit 4b5bcff64c)
When a security group is removed from a port, connections
established to/from the port which were hitting some of the removed SG
rules will be marked with CT_MARK_INVALID in the conntrack table.
Due to that, such existing connections will be stopped.
But then, if the SG is added again to the port, those conntrack entries
marked as invalid will not be removed and those hung connections will
not be revived.
To fix that, this patch adds deletion of the conntrack entries marked
with CT_MARK_INVALID and related to the port whose SGs are
updated/added.
Closes-Bug: #1915530
Change-Id: I84718b8ac4d8d6e39426e1c4485c2d7fe28185dd
(cherry picked from commit 1e220d7136)
Currently, when deleting a remote-group's member IPs, the deleted IPs'
conjunctive flows are not cleaned up in the OF tables. This is because
the conjunctive flows' cookies don't match the OVSBridge default
cookie used by the delete flow method. This patch fixes the issue by
using an ANY cookie that can always match the cookies of the
conjunctive flows.
Change-Id: I74916acf8311989dca267f23261ec4cf449a6abf
Closes-Bug: 1907491
(cherry picked from commit f4b64e519c)
When any port in the OVS agent is using a security group (SG) and
this SG is removed, it is marked to be deleted. This deletion process
is done in [1].
The SG deletion process consists of removing any reference to this SG
from the firewall and the SG port map. The firewall removes this SG in
[2].
The information of a SG is stored in:
* ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the
conjunction IDs (conj_ids) in a dictionary using the following keys:
ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype,
conj_ids)] = conj_id_XXX
* ConjIPFlowManager.conj_ids is a nested dictionary, built in the
following way:
self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = \
set([conj_id_1, conj_id_2, ...])
This patch stores all conjunction IDs generated and assigned to the
tuple (sg_id, remote_sg_id, direction, ethertype). When a SG is
removed, the deletion method will look for this SG in the new storage
variable created, ConjIdMap.id_map_group, and will mark all the
related conjunction IDs to be removed. That will clean up those rules
left in OVS matching:
action=conjunction(conj_id, 1/2)
[1]118930f03d/neutron/agent/linux/openvswitch_firewall/firewall.py (L731)
[2]118930f03d/neutron/agent/linux/openvswitch_firewall/firewall.py (L399)
Change-Id: I63e446a30cf10e7bcd34a6f0d6ba1711301efcbe
Related-Bug: #1881157
(cherry picked from commit 0eebd002cc)
Currently the code only supports associating tunnel networks and VLAN
networks with a DVR router. This patch adds code that makes flat networks
associate with a DVR router and work correctly.
The patch also removes two unused constant entries: 'FLAT_VLAN_ID' and
'LOCAL_VLAN_ID'.
Change-Id: I7d792ce288d96548298f169748565266a130bd86
Closes-Bug: #1876092
(cherry picked from commit cd721a7dcb)
When adding the allowed-address-pair 0.0.0.0/0 to one port, it will
unexpectedly open all other ports' protocols under the same security
group. IPv6 has the same problem.
The root cause is the openflow rules calculation of the
security group: it will unexpectedly allow all IP (4 & 6)
traffic to get through.
For the openvswitch openflow firewall, this patch adds a source
MAC address match for the allowed-address-pair which has
prefix length 0, which means all ethernet packets from this
MAC will be accepted. That exactly meets the requirement of
accepting any IP address from the configured VM.
Test results show that the remote security group and
allowed address pair work:
1. A port with a 0.0.0.0/0 allowed-address-pair could send any
IP (src) packet out.
2. A port with an x.x.x.x/y allowed-address-pair could be accepted
by those VMs under the same security group.
3. Ports under the same network can reach each other (remote
security group).
4. A protocol port number could be accessed only when there
is a related rule.
Closes-bug: #1867119
Change-Id: I2e3aa7c400d7bb17cc117b65faaa160b41013dde
A security group can have a state of empty ports but non-empty members. So
we need to skip the flow update only when the members dict is empty.
Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
Closes-Bug: #1862703
Related-Bug: #1854131
Do not flood the packets to the bridge; since we have the
bridge port list, we can add a simple direct flow to
the right port only.
Closes-Bug: #1732067
Related-Bug: #1841622
Change-Id: I14fefe289a19b718b247bf0740ca9bc47f8903f4
During e.g. migration or shelve of a VM it may happen that
a port update event is sent to the OVS agent and, at almost
the same time, the port is removed from br-int.
In such a case, during the update_port_filter method the openvswitch firewall
driver will not find the port in br-int, and it will do nothing with it.
That will lead to leftover rules for this port in br-int.
So this patch adds a call to the remove_port_filter() method if the port was
not found in br-int, just to be sure that there are no leftovers
from the port in br-int anymore.
Change-Id: I06036ce5fe15d91aa440dc340a70dd27ae078c53
Closes-Bug: #1850557
Only checking the sg object is not enough; we should also
check whether the sg's ports is {} or not. Otherwise the old conjunction
will still exist.
Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
Closes-Bug: #1854131
For vlan type network, we add a segment match flow
to the openflow security group ingress table. Then
the packets will be recorded in conntrack table, and
the reply packets can be processed properly.
Change-Id: Ieded0654d0ad16235ec923b822dcd842bd7735e5
Closes-Bug: #1831534
When "FirewallDriver.process_trusted_ports" is called with many ports,
"_initialize_egress_no_port_security" retrieves the VIF ports
("Interface" registers in the OVS DB), one per iteration, based on the
port_id. Instead of this procedure, if the DB is called only once to
retrieve all the VIF ports, the performance increase is noticeable.
E.g.: bridge with 1000 ports and interfaces.
Retrieving 100 ports:
- Bulk operation: 0.08 secs
- Loop operation: 5.6 secs
Retrieving 1000 ports:
- Bulk operation: 0.08 secs
- Loop operation: 59 secs
Closes-Bug: #1836095
Related-Bug: #1836023
Change-Id: I5b259717c0fdb8991f1df86b1ef4fb8ad0f18e70
In some debuggers (Pycharm), when OVSFirewallDriver is loaded,
the project configuration is not fully populated and does not
include some variables, e.g.:
cfg.CONF.SECURITYGROUP.permitted_ethertypes.
This will generate a configuration exception:
oslo_config.cfg.NoSuchOptError: no such option SECURITYGROUP in group
[DEFAULT]
By loading the SG groups options before the OVSFirewallDriver class, we
can solve this issue.
Trivial-Fix
Change-Id: I96580635b8a21f68df86b302e528d622ba3cfffc
Default value for "of_interface" config option was switched
to "native" in Pike release.
In the same release this option was deprecated to removal.
Now it's time to remove it and force use of "native" driver to
manage openflows.
Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <ihrachys@redhat.com>
Co-Authored-By: Slawek Kaplonski <skaplons@redhat.com>
The current code will remove the port from sg_port_map, but then it
won't be added back into the map; when we resize/migrate this instance,
the related openflow won't be deleted, which will cause a VM connectivity
problem.
Closes-Bug: #1825295
Change-Id: I94ddddda3c1960d43893c7a367a81279d429e469
All of the externally consumed variables from neutron.common.constants
now live in neutron-lib. This patch removes neutron.common.constants
and switches all uses over to lib.
NeutronLibImpact
Depends-On: https://review.openstack.org/#/c/647836/
Change-Id: I3c2f28ecd18996a1cee1ae3af399166defe9da87
When the ovs-vswitchd process is restarted on a host, neutron-ovs-agent
can properly handle that and recover the openflow and bridge config.
But when the ovs firewall driver is used, it wasn't reinitialized,
so some OF rules were missing in br-int and connectivity
to/from instances was broken.
This patch adds reinitialization of the firewall in such a case so
all OF rules are properly reconfigured and connectivity is
restored.
Change-Id: I8d525bbe48216fef4da890582b8e198933a27833
Closes-Bug: 1805808
Because the update operation updates openflow rules three times:
1) New rules with new cookie
2) Delete old rules with old cookie
3) Change new cookie back to old cookie
and step 2) uses the --strict parameter, it's necessary to apply rules
before deleting the old rules, because the --strict parameter cannot be
combined with non-strict. This patch applies openflow rules after
step 1); then the --strict rules in step 2) are applied right away, and then
the rest of the delete part from 2) and all new rules from 3) are applied
together.
This patch adds an optional interval parameter to the Pinger class which sends
more ICMP packets per second in the firewall blink tests to increase the
chance of sending a packet while the firewall is in an inconsistent state.
Change-Id: I25d9c87225feda1b5ddd442dd01529424186e05b
Closes-bug: #1708731
Previously, when a security group was updated for a given port, the firewall
removed all flows related to the port and added new rules. That
introduced a time window where there were no rules for the port.
This patch adds a new mechanism using cookies that can be described in
three states:
1) Create new openflow rules with a non-default cookie that is considered
an update cookie. All newly generated flows will be added with the next
cookie and all existing rules with the default cookie are rewritten with the
default cookie.
2) Delete all rules for the given port with the old default cookie. This
will leave the newly added rules in place.
3) Update the newly added flows with the update cookie back to the default
cookie in order to avoid such flows being cleaned on the next restart of the
ovs agent, as it looks for stale flows.
Change-Id: I85d9e49c24ee7c91229b43cd329c42149637f254
Closes-bug: #1708731
The EGRESS_DIRECTION and INGRESS_DIRECTION constants live in neutron-lib
now. This patch removes them from neutron and uses lib's version of
them.
NeutronLibImpact
Change-Id: I1b81f5c3de9e6f2c0967c2db23ddb716ee7ec6b9
In patch [1] the ovs firewall driver was changed and the update_port_filter()
method was not trying to initialize port flows in the case when
OVSFWPortNotFound is raised.
Without that, when e.g. an instance is hard rebooted and the of_port
number is changed, firewall openflow rules were not initialized
for such a port and there was no connectivity to such a VM.
[1] https://review.openstack.org/#/c/531414/
Change-Id: I6d917cbac61293e9a956a2efcd9f2b720e4cac95
Closes-Bug: #1747709
The firewall won't attempt, on update, to initialize a port in case the
port hasn't been initialized by sg_agent yet. This fixes a race where the update
rpc call arrives between wiring the tap device to the integration bridge and
firewall initialization.
Change-Id: Ice0667df606ae23061acebceea23ab6e49dadbcf
Closes-bug: #1740885
The patch creates tables where other services using openflow can
implement rules for further packet processing. 3 new tables were created
for packets accepted by the egress pipeline, packets accepted by the ingress
pipeline, and packets dropped by the firewall.
Partially-implements: blueprint security-group-logging
Related-Bug: #1468366
Change-Id: I7900126de235ee9df902bef9556879f586d33ae8
The OpenFlow spec says packets shouldn't match against multiple flows
at the same priority or the result is undefined. In ovsfw, 8 priority
levels are needed to comply with this rule.
Note: unlike overlapping TCP port ranges cases, the current version
of OVS seems to handle this case magically.
Change-Id: I6deaee8dbe81453285b1fc685282952bc9456949
Closes-bug: #1708092
ovsfw ignored port_ranges when a SG rule protocol was sctp or was given
as a number rather than a token. This commit fixes that.
Change-Id: I6c810a152990246d42d98c3673c4b5ee126ebb4b
Closes-bug: #1708580
Similarly to filtered ports, this patch caches so-called trusted ports to
avoid processing in case an unknown port is passed down to the firewall
driver. The cached ofport is used for removal as the cache reflects
the currently installed flows.
The patch also catches an exception caused by an inconsistency coming from
ovsdb.
Closes-bug: #1707339
Change-Id: I15cdb28072835fcb8c37ae4b56fc8754375a807c
The current ovsfw implementation does not take care of MACs in
allowed_address_pairs that differ from the VM's MAC.
This patch uses the following method to fix this issue:
1. Do not check dl_src in table=72 because table=71 has already checked
dl_src for Egress.
2. Add all allowed MACs in table=0 and table=73 for Ingress.
3. Do not check dl_dst in table=82 because this check has been done
in table=0 and table=73.
4. Delete allowed MACs in table=0 and table=73 when needed.
Change-Id: Iad59096f0c9855ebfd4a0d5b447e73b443d66c1d
Closes-Bug: #1697593
The patch relies on the fact that traffic not coming from an instance
(and thus from a port not managed by the firewall) is tagged. Traffic coming from
the instance is not tagged and thus a net register is used for marking
such traffic. These two approaches make matching rules unique even if
two ports from different networks share their MAC addresses.
Traffic coming from trusted ports is marked with the network in a register
so the firewall can decide later which network the traffic belongs to.
Closes-bug: #1626010
Change-Id: Ia05d75a01b0469a0eaa82ada67b16a9481c50f1c
This change moves the strip_vlan action from RULES_INGRESS/82 to
TRANSIENT_TABLE, after the point where the traffic from local VM ports
has been moved to BASE_EGRESS. A reason for this move is that strip_vlan
is only needed for traffic *not* coming from VM ports and coming on a
patch port from br-*, and that it is hence simpler to do the strip_vlan
in TRANSIENT_TABLE rather than in multiple places that also happen to be
common with traffic from local VMs.
This change also addresses another need:
I16a35b5d6c54901899d24fc94bd3438c1f1be05e results in add_flow being
possibly done with an Openflow version higher than OF1.0. The
strip_vlan action as currently done is not compatible with OF>1.0, because
later versions require matching on dl_vlan first (the "strip vlan if
there is one" behavior of OF1.0 is not supported anymore). For this
reason this change adds a match on dl_vlan for the strip_vlan rule.
Change-Id: I76ee34a614237bbc99989ce9c1b96a30456be282
Commit ce8a0b2b7d introduces a TRANSIENT
table where all traffic local to br-int is sent after it's been
preprocessed by other features using openflow. This patch adopts the
table.
Change-Id: Ic66c186ab73bad6fcd133f2b9d15e07fd0eebb33
Related-bug: #1696983
Prior to this commit, the number of flows can be prohibitively large
in some cases.
Closes-bug: #1628819
Change-Id: I194e7f40db840d29af317ddc2e342a1409000151
A CIDR IP address in allowed address pairs causes init
and update operation failures on OFPort.
This is because those operations do not handle CIDR IP addresses.
This patch fixes that problem.
Change-Id: Ic4513859364403555e13593fb34bd2e58ea6377b
Closes-Bug: #1652729
Events like server reboots change ofport numbers. In such cases,
cached ofports need to be refreshed.
Change-Id: If4acf61736b8f1e9707efc409509e1f557d5f886
Closes-Bug: #1645655
Previously, if the tag was not present in other_config obtained from ovsdb
for any reason, the DEAD VLAN tag was used. This is not smart at all as it
puts all conntrack entries in one place. Also, the tag is mandatory, and if
other_config doesn't contain it, that's a huge mistake that should never
happen.
Change-Id: I91ab75b52b70dbba4c7823550bfdfe0ab9396336
Related-bug: 1564947
Open vSwitch takes care of vlan tagging in case normal switching is
used. When ingress traffic packets are accepted, the
actions=output:<port_number> is used, but we need to explicitly take care
of stripping out the vlan tags.
Closes-Bug: 1564947
Change-Id: If3fc44c9fd1ac0f7bc9dfe9dc48e76352e981f8e
(cherry picked from commit 0f9ec7b72a)
This patch makes sure that an existing connection breaks once the security
group rule that allowed such a connection is removed. In order to correctly
track connections on the same hypervisor, zones were changed from
per-port to per-network (based on the port's vlan tag). This information is
now stored in register 6. Also, a test for RELATED connections was added
to avoid marking such connections as invalid by REPLY rules.
Closes-Bug: 1549370
Change-Id: Ibb5942a980ddd8f2dd7ac328e9559a80c05789bb
(cherry picked from commit 4f6aa3ffde)
The algorithm for masking port ranges was taken from networking-ovs-dpdk.
A future step will be to move the algorithm to neutron-lib and reuse it in
networking-ovs-dpdk.
Change-Id: I4573eac9a2e04c1f126d26591d2e3207b6150337
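The port-range masking idea referred to above, as an added example written for this page (a clean-room version, not neutron's or networking-ovs-dpdk's own code): a security group rule with an L4 port range is expanded into a handful of "port/mask" matches whose union is exactly the range, instead of one flow per port, plus a brute-force check that the masks open no port the rule did not allow. Function names are the example's own.

```python
"""
Expand an L4 port range into OpenFlow tp_src/tp_dst "port/mask" matches.

Added example, not neutron's own implementation: a clean-room version of
the port-range masking approach the commit message refers to. The mask
form lets one flow match many ports, which keeps the flow count small
for wide ranges such as 1024-65535.
"""


def port_range_to_masks(port_min, port_max):
    """Return hex 'port/mask' strings whose union is [port_min, port_max].

    Greedy: at the current position take the largest power-of-two block
    that is aligned to its own size and still fits inside the range.
    """
    if not (0 <= port_min <= port_max <= 0xffff):
        raise ValueError("invalid port range %r-%r" % (port_min, port_max))
    rules = []
    pos = port_min
    while pos <= port_max:
        size = 1
        while pos % (size * 2) == 0 and pos + size * 2 - 1 <= port_max:
            size *= 2
        mask = 0xffff & ~(size - 1)
        rules.append("0x%04x/0x%04x" % (pos, mask))
        pos += size
    return rules


def ports_matched(rule):
    """Set of ports a single 'port/mask' match accepts (brute force)."""
    value, mask = (int(part, 16) for part in rule.split("/"))
    return {p for p in range(0x10000) if p & mask == value & mask}


def covers_exactly(rules, port_min, port_max):
    """Check that the masks admit every port in the range and no other.

    A too-wide mask would silently open ports the SG rule never allowed,
    so this is the property a firewall unit test should pin down.
    """
    matched = set()
    for rule in rules:
        matched |= ports_matched(rule)
    return matched == set(range(port_min, port_max + 1))


if __name__ == "__main__":
    # Constructed sample ranges, including the common ephemeral range.
    for lo, hi in ((80, 80), (1, 3), (1000, 1999), (1024, 65535)):
        rules = port_range_to_masks(lo, hi)
        print("%d-%d -> %d flows %s (exact: %s)"
              % (lo, hi, len(rules), rules, covers_exactly(rules, lo, hi)))
```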
This firewall requires OVS 2.5+ version supporting conntrack and kernel
conntrack datapath support (kernel>=4.3). For more information, see
https://github.com/openvswitch/ovs/blob/master/FAQ.md
As part of this, new entry points for the current reference firewalls were
added.
Configuration:
in openvswitch_agent.ini:
- in securitygroup section set firewall_driver to openvswitch
DocImpact
Closes-bug: #1461000
Co-Authored-By: Miguel Angel Ajo Pelayo <mangelajo@redhat.com>
Co-Authored-By: Amir Sadoughi <amir.sadoughi@rackspace.com>
Change-Id: I13e5cda8b5f3a13a60b14d80e54f198f32d7a529