
yahoo-eng-team team mailing list archive

[Bug 1654960] Re: SRIOV VF MAC-anti-spoofing check behavior not compatible when port_security extension not configured

 

Bug closed due to lack of activity, please feel free to reopen if
needed.

** Changed in: neutron
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1654960

Title:
  SRIOV VF MAC-anti-spoofing check behavior not compatible when
  port_security extension not configured

Status in neutron:
  Won't Fix

Bug description:
  Some NFV test cases require the source MAC address to be filled in by the
  application, so when the packets reach the SRIOV eswitch, the source
  MAC address is not the VF's MAC address. If the SRIOV NIC's MAC
  anti-spoofing check is enabled, the packets will be dropped, which is not
  desired.

  The solution is to disable the MAC-anti-spoofing check. I noticed the following bp introduced the ability to control the SRIOV MAC-anti-spoofing check:
  https://specs.openstack.org/openstack/neutron-specs/specs/liberty/sriov-spoofchk.html
  And the implementation was done by the following submission:
  https://review.openstack.org/#/c/192065/

  But the implementation is not compatible if the port_security extension driver is not configured.
  For example, I use Mellanox SRIOV NICs, where the MAC-anti-spoofing check is disabled by default (http://www.mellanox.com/related-docs/prod_software/Mellanox_EN_for_Linux_User_Manual_v3_40.pdf), so before Liberty the VF's MAC-anti-spoofing check is DISABLED and the NFV application can specify the source MAC of the outbound packets. After Liberty, the sriov-nic-agent will enable the MAC-anti-spoofing check, NO MATTER whether the port_security extension driver is configured or not. See the following code: spoofcheck has a default value, and the value is True, which means spoof check will always be enabled unless port_security_enabled is explicitly assigned False:

      def treat_devices_added_updated(self, devices):
          ....
                      spoofcheck = device_details.get('port_security_enabled', True)

          ....

  As I understand it, when the port_security extension is not configured, there is no ability to control the SRIOV MAC-anti-spoofing check, and the behavior of the NICs should be left as it is. It's not reasonable to enable the MAC-anti-spoofing check by default.
  When the port_security extension is not configured, the behavior should be compatible with the versions before Liberty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1654960/+subscriptions
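
The default discussed in the report, set beside a tri-state variant that leaves the NIC untouched unless the port carries an explicit setting. This is an added example, not neutron code and not part of the original message; the function names, the PF name and the sample device_details are constructed, and it assumes the port_security_enabled key is absent when the extension driver is not configured, as the report describes.

```python
# Added illustration; not code from neutron. All names below are hypothetical.

def spoofcheck_as_reported(device_details):
    """Default quoted in the bug report: a missing key means 'enable'."""
    return device_details.get('port_security_enabled', True)


def spoofcheck_tristate(device_details):
    """Variant requested in the report: a missing key means 'no change'.

    Returns True/False for an explicit port setting, None otherwise.
    """
    value = device_details.get('port_security_enabled')
    return None if value is None else bool(value)


def spoofchk_command(pf_name, vf_index, setting):
    """Build the iproute2 argv for one VF, or None when nothing should change."""
    if setting is None:
        return None
    return ['ip', 'link', 'set', pf_name, 'vf', str(vf_index),
            'spoofchk', 'on' if setting else 'off']


# Constructed sample inputs (assumption: the key is absent when the
# port_security extension driver is not configured).
SAMPLES = {
    'extension not configured': {'device': 'fa:16:3e:00:00:01'},
    'port security enabled': {'device': 'fa:16:3e:00:00:02',
                              'port_security_enabled': True},
    'port security disabled': {'device': 'fa:16:3e:00:00:03',
                               'port_security_enabled': False},
}


def compare(samples=SAMPLES, pf_name='enp3s0f0', vf_index=0):
    """Map each sample label to (command as reported, command with tri-state)."""
    result = {}
    for label, details in samples.items():
        reported = spoofchk_command(pf_name, vf_index,
                                    spoofcheck_as_reported(details))
        tristate = spoofchk_command(pf_name, vf_index,
                                    spoofcheck_tristate(details))
        result[label] = (reported, tristate)
    return result


if __name__ == '__main__':
    for label, (reported, tristate) in compare().items():
        print(label, '| as reported:', reported, '| tri-state:', tristate)
```

Only the first sample differs: the reported default turns spoofchk on, while the tri-state variant issues no command and the NIC keeps its own default.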


