← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 2009221] [NEW] [OVS] Custom ethertype traffic is not coming into the VM

 

Public bug reported:

This bug is related to https://bugs.launchpad.net/neutron/+bug/1832758.

In [1], the ability to allow custom ethertypes was added to the OVS
native firewall. This patch was adding a bypass for traffic with custom
ethertypes and a MAC address matching one of the local ports in this OVS
(in the table 60 the traffic should match the VLAN tag and the
destination MAC).

In [2], this piece of code was moved to the EGRESS section to allow the
traffic sent by a port with one of the allowed custom ethertypes to
bypass the firewall and go directly to the accepted egress table, where
the traffic is sent explicitly to the corresponding physical bridge or
tunnel bridge, depending on the network type.

None of these patches can live without the other. Now we are missing the
code of the first one [1], removed by the second one [2]: we need an
explicit bypass in the INGRESS section to allow this traffic and sent it
directly to the corresponding port.

[1]https://review.opendev.org/c/openstack/neutron/+/668224
[2]https://review.opendev.org/c/openstack/neutron/+/678021

** Affects: neutron
     Importance: Medium
     Assignee: Rodolfo Alonso (rodolfo-alonso-hernandez)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Rodolfo Alonso (rodolfo-alonso-hernandez)

** Changed in: neutron
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2009221

Title:
  [OVS] Custom ethertype traffic is not coming into the VM

Status in neutron:
  New

Bug description:
  This bug is related to
  https://bugs.launchpad.net/neutron/+bug/1832758.

  In [1], the ability to allow custom ethertypes was added to the OVS
  native firewall. This patch was adding a bypass for traffic with
  custom ethertypes and a MAC address matching one of the local ports in
  this OVS (in the table 60 the traffic should match the VLAN tag and
  the destination MAC).

  In [2], this piece of code was moved to the EGRESS section to allow
  the traffic sent by a port with one of the allowed custom ethertypes
  to bypass the firewall and go directly to the accepted egress table,
  where the traffic is sent explicitly to the corresponding physical
  bridge or tunnel bridge, depending on the network type.

  None of these patches can live without the other. Now we are missing
  the code of the first one [1], removed by the second one [2]: we need
  an explicit bypass in the INGRESS section to allow this traffic and
  sent it directly to the corresponding port.

  [1]https://review.opendev.org/c/openstack/neutron/+/668224
  [2]https://review.opendev.org/c/openstack/neutron/+/678021

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2009221/+subscriptions



Follow ups