Should forward only first accepted packet to table 91 and 92

From a performance perspective, we should only log the first
accepted packet. Therefore we need to forward only the first accepted
packet of each connection session to table 91 and table 92.
This is also an effort to sync up with ovsfw on the neutron side [1].

[1] https://review.openstack.org/#/c/591547/

Related-Bug: #1782576
Change-Id: Iac01088bf2c76e3f28000389596f5a1a85478d9a
Nguyen Phuong An 2018-08-15 10:05:51 +07:00
parent 5b3ac1ebda
commit 93c71ce98a
3 changed files with 17 additions and 33 deletions


@ -544,9 +544,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
dl_type=constants.ETHERTYPE_IPV6,
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
icmp_type=icmp_type,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
)
actions='normal')
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
# which differs in constants (table numbers) and exception classes
@ -582,8 +580,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
priority=80,
reg_port=ovs_port.ofport,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
actions='normal',
)
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
@ -622,8 +619,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
dl_src=mac_addr,
dl_type=constants.ETHERTYPE_ARP,
arp_spa=ip_addr,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
actions='normal'
)
self._add_flow(
table=fwaas_ovs_consts.FW_BASE_EGRESS_TABLE,
@ -746,8 +742,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
priority=80,
reg_port=port.ofport,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
actions='normal'
)
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
@ -780,8 +775,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
reg_port=port.ofport,
ct_zone=port.vlan_tag,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
actions='normal'
)
self._add_flow(
table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
@ -815,9 +809,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
dl_type=constants.ETHERTYPE_IPV6,
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
icmp_type=icmp_type,
actions='output:{:d},resubmit(,{:d})'.format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
actions='output:{:d}'.format(port.ofport)
)
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
@ -829,9 +821,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
priority=100,
dl_type=constants.ETHERTYPE_ARP,
reg_port=port.ofport,
actions='output:{:d},resubmit(,{:d})'.format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
actions='output:{:d}'.format(port.ofport)
)
self._initialize_ingress_ipv6_icmp(port)
@ -847,9 +837,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
nw_proto=lib_const.PROTO_NUM_UDP,
tp_src=src_port,
tp_dst=dst_port,
actions='output:{:d},resubmit(,{:d})'.format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
actions='output:{:d}'.format(port.ofport)
)
# Track untracked
@ -902,9 +890,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
ct_state=state,
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
ct_zone=port.vlan_tag,
actions='output:{:d},resubmit(,{:d})'.format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
actions='output:{:d}'.format(port.ofport)
)
self._add_flow(
table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
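Review bot: The per-port base accept flows in this section no longer resubmit to the accepted-traffic tables at all — the ingress ICMPv6, ARP and DHCP flows now end in `actions='output:{:d}'.format(port.ofport)` and their egress counterparts in `actions='normal'` — so packets accepted by these static flows will never reach ACCEPTED_INGRESS_TRAFFIC_TABLE / ACCEPTED_EGRESS_TRAFFIC_TABLE, which is a wider change than the "first packet of each session" the commit message describes. If that is intended (ARP/ND/DHCP are not rule-accepted sessions), a comment at the first such flow would save the next reader a search, e.g. `# NOTE: only the first packet of a rule-accepted session is resubmitted to the accepted-traffic tables (see create_accept_flows); base allow flows for ARP/ND/DHCP and established ct_state traffic are forwarded directly.` The egress flows switch from `resubmit(,ACCEPTED_EGRESS_TRAFFIC_TABLE)` to `normal`, which presumably means that table previously did the forwarding itself; the egress branch of create_accept_flows is not in this commit's hunks, so confirm that egress rule flows still get forwarded after being resubmitted there, or that they too now emit `normal` directly. The enclosing methods all start and end outside these hunks.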


@ -88,9 +88,7 @@ def populate_flow_common(direction, flow_template, port):
"""Initialize common flow fields."""
if direction == n_consts.INGRESS_DIRECTION:
flow_template['table'] = fwaas_ovs_consts.FW_RULES_INGRESS_TABLE
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
flow_template['actions'] = "output:{:d}".format(port.ofport)
elif direction == n_consts.EGRESS_DIRECTION:
flow_template['table'] = fwaas_ovs_consts.FW_RULES_EGRESS_TABLE
# Traffic can be both ingress and egress, check that no ingress rules
@ -190,8 +188,11 @@ def create_accept_flows(flow, sg_enabled=False):
resubmit_to_sg(flow)
elif flow['table'] == fwaas_ovs_consts.FW_RULES_INGRESS_TABLE:
flow['actions'] = (
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
fwaas_ovs_consts.REG_NET, flow['actions']))
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
'resubmit(,{:d})'.format(
fwaas_ovs_consts.REG_NET, flow['actions'],
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
)
result.append(flow)
return result
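Review bot: The ingress branch of create_accept_flows now appends `resubmit(,ACCEPTED_INGRESS_TRAFFIC_TABLE)` after the `ct(commit,...)` and `output:` actions, so presumably only the packet that commits an ingress session reaches the accepted-traffic table, but nothing in the function's visible text states that contract, and the egress branch (above the hunk; only the `resubmit_to_sg(flow)` tail is shown) is not visible, so confirm egress accept flows get a matching `resubmit(,ACCEPTED_EGRESS_TRAFFIC_TABLE)` now that the driver's egress base flows use `normal`. A docstring sentence such as `Only the first packet of an accepted ingress session (the ct commit flow) is resubmitted to the accepted-traffic table; later packets are handled by the driver's ct_state flows.` would make that explicit. Style-wise, three implicitly concatenated literals with `.format(` hanging off the last one are easy to misread; binding the template first, e.g. `tmpl = 'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},resubmit(,{:d})'`, keeps the action string in one piece. create_accept_flows starts outside the hunk.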


@ -16,8 +16,6 @@ import mock
from neutron_lib import constants
from neutron.common import constants as n_const
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
as ovs_consts
from neutron.tests import base
from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\
@ -189,9 +187,8 @@ class TestCreateProtocolFlows(base.BaseTestCase):
rule = {'protocol': constants.PROTO_NUM_TCP}
expected_flows = [{
'table': fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
'actions': 'output:1,resubmit(,%d)' % (
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
'nw_proto': constants.PROTO_NUM_TCP,
'actions': 'output:1',
'nw_proto': constants.PROTO_NUM_TCP
}]
self._test_create_protocol_flows_helper(
constants.INGRESS_DIRECTION, rule, expected_flows)
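Review bot: With the `ovs_consts` import removed in this file's first hunk, no test in the module can reference ACCEPTED_INGRESS_TRAFFIC_TABLE any more, so the resubmit that create_accept_flows now appends to ingress accept flows appears to go unasserted here — the only expectation updated is `'actions': 'output:1'` in TestCreateProtocolFlows, which exercises the template before create_accept_flows rewrites it. A create_accept_flows test expecting the full ingress action string, e.g. `'ct(commit,zone=NXM_NX_REG%d[0..15]),output:1,resubmit(,%d)' % (fwaas_ovs_consts.REG_NET, ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)`, would pin the behaviour the commit message describes, and would need that import kept. Whether such a test already exists elsewhere in the module is not visible from these hunks.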