yahoo-eng-team team mailing list archive

[Bug 2009221] Re: [OVS] Custom ethertype traffic is not coming into the VM

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/876563
Committed: https://opendev.org/openstack/neutron/commit/008277b8c12d99438951a308b278203fa7a7c3ef
Submitter: "Zuul (22348)"
Branch:    master

commit 008277b8c12d99438951a308b278203fa7a7c3ef
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date:   Sun Mar 5 22:12:55 2023 +0100

    [OVS] Allow custom ethertype traffic in the ingress table
    
    This patch is a partial revert of [1], reinstantiating the code merged
    in [2]. This patch is complementary to [1]: the traffic with
    custom ethertypes is allowed in the ingress processing tables, same
    as [1] is allowing all traffic from the virtual machine ports in this
    host to leave the node. Both this patch and [1] are bypassing the
    OVS firewall just for the traffic with the configured allowed
    ethertypes and just for/to the local ports and MAC addresses.
    
    Any other traffic not coming from a local port or with a local port
    as destination will be blocked, as it is now.
    
    [1]https://review.opendev.org/c/openstack/neutron/+/678021
    [2]https://review.opendev.org/c/openstack/neutron/+/668224/
    
    Closes-Bug: #2009221
    Related-Bug: #1832758
    Change-Id: Ib8340d9430b946a446edf80886c49fbac729073c


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2009221

Title:
  [OVS] Custom ethertype traffic is not coming into the VM

Status in neutron:
  Fix Released

Bug description:
  This bug is related to
  https://bugs.launchpad.net/neutron/+bug/1832758.

  In [1], the ability to allow custom ethertypes was added to the OVS
  native firewall. This patch was adding a bypass for traffic with
  custom ethertypes and a MAC address matching one of the local ports in
  this OVS (in table 60, the traffic should match the VLAN tag and
  the destination MAC).

  In [2], this piece of code was moved to the EGRESS section to allow
  the traffic sent by a port with one of the allowed custom ethertypes
  to bypass the firewall and go directly to the accepted egress table,
  where the traffic is sent explicitly to the corresponding physical
  bridge or tunnel bridge, depending on the network type.

  None of these patches can live without the other. Now we are missing
  the code of the first one [1], removed by the second one [2]: we need
  an explicit bypass in the INGRESS section to allow this traffic and
  send it directly to the corresponding port.

  [1]https://review.opendev.org/c/openstack/neutron/+/668224
  [2]https://review.opendev.org/c/openstack/neutron/+/678021

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2009221/+subscriptions


