yahoo-eng-team team mailing list archive

[Bug 1756296] [NEW] OVS agent: avoid the use of OVSDB port tags

 

Public bug reported:

Currently, the OVS agent relies on OVSDB port tags in br-int to mark the
traffic arriving on a VM port with a local VLAN that is used to isolate
the traffic once it exits br-int. The VLAN (dot1q) tag is imposed on
the packet when the NORMAL action is applied on the packet.

This approach is incompatible with the goal of having VLAN transparent
ports (VM ports which can send tagged traffic that is forwarded as-is to
other ports on the same Neutron network), because when an OVSDB port tag
is set, OVS drops packets sent by a VM if they are already tagged [1].

Additionally, because it's only applied after the NORMAL action, this
local VLAN is not usable in matches in br-int; this leads components
such as the openvswitch SG firewall driver to keep track in an OVS
register of which network a packet belongs to (the L2 OpenFlow manager
[2] will lead to other components ending up with the same need; other
components such as networking-bagpipe worked around this limitation by
placing rules in br-tun instead).

This RFE is here to discuss the idea of changing the design to not use
OVSDB port tags anymore, always use an OVS register instead, and use an
explicit push_vlan action for traffic going towards br-ex, br-int,
br-tun.

[1] http://paste.openstack.org/show/702971/
[2] https://review.openstack.org/#/c/323963/

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1756296
