neutron/neutron/plugins/ml2/drivers/linuxbridge
Rodolfo Alonso Hernandez 0a931391d8 Make ARP protection commands compatible with "ebtables-nft"
"nftables" compatible binary, "ebtables-nft", is not 100% compatible
with the legacy API, as reported in LP#1922892.

This patch fixes the following issues when using "ebtables-nft" (while
keeping compatibility with legacy binary):
- When a new chain is created, a default DROP rule is added at the end
  of the chain (append). This will prevent the error code 4 when the
  chain is listed.
- The chain rules are added at the beginning of the chain (insert),
  before the default DROP rule. This will prioritize the port rules.
- The MAC rules are cleaned before the new ones are added. That will
  prevent the deletion of any new needed rule, now added after the
  deletion.
- The "ebtables" command will retry on error code 4. This is the
  error returned when the chains are listed and no rule is present
  in a newly created chain (reported in LP#1922892).

This code is backwards compatible, that means it works with the legacy
"ebtables" binary; this is currently installed in the Neutron CI [1].
In order to test with the new binary, "ebtables-nft", two new CI jobs
are added to the periodic queue [2].

[1]1ad9ca56b0/roles/legacy_ebtables/tasks/main.yaml
[2]https://review.opendev.org/c/openstack/neutron/+/785144

Closes-Bug: #1922892
Related-Bug: #1508155

Change-Id: I9463b000f6f63e65aaf91d60b30f6c92c01e3baf
2021-04-09 13:30:39 +00:00
..
agent Make ARP protection commands compatible with "ebtables-nft" 2021-04-09 13:30:39 +00:00
mech_driver Add "connectivity" parameter in vif_details 2019-07-05 10:13:11 +00:00
__init__.py Restructure agent code in preparation for decomp 2015-06-26 15:06:49 +00:00