Should forward only first accepted packet to table 91 and 92
From a performance perspective we should only log the first accepted packet. Therefore we forward only the first accepted packet of each connection session to table 91 and table 92. This is also an effort to sync up with the ovsfw driver on the neutron side [1]. [1] https://review.openstack.org/#/c/591547/ Related-Bug: #1782576 Change-Id: Iac01088bf2c76e3f28000389596f5a1a85478d9a
parent
5b3ac1ebda
commit
93c71ce98a
|
@ -544,9 +544,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
actions='normal')
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
# which differs in constants (table numbers) and exception classes
|
||||
|
@ -582,8 +580,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
||||
priority=80,
|
||||
reg_port=ovs_port.ofport,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal',
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
|
@ -622,8 +619,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_src=mac_addr,
|
||||
dl_type=constants.ETHERTYPE_ARP,
|
||||
arp_spa=ip_addr,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_BASE_EGRESS_TABLE,
|
||||
|
@ -746,8 +742,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
||||
priority=80,
|
||||
reg_port=port.ofport,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
|
@ -780,8 +775,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
||||
reg_port=port.ofport,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
|
||||
|
@ -815,9 +809,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
|
@ -829,9 +821,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
priority=100,
|
||||
dl_type=constants.ETHERTYPE_ARP,
|
||||
reg_port=port.ofport,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
self._initialize_ingress_ipv6_icmp(port)
|
||||
|
||||
|
@ -847,9 +837,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
nw_proto=lib_const.PROTO_NUM_UDP,
|
||||
tp_src=src_port,
|
||||
tp_dst=dst_port,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
|
||||
# Track untracked
|
||||
|
@ -902,9 +890,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
ct_state=state,
|
||||
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||
|
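Review bot: The stateless base flows in this section — the egress ICMPv6 flow that becomes `actions='normal')`, the egress ARP flow, and the ingress ICMPv6/ARP/DHCP flows that become `actions='output:{:d}'.format(port.ofport)` — now never reach the accepted-traffic log tables at all, because they do not pass through the ct(commit) accept path that the commit message says still logs the first packet of each session. If that loss of ARP/ND/DHCP visibility in the log service is intended (it appears to mirror the referenced neutron ovsfw change), it deserves a comment beside the first such flow, e.g. `# Not logged: stateless base flows never resubmit to ACCEPTED_*_TRAFFIC_TABLE; only the first packet of a tracked session is forwarded there (see create_accept_flows).` The priority-80 and ct_mark/ct_zone established-session flows likewise drop the resubmit, which is the intended change. The methods these hunks belong to start and end outside the hunks.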
|
|
@ -88,9 +88,7 @@ def populate_flow_common(direction, flow_template, port):
|
|||
"""Initialize common flow fields."""
|
||||
if direction == n_consts.INGRESS_DIRECTION:
|
||||
flow_template['table'] = fwaas_ovs_consts.FW_RULES_INGRESS_TABLE
|
||||
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
flow_template['actions'] = "output:{:d}".format(port.ofport)
|
||||
elif direction == n_consts.EGRESS_DIRECTION:
|
||||
flow_template['table'] = fwaas_ovs_consts.FW_RULES_EGRESS_TABLE
|
||||
# Traffic can be both ingress and egress, check that no ingress rules
|
||||
|
@ -190,8 +188,11 @@ def create_accept_flows(flow, sg_enabled=False):
|
|||
resubmit_to_sg(flow)
|
||||
elif flow['table'] == fwaas_ovs_consts.FW_RULES_INGRESS_TABLE:
|
||||
flow['actions'] = (
|
||||
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
|
||||
fwaas_ovs_consts.REG_NET, flow['actions']))
|
||||
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
|
||||
'resubmit(,{:d})'.format(
|
||||
fwaas_ovs_consts.REG_NET, flow['actions'],
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
result.append(flow)
|
||||
return result
|
||||
|
||||
|
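Review bot: The resubmit to the accepted-traffic table is re-added only in the FW_RULES_INGRESS_TABLE branch of create_accept_flows (`'resubmit(,{:d})'.format(... ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)`), while the egress branch is reduced to `resubmit_to_sg(flow)` and whatever precedes it lies outside the hunk, so this page cannot confirm that the first accepted egress packet still reaches ACCEPTED_EGRESS_TRAFFIC_TABLE as the commit message promises; a test or a pointer in the commit message would close that gap. populate_flow_common now emits a bare `output:` action for ingress, so any caller that builds accept flows without going through create_accept_flows would silently lose logging — a comment there would make the contract explicit, e.g. `# The logging resubmit is added in create_accept_flows on the ct(commit) flow only, so each session is logged once.` create_accept_flows starts before the hunk.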
|
|
@ -16,8 +16,6 @@ import mock
|
|||
from neutron_lib import constants
|
||||
|
||||
from neutron.common import constants as n_const
|
||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
|
||||
as ovs_consts
|
||||
from neutron.tests import base
|
||||
|
||||
from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\
|
||||
|
@ -189,9 +187,8 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||
rule = {'protocol': constants.PROTO_NUM_TCP}
|
||||
expected_flows = [{
|
||||
'table': fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||
'actions': 'output:1,resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
'nw_proto': constants.PROTO_NUM_TCP,
|
||||
'actions': 'output:1',
|
||||
'nw_proto': constants.PROTO_NUM_TCP
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
constants.INGRESS_DIRECTION, rule, expected_flows)
|
||||
|
|
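Review bot: No test in this section pins the new accept-flow action string; the only updated expectation is `'actions': 'output:1'` in TestCreateProtocolFlows, which covers populate_flow_common but not the `ct(commit,...),output:N,resubmit(,ACCEPTED_INGRESS_TRAFFIC_TABLE)` action that create_accept_flows now builds for the ingress rules table. A test asserting that string for an ingress flow (and the egress counterpart, if one exists) would guard the one place logging still happens; it would need the `ovs_consts` import that this section appears to drop. The helper this test relies on (`_test_create_protocol_flows_helper`) lies outside the hunk.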