
yahoo-eng-team team mailing list archive

[Bug 1841622] [NEW] [L2][OVS] add accepted egress fdb flows

 

Public bug reported:

Bug https://bugs.launchpad.net/neutron/+bug/1732067 has a bad impact on VM traffic. And all the fixes have some potential risk of data-plane down. So we added a new bug for the new solution:
It will add a flow table something like a switch FDB table. The accepted egress flows will be taken care of in that.

table=94 will be used to do accepted egress traffic classification when the openflow firewall is enabled:
1. the "dest mac" is handled by this ovs-agent, direct "output" to that port
2. "ARP request" with enabled L2 pop, packets will still be sent to patch port to tunnel bridge
3. "dest mac" not in this host, vlan or tunnel (gre/vxlan/geneve) unicast will be sent to corresponding patch port of tunnel/physical bridge.
4. other traffic still matches the original NORMAL flow

A new table=61 will be used to do accepted egress traffic classification when the openflow firewall is not enabled:
1. egress packets will be sent to table 61, the match rule will be the of-port which is handled by ovs-agent "in_port=<some_local_of_port>"
2. the "dest mac" is handled by this ovs-agent, direct "output" to that port
3. "ARP request" with enabled L2 pop, packets will still be sent to patch port to tunnel bridge
4. "dest mac" not in this host, vlan or tunnel (gre/vxlan/geneve) unicast will be sent to corresponding patch port of tunnel/physical bridge.
5. other traffic still matches the original NORMAL flow

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1841622

Title:
  [L2][OVS] add accepted egress fdb flows

Status in neutron:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1841622/+subscriptions
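
The classification described in the bug report, modelled as a small decision function. This is an added example, not code from the report or from Neutron; the names (`Bridge`, `Packet`, `accepted_egress`, `table_61`), the port numbers and MAC addresses are hypothetical, and treating the list order as match priority and keying the FDB by MAC alone are assumptions.

```python
from dataclasses import dataclass

TUNNEL_TYPES = {"gre", "vxlan", "geneve"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Packet:
    in_port: int
    dst_mac: str
    net_type: str              # network type of the sending port's network
    is_arp_request: bool = False

@dataclass
class Bridge:
    local_fdb: dict            # dst MAC -> local ofport (constructed sample data)
    patch_tun: int             # ofport of the patch port to the tunnel bridge
    patch_phys: int            # ofport of the patch port to the physical bridge
    l2pop: bool = True

def is_unicast(mac):
    # The low bit of the first octet is the group (multicast/broadcast) bit.
    return int(mac.split(":")[0], 16) & 1 == 0

def accepted_egress(br, pkt):
    """Rules common to table=94 and table=61, checked in list order (assumed)."""
    if pkt.dst_mac in br.local_fdb:                 # dest MAC is on this host
        return f"output:{br.local_fdb[pkt.dst_mac]}"
    if pkt.is_arp_request and br.l2pop:             # ARP request with L2 pop
        return f"output:{br.patch_tun}"
    if is_unicast(pkt.dst_mac):                     # dest MAC not on this host
        if pkt.net_type in TUNNEL_TYPES:
            return f"output:{br.patch_tun}"
        if pkt.net_type == "vlan":
            return f"output:{br.patch_phys}"
    return "NORMAL"                                 # all other traffic

def table_61(br, pkt):
    """No OpenFlow firewall: only in_port=<local ofport> reaches table 61."""
    if pkt.in_port not in br.local_fdb.values():
        return None                                 # never enters table 61
    return accepted_egress(br, pkt)

# Constructed sample: two local VM ports (5 and 6) and two patch ports.
BR = Bridge(local_fdb={"fa:16:3e:00:00:01": 5, "fa:16:3e:00:00:02": 6},
            patch_tun=2, patch_phys=1)
```

Unicast to a known local MAC resolves to a single output port, and only traffic that matches none of the specific rules falls through to NORMAL.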