yahoo-eng-team team mailing list archive

[Bug 1626010] Re: OVS Firewall cannot handle non unique MACs


Reviewed:  https://review.openstack.org/385085
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6370a0471076ccb095a90f97ffc869ae7ea2e5ed
Submitter: Jenkins
Branch:    master

commit 6370a0471076ccb095a90f97ffc869ae7ea2e5ed
Author: Jakub Libosvar <libosvar@xxxxxxxxxx>
Date:   Tue Jun 13 12:07:28 2017 +0000

    ovsfw: Fix overlapping MAC addresses on integration bridge
    
    The patch relies on the fact that traffic not going from an instance
    (and thus from a port not managed by the firewall) is tagged. Traffic
    coming from the instance is not tagged and thus the net register is used
    for marking such traffic. These two approaches make matching rules unique
    even if two ports from different networks share their MAC addresses.
    
    Traffic coming from trusted ports is marked with the network in the registry
    so the firewall can decide later to which network the traffic belongs.
    
    Closes-bug: #1626010
    
    Change-Id: Ia05d75a01b0469a0eaa82ada67b16a9481c50f1c


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1626010

Title:
  OVS Firewall cannot handle non unique MACs

Status in neutron:
  Fix Released

Bug description:
  It seems we have a case where the openvswitch firewall driver and a
  use of trunks interfere with each other. I tried using the parent's
  MAC address for a subport, like this:

   openstack network create net0
   openstack network create net1
   openstack subnet create --network net0 --subnet-range 10.0.4.0/24 subnet0
   openstack subnet create --network net1 --subnet-range 10.0.5.0/24 subnet1
   openstack port create --network net0 port0
   parent_mac="$( openstack port show port0 | awk '/ mac_address / { print $4 }' )"
   openstack port create --network net1 --mac-address "$parent_mac" port1
   openstack network trunk create --parent-port port0 --subport port=port1,segmentation-type=vlan,segmentation-id=101 trunk0
   openstack server create --flavor cirros256 --image cirros-0.3.4-x86_64-uec --nic port-id=port0 --key-name key0 --wait vm0

  Then all packets are lost on the trunk's parent port:

   $ openstack server show vm0 | egrep addresses.*net0
   | addresses                            | net0=10.0.4.6                                                  |
   $ sudo ip netns exec "qdhcp-$( openstack network show net0 | awk '/ id / { print $4 }' )" ping -c3 10.0.4.6
   WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
   PING 10.0.4.6 (10.0.4.6) 56(84) bytes of data.
   
   --- 10.0.4.6 ping statistics ---
   3 packets transmitted, 0 received, 100% packet loss, time 2016ms

  If I change the firewall_driver to noop and redo the same I have
  connectivity.

  If I still have the openvswitch firewall_driver but I don't explicitly
  set the subport MAC, but let neutron automatically assign one, then
  again I have connectivity.

  devstack version: 81d89cf
  neutron version: 60010a8

  relevant parts of local.conf:

   [[local|localrc]]
   enable_service neutron-api
   enable_service neutron-l3
   enable_service neutron-agent
   enable_service neutron-dhcp
   enable_service neutron-metadata-agent
   
   [[post-config|$NEUTRON_CONF]]
   [DEFAULT]
   service_plugins = router,trunk
   
   [[post-config|$NEUTRON_PLUGIN_CONF]]
   [securitygroup]
   firewall_driver = openvswitch

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1626010/+subscriptions
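An added check, not part of the bug report or of the Neutron fix, for spotting ports whose MAC address is reused across networks on a deployment (the condition that triggered this bug with the openvswitch firewall driver). It assumes three whitespace-separated columns, id, mac_address and network_id in that order, as printed by `openstack port list -f value -c id -c mac_address -c network_id`; the sample lines below are constructed.

```shell
#!/bin/sh
# Report every MAC address that is assigned to ports in more than one
# Neutron network. Output: "<mac> <number of networks> <port ids>".
# Input lines: "<port id> <mac_address> <network_id>" (assumed column order).
find_shared_macs() {
    awk '
        # Count each (mac, network) pair once, so a MAC is flagged only when
        # it appears in several distinct networks.
        !seen[$2, $3]++ { nets[$2]++ }
        # Remember which ports carry the MAC, in input order.
        { ports[$2] = ports[$2] (ports[$2] ? "," : "") $1 }
        END {
            for (m in nets)
                if (nets[m] > 1) print m, nets[m], ports[m]
        }' | sort
}

# Constructed sample: port1 reuses port0 MAC on another network (the trunk
# subport setup from the report); the third MAC is shared by three networks;
# the second MAC is unique and must not be reported.
SAMPLE_PORTS='port0 fa:16:3e:aa:bb:01 net0
port1 fa:16:3e:aa:bb:01 net1
port2 fa:16:3e:aa:bb:02 net0
port3 fa:16:3e:aa:bb:03 net1
port4 fa:16:3e:aa:bb:03 net2
port5 fa:16:3e:aa:bb:03 net3'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PORTS" | find_shared_macs

# Live use on a node with OpenStack credentials sourced (assumed column order):
#   openstack port list -f value -c id -c mac_address -c network_id | find_shared_macs
```

Any MAC listed is a port pair that, on a neutron without the fix above, will have ambiguous firewall flows on br-int.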
