
yahoo-eng-team team mailing list archive

[Bug 2000046] Re: [ml2][ovs] port flows Unexpectedly deleted by arp_spoofing_protection


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/868058
Committed: https://opendev.org/openstack/neutron/commit/dad23fdcdb32e3b061642e3cafad6566fadc11c3
Submitter: "Zuul (22348)"
Branch:    master

commit dad23fdcdb32e3b061642e3cafad6566fadc11c3
Author: LIU Yulong <i@xxxxxxxxxxxx>
Date:   Mon Dec 19 14:26:47 2022 +0800

    Strictly delete arp_spoofing_protection flows
    
    Port arp_spoofing_protection will install flows like this:
    table=0, priority=9,in_port=2 actions=goto_table:25
    table=25, priority=2,in_port=2,dl_src=fa:16:3e:54:f0:71 actions=goto_table:60
    
    For network ports or port_security_enabled = False, those flows
    will be deleted by setup_arp_spoofing_protection in _bind_devices.
    
    But the delete actions are a bit rough because it will delete any
    flows with "table=0 in_port=2" and "table=25 in_port=2".
    
    Besides, the ovs_agent extension handle_port will be run before
    these actions [5]. So for network or no-security ports, any flows
    added by an agent extension in table=0 with "in_port=2" will be deleted
    unexpectedly, which also means any flows added before this call of
    "uninstall_flows(table=0, in_port=2)" will be deleted.
    
    This patch changes the uninstall flows to strict mode. Let it
    delete the arp_spoofing_protection related flows only by verifying
    the priority.
    
    Closes-Bug: #2000046
    Change-Id: Ifdd47b2ce8610e4b4b527fc3279e0bd7a8b21a1d


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2000046

Title:
  [ml2][ovs] port flows Unexpectedly deleted by arp_spoofing_protection

Status in neutron:
  Fix Released

Bug description:
  Port arp_spoofing_protection will install flows like this:

  table=0, priority=9,in_port=2 actions=goto_table:25
  table=25, priority=2,in_port=2,dl_src=fa:16:3e:54:f0:71 actions=goto_table:60

  For network ports or port_security_enabled = False, those flows
  will be deleted by setup_arp_spoofing_protection in _bind_devices [1][2][3][4].

  Besides, the ovs_agent extension handle_port will be run before
  these actions [5]. So for network or no-security ports, any flows
  added by an agent extension in table=0 with "in_port=2" will be deleted
  unexpectedly, which also means any flows added before this call of
  "uninstall_flows(table=0, in_port=2)" will be deleted.

  [1] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py#L385
  [2] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1300
  [3] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1307
  [4] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1241
  [5] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L2038
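The difference between the coarse delete in the bug description and the strict delete in the commit message, as an added toy model that is not neutron code and not the os-ken API the OVS agent uses: flows are dicts in a list, the two arp_spoofing_protection flows are the ones quoted above, and the third flow is a hypothetical agent-extension flow on the same in_port.

```python
# Toy model of OpenFlow delete semantics (non-strict vs strict). Added
# illustration only; not neutron's code nor the os-ken API it calls.

def _covered_by(delete_match, flow_match):
    """Non-strict delete: every field in the request must match the flow;
    omitted fields are wildcards and priority is ignored."""
    return all(flow_match.get(k) == v for k, v in delete_match.items())


class FlowTable:
    def __init__(self):
        self.flows = []

    def add_flow(self, table, priority, match, actions):
        self.flows.append({"table": table, "priority": priority,
                           "match": dict(match), "actions": actions})

    def uninstall_flows(self, table, match, priority=None, strict=False):
        """Delete flows in `table` and return them. strict=True mirrors
        OFPFC_DELETE_STRICT: only an identical priority and match is hit,
        so other flows on the same in_port survive."""
        removed, kept = [], []
        for f in self.flows:
            if f["table"] != table:
                kept.append(f)
                continue
            if strict:
                hit = f["priority"] == priority and f["match"] == match
            else:
                hit = _covered_by(match, f["match"])
            (removed if hit else kept).append(f)
        self.flows = kept
        return removed


def build_table():
    """Constructed sample: the two arp_spoofing_protection flows from the
    report plus a hypothetical extension flow installed earlier by handle_port."""
    t = FlowTable()
    t.add_flow(0, 9, {"in_port": 2}, "goto_table:25")
    t.add_flow(25, 2, {"in_port": 2, "dl_src": "fa:16:3e:54:f0:71"},
               "goto_table:60")
    t.add_flow(0, 50, {"in_port": 2, "dl_type": 0x0800}, "goto_table:30")
    return t


def remaining_after_cleanup(strict):
    """Run the table=0 cleanup the old way (non-strict) or the fixed way
    (strict + priority) and report the (table, priority) of survivors."""
    t = build_table()
    t.uninstall_flows(table=0, match={"in_port": 2}, priority=9, strict=strict)
    return [(f["table"], f["priority"]) for f in t.flows]
```

With strict=False the extension flow at priority 50 disappears together with the priority-9 protection flow; with strict=True only the priority-9 flow is removed.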
