Add a default goto table=94 for openvswitch fw

gotostack · rubasov · commit c32eb5669a54 · 2024-06-13T12:25:12.000+02:00
If enable explicitly_egress_direct=True and set port as no security group and port_security=False, the ingress flood will reappear. The pipleline is: Ingress table_0 -> table_60 -> NORMAL -> VM Egress table_0 -> ... -> table_94 -> output Because ingress final action is normal, the br-int will learn the source MAC, but egress final action is output. So VM's mac will never be learnt by the br-int. Then ingress flood comes again. This patch adds a default direct flow to table 94 during the openflow security group init and explicitly_egress_direct=True, then the pipleline will be: Ingress table_0 -> table_60 -> table_94 -> output VM Egress table_0 -> ... -> table_94 -> output And this patch adds the flows coming from patch port which will match local vlan then go to table 94 do the same direct actions. Above flood issue will be addressed by these flows. Closes-Bug: #2051351 Change-Id: Ia61784174ee610b338f26660b2954330abc131a1 (cherry picked from commit d6f56c5) (cherry picked from commit f94f8b6) (cherry picked from commit fc7fa9c) Conflict with 02b12b0 in neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py (cherry picked from commit 1045985) Conflict with 5b64ac9 in neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py
diff --git a/doc/source/contributor/internals/openvswitch_firewall.rst b/doc/source/contributor/internals/openvswitch_firewall.rst
@@ -525,6 +525,19 @@ will be:
   table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:24:57:c7,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
   table=94, priority=1 actions=NORMAL
 
+The OVS firewall will initialize a default goto table 94 flow
+on TRANSIENT_TABLE |table_60|, if ``explicitly_egress_direct``
+is set to True, which is mainly for ports without security groups
+and disabled port_security. For instance:
+
+::
+  table=60, priority=2 actions=resubmit(,94)
+
+Then for packets from the outside to VM without security functionalities
+(--disable-port-security --no-security-group)
+will go to table 94 and do the same direct actions.
+
+
 OVS firewall integration points
 -------------------------------
 
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -644,6 +644,14 @@ def _initialize_common_flows(self):
                     'resubmit(,%d)' % ovs_consts.BASE_EGRESS_TABLE,
         )
 
+        if cfg.CONF.AGENT.explicitly_egress_direct:
+            self._add_flow(
+                table=ovs_consts.TRANSIENT_TABLE,
+                priority=2,
+                actions='resubmit(,%d)' % (
+                    ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)
+            )
+
     def _initialize_third_party_tables(self):
         self.int_br.br.add_flow(
             table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
@@ -1253,6 +1261,7 @@ def install_accepted_egress_direct_flow(self, mac, vlan_tag, dst_port,
             return
 
         # Prevent flood for accepted egress traffic
+        # For packets from internal ports or VM ports.
         self._add_flow(
             flow_group_id=dst_port,
             table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
@@ -1261,6 +1270,15 @@ def install_accepted_egress_direct_flow(self, mac, vlan_tag, dst_port,
             reg_net=vlan_tag,
             actions='output:{:d}'.format(dst_port)
         )
+        # For packets from patch ports.
+        self._add_flow(
+            flow_group_id=dst_port,
+            table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
+            priority=12,
+            dl_dst=mac,
+            dl_vlan=vlan_tag,
+            actions='strip_vlan,output:{:d}'.format(dst_port)
+        )
 
         # The former flow may not match, that means the destination port is
         # not in this host. So, we direct the packet to mapped bridge(s).
@@ -1309,6 +1327,12 @@ def delete_accepted_egress_direct_flow(self, mac, vlan_tag):
             dl_src=mac,
             reg_net=vlan_tag)
 
+        self._delete_flows(
+            table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
+            dl_dst=mac,
+            dl_vlan=vlan_tag
+        )
+
     def _initialize_tracked_egress(self, port):
         # Drop invalid packets
         self._add_flow(
diff --git a/neutron/conf/plugins/ml2/drivers/ovs_conf.py b/neutron/conf/plugins/ml2/drivers/ovs_conf.py
@@ -228,12 +228,16 @@
                        "outgoing IP packet carrying GRE/VXLAN tunnel.")),
     cfg.BoolOpt('baremetal_smartnic', default=False,
                 help=_("Enable the agent to process Smart NIC ports.")),
+    # TODO(liuyulong): consider adding a new configuration
+    # item to control ingress behavior.
     cfg.BoolOpt('explicitly_egress_direct', default=False,
                 help=_("When set to True, the accepted egress unicast "
                        "traffic will not use action NORMAL. The accepted "
                        "egress packets will be taken care of in the final "
                        "egress tables direct output flows for unicast "
-                       "traffic.")),
+                       "traffic. This will aslo change the pipleline for "
+                       "ingress traffic to ports without security, the final "
+                       "output action will be hit in table 94. ")),
 ]
 
 dhcp_opts = [
diff --git a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py
@@ -57,7 +57,7 @@ def setup_default_table(self, enable_openflow_dhcp=False,
         self.install_goto(dest_table_id=constants.PACKET_RATE_LIMIT)
         self.install_goto(dest_table_id=constants.TRANSIENT_TABLE,
                           table_id=constants.PACKET_RATE_LIMIT)
-        self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
+        self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=1)
         self.init_dhcp(enable_openflow_dhcp=enable_openflow_dhcp,
                        enable_dhcpv6=enable_dhcpv6)
         self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
@@ -909,8 +909,13 @@ def test_delete_all_port_flows(self):
                       "reg6": port.vlan_tag}
         flow7 = mock.call(**call_args7)
 
+        call_args8 = {"table": ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE,
+                      "dl_dst": port.mac,
+                      "dl_vlan": port.vlan_tag}
+        flow8 = mock.call(**call_args8)
+
         self.mock_bridge.br.delete_flows.assert_has_calls(
-            [flow1, flow2, flow3, flow6, flow7, flow4, flow5])
+            [flow1, flow2, flow3, flow6, flow7, flow8, flow4, flow5])
 
     def test_prepare_port_filter_initialized_port(self):
         port_dict = {'device': 'port-id',
diff --git a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py
@@ -71,7 +71,7 @@ def test_setup_default_table(self):
                         ]),
                 ],
                 match=ofpp.OFPMatch(),
-                priority=3,
+                priority=1,
                 table_id=60),
                            active_bundle=None),
             call._send_msg(ofpp.OFPFlowMod(dp,
