Merge pull request #151 from stackhpc/upstream/zed-2024-06-17

Synchronise zed with upstream

Author: markgoddard

doc/source/contributor/internals/openvswitch_firewall.rst

@@ -525,6 +525,19 @@ will be:
   table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:24:57:c7,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
   table=94, priority=1 actions=NORMAL
 
+The OVS firewall will initialize a default goto table 94 flow
+on TRANSIENT_TABLE |table_60|, if ``explicitly_egress_direct``
+is set to True, which is mainly for ports without security groups
+and disabled port_security. For instance:
+
+::
+  table=60, priority=2 actions=resubmit(,94)
+
+Then for packets from the outside to VM without security functionalities
+(--disable-port-security --no-security-group)
+will go to table 94 and do the same direct actions.
+
+
 OVS firewall integration points
 -------------------------------
 

neutron/agent/linux/openvswitch_firewall/firewall.py

@@ -644,6 +644,14 @@ def _initialize_common_flows(self):
                     'resubmit(,%d)' % ovs_consts.BASE_EGRESS_TABLE,
         )
 
+        if cfg.CONF.AGENT.explicitly_egress_direct:
+            self._add_flow(
+                table=ovs_consts.TRANSIENT_TABLE,
+                priority=2,
+                actions='resubmit(,%d)' % (
+                    ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)
+            )
+
     def _initialize_third_party_tables(self):
         self.int_br.br.add_flow(
             table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
@@ -1253,6 +1261,7 @@ def install_accepted_egress_direct_flow(self, mac, vlan_tag, dst_port,
             return
 
         # Prevent flood for accepted egress traffic
+        # For packets from internal ports or VM ports.
         self._add_flow(
             flow_group_id=dst_port,
             table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
@@ -1261,6 +1270,15 @@ def install_accepted_egress_direct_flow(self, mac, vlan_tag, dst_port,
             reg_net=vlan_tag,
             actions='output:{:d}'.format(dst_port)
         )
+        # For packets from patch ports.
+        self._add_flow(
+            flow_group_id=dst_port,
+            table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
+            priority=12,
+            dl_dst=mac,
+            dl_vlan=vlan_tag,
+            actions='strip_vlan,output:{:d}'.format(dst_port)
+        )
 
         # The former flow may not match, that means the destination port is
         # not in this host. So, we direct the packet to mapped bridge(s).
@@ -1309,6 +1327,12 @@ def delete_accepted_egress_direct_flow(self, mac, vlan_tag):
             dl_src=mac,
             reg_net=vlan_tag)
 
+        self._delete_flows(
+            table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
+            dl_dst=mac,
+            dl_vlan=vlan_tag
+        )
+
     def _initialize_tracked_egress(self, port):
         # Drop invalid packets
         self._add_flow(

neutron/conf/plugins/ml2/drivers/ovs_conf.py

@@ -228,12 +228,16 @@
                        "outgoing IP packet carrying GRE/VXLAN tunnel.")),
     cfg.BoolOpt('baremetal_smartnic', default=False,
                 help=_("Enable the agent to process Smart NIC ports.")),
+    # TODO(liuyulong): consider adding a new configuration
+    # item to control ingress behavior.
     cfg.BoolOpt('explicitly_egress_direct', default=False,
                 help=_("When set to True, the accepted egress unicast "
                        "traffic will not use action NORMAL. The accepted "
                        "egress packets will be taken care of in the final "
                        "egress tables direct output flows for unicast "
-                       "traffic.")),
+                       "traffic. This will aslo change the pipleline for "
+                       "ingress traffic to ports without security, the final "
+                       "output action will be hit in table 94. ")),
 ]
 
 dhcp_opts = [

neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py

@@ -57,7 +57,7 @@ def setup_default_table(self, enable_openflow_dhcp=False,
         self.install_goto(dest_table_id=constants.PACKET_RATE_LIMIT)
         self.install_goto(dest_table_id=constants.TRANSIENT_TABLE,
                           table_id=constants.PACKET_RATE_LIMIT)
-        self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
+        self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=1)
         self.init_dhcp(enable_openflow_dhcp=enable_openflow_dhcp,
                        enable_dhcpv6=enable_dhcpv6)
         self.install_drop(table_id=constants.ARP_SPOOF_TABLE)

neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

@@ -909,8 +909,13 @@ def test_delete_all_port_flows(self):
                       "reg6": port.vlan_tag}
         flow7 = mock.call(**call_args7)
 
+        call_args8 = {"table": ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
+                      "dl_dst": port.mac,
+                      "dl_vlan": port.vlan_tag}
+        flow8 = mock.call(**call_args8)
+
         self.mock_bridge.br.delete_flows.assert_has_calls(
-            [flow1, flow2, flow3, flow6, flow7, flow4, flow5])
+            [flow1, flow2, flow3, flow6, flow7, flow8, flow4, flow5])
 
     def test_prepare_port_filter_initialized_port(self):
         port_dict = {'device': 'port-id',

neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py

@@ -71,7 +71,7 @@ def test_setup_default_table(self):
                         ]),
                 ],
                 match=ofpp.OFPMatch(),
-                priority=3,
+                priority=1,
                 table_id=60),
                            active_bundle=None),
             call._send_msg(ofpp.OFPFlowMod(dp,