
yahoo-eng-team team mailing list archive

[Bug 1697593] Re: ovsfw issue for allowed_address_pairs

 

Reviewed:  https://review.openstack.org/473751
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b7892b16b25c34edd9da6b4901b08a58c9725046
Submitter: Jenkins
Branch:    master

commit b7892b16b25c34edd9da6b4901b08a58c9725046
Author: jufeng <jesse@xxxxxxxxxxxx>
Date:   Tue Jun 13 15:13:53 2017 +0800

    ovsfw: fix allowed_address_pairs MAC issue
    
    The current ovsfw implementation does not take care of MACs in
    allowed_address_pairs that are different from the VM's MAC.
    This patch uses the following method to fix this issue:
    1. Do not check dl_src in table=72 because table=71 has checked
    dl_src for Egress.
    2. Add all allowed MACs in table=0 and table=73 for Ingress.
    3. Do not check dl_dst in table=82 because this check has been done
    in table=0 and table=73.
    4. Delete allowed MACs in table=0 and table=73 when needed.
    
    Change-Id: Iad59096f0c9855ebfd4a0d5b447e73b443d66c1d
    Closes-Bug: #1697593


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1697593

Title:
  ovsfw issue for allowed_address_pairs

Status in neutron:
  Fix Released

Bug description:
  A port's allowed_address_pairs allows a different IP and MAC to be set for the port.

  The current ovsfw implementation has this issue for allowed_address_pairs with a MAC different from the VM's MAC:
  1. Packets with the allowed_address_pairs' MAC and IP (MAC different from the VM's MAC) cannot come out from the VM because the table=72 OpenFlow only checks dl_src=VM-MAC in br-int.
  2. Cannot ping from outside to the VM's allowed_address_pairs' MAC and IP (MAC different from the VM's MAC) because the table=0 OpenFlow only checks dl_dst=VM-MAC.

  We need to allow the situation where address_pairs have a MAC
  different from the VM's MAC.

  Suggested change:
  1. Do not check dl_src in table=72 because table=71 has checked
  dl_src for Egress.
  2. Add all allowed MACs in table=0 and table=73 for Ingress.
  3. Check dl_dst and nw_dst in table=81 like table=71 does.
  4. Do not check dl_dst in table=82 because this check has been done
  in table=0 and table=73.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1697593/+subscriptions
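
The MAC checks described in the bug, as an added Python model that is not part of the original message and is not neutron's flow-generation code. All MAC and IP values and all function names are constructed for illustration; table=73, table=81/82 and in_port matching are left out, and table=71 is assumed to match the (dl_src, nw_src) pair as the suggested change implies.

```python
# Simplified model of the egress/ingress MAC checks described in the bug.
# All MAC/IP values are constructed; this is not neutron's own code.
from dataclasses import dataclass

VM_MAC = "fa:16:3e:00:00:01"              # constructed port MAC
PAIRS = {                                  # constructed allowed (MAC, IP) set
    (VM_MAC, "10.0.0.5"),                  # the port's own address
    ("fa:16:3e:00:00:aa", "10.0.0.100"),   # allowed_address_pair, different MAC
}

@dataclass(frozen=True)
class Packet:
    dl_src: str
    nw_src: str
    dl_dst: str
    nw_dst: str

def table71(pkt):
    """Base egress: source MAC and IP must be an allowed pair (anti-spoofing)."""
    return (pkt.dl_src, pkt.nw_src) in PAIRS

def table72(pkt, fixed):
    """Egress rules: before the fix the flow also matched dl_src=VM-MAC."""
    return fixed or pkt.dl_src == VM_MAC

def egress_allowed(pkt, fixed):
    return table71(pkt) and table72(pkt, fixed)

def table0_ingress(pkt, fixed):
    """Ingress on dl_dst: VM MAC only before the fix, all allowed MACs after."""
    macs = {mac for mac, _ in PAIRS} if fixed else {VM_MAC}
    return pkt.dl_dst in macs

def verdicts(fixed):
    peer_mac, peer_ip = "fa:16:3e:00:00:02", "10.0.0.9"   # constructed peer
    pair = Packet("fa:16:3e:00:00:aa", "10.0.0.100", peer_mac, peer_ip)
    unlisted = Packet("fa:16:3e:00:00:bb", "10.0.0.100", peer_mac, peer_ip)
    to_pair = Packet(peer_mac, peer_ip, "fa:16:3e:00:00:aa", "10.0.0.100")
    return {
        "egress_pair_mac": egress_allowed(pair, fixed),
        "egress_unlisted_mac": egress_allowed(unlisted, fixed),
        "ingress_to_pair_mac": table0_ingress(to_pair, fixed),
    }

if __name__ == "__main__":
    for fixed in (False, True):
        print("after fix" if fixed else "before fix", verdicts(fixed))
```

In this model a source MAC that is not in the allowed set is still dropped after the fix, because the table=71 check is unchanged.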

