yahoo-eng-team team mailing list archive

[Bug 2080347] [NEW] Openvswitch Port Security for unicast traffic of other instances

Public bug reported:

I ran some scenarios with ML2/OVN and ML2/OVS (in all tests the security
group has no rules).

With the OVN backend, when port security is enabled I can NOT see the
unicast traffic of other instances with tcpdump, but when port security is
disabled I can see the unicast traffic of other instances.

I also ran the same scenarios with the Open vSwitch-only backend (not
OVN); there I can see the unicast traffic of other instances (enabling or
disabling port security has no impact).

Is there any link or reference that explicitly explains this issue and
the impact of OVN in OpenStack for dropping other traffic?

I dumped the flow rules from Open vSwitch and compared them, and I'm pretty
sure that OVN adds some rules to drop the other unicast traffic.

Can I drop the unicast traffic of other instances in Open vSwitch when I do
not use OVN as the backend (automatically or by configuration)?

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: ovn port-security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2080347

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2080347/+subscriptions
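As an added example (not from the bug report and not Neutron or OVN code), a small Python script for the "dump the flow rules and compare them" step described above: it strips the per-flow counters and timers from two `ovs-ofctl dump-flows br-int` captures so that only real rule differences (table, priority, match, actions) remain, and lists the unconditional drop rules. The two dumps embedded in it are constructed samples with ovs-ofctl field names; they are not flows captured from OVN or the OVS agent.

```python
"""Normalise two `ovs-ofctl dump-flows` captures and diff them by rule, not by counter."""
from typing import Dict, List, Set, Tuple

# Fields that differ between two dumps without changing forwarding behaviour.
VOLATILE = {"cookie", "duration", "n_packets", "n_bytes", "idle_age",
            "hard_age", "idle_timeout", "hard_timeout"}

Flow = Tuple[str, str]  # (normalised match, actions)


def normalize_flow(line: str) -> Flow:
    """Strip counters/timers from one dump line; non-flow lines become ('', '')."""
    line = line.strip()
    if " actions=" not in line:          # header line such as "NXST_FLOW reply ..."
        return "", ""
    match_part, actions = line.split(" actions=", 1)
    kept = [f.strip() for f in match_part.split(",")
            if f.strip().split("=", 1)[0] not in VOLATILE]
    return ",".join(kept), actions.strip()


def parse_dump(text: str) -> Set[Flow]:
    """Set of normalised flows in a dump; lines identical after normalisation collapse."""
    return {nf for nf in map(normalize_flow, text.splitlines()) if nf != ("", "")}


def diff_dumps(before: str, after: str) -> Dict[str, List[Flow]]:
    """Rules present in only one capture, i.e. what toggling port security changed."""
    a, b = parse_dump(before), parse_dump(after)
    return {"added": sorted(b - a), "removed": sorted(a - b)}


def drop_rules(text: str) -> List[Flow]:
    """Flows whose action is an unconditional drop: the candidates to inspect first."""
    return sorted(f for f in parse_dump(text) if f[1] == "drop")


# Constructed dumps (illustrative rules only, not real OVN/OVS-agent flows).
PORTSEC_OFF = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=101.2s, table=0, n_packets=50, n_bytes=4000, idle_age=1, priority=0 actions=NORMAL
 cookie=0x0, duration=101.2s, table=0, n_packets=12, n_bytes=900, idle_age=3, priority=1,in_port=5 actions=resubmit(,60)
"""
PORTSEC_ON = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=20.7s, table=0, n_packets=31, n_bytes=2600, idle_age=0, priority=0 actions=NORMAL
 cookie=0x0, duration=20.7s, table=0, n_packets=2, n_bytes=120, idle_age=7, priority=1,in_port=5 actions=resubmit(,60)
 cookie=0x0, duration=20.7s, table=60, n_packets=0, n_bytes=0, idle_age=20, priority=10,in_port=5,dl_dst=fa:16:3e:00:00:01 actions=output:6
 cookie=0x0, duration=20.7s, table=60, n_packets=4, n_bytes=320, idle_age=2, priority=5,in_port=5 actions=drop
"""
```

Run `diff_dumps(PORTSEC_OFF, PORTSEC_ON)` on two real captures taken before and after toggling port security on one port; the counters that would otherwise make every line differ are ignored.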
