Commit Graph

30 Commits

Author SHA1 Message Date
Slawek Kaplonski a22d6d6a95 Use ovs constants from neutron-lib
Ovs constants were moved from neutron to neutron_lib some time ago.
This patch switches to using them from neutron-lib already.

That decision was agreed during the Neutron team meeting. See [1] for
details.

[1] https://meetings.opendev.org/meetings/networking/2021/networking.2021-11-09-14.00.log.html#l-83

Requires: https://review.opendev.org/c/openstack/neutron-lib/+/834908

Change-Id: I2fd1954bec6a52856195190441d77ac8b7d97055
2022-06-17 10:36:44 +05:30
Oleg Bondarev 0ddca28454 Make sure "dead vlan" ports cannot transmit packets
https://review.opendev.org/c/openstack/neutron/+/820897 added
a dead vlan flow that pushes the dead vlan tag onto frames
belonging to dead ports before these ports are reassigned to
their proper vlans. However, add_flow and delete_flows race, and
delete_flows may run before add_flow, in which case it deletes 0 flows
but gives us no chance to detect this: it neither throws
an error nor returns the number of deleted flows.
This leads to the port staying inaccessible forever and hence
breaks the corresponding DHCP or router.

The current patch suggests another approach to make sure no packets are
leaked from newly plugged ports: setting their "vlan_mode" attribute
to "trunk" and "trunks"=[4095] (along with assigning the dead VLAN tag).
With this, the OVS normal pipeline will allow only packets tagged with 4095
from such ports [1], which normally does not happen, but even if it does,
the default rule in br-int will drop them anyway.
Thus untagged packets from such ports will also be dropped until the
ovs agent sets the proper VLAN tag and clears vlan_mode to the default
("access").

This approach avoids the race between the dhcp/l3 and ovs agents because
the dhcp/l3 agents no longer modify the flow table.

This partially reverts commit 7aae31c9f9

[1] https://docs.openvswitch.org/en/latest/ref/ovs-actions.7/?highlight=ovs-actions#the-ovs-normal-pipeline

Closes-Bug: #1930414
Closes-Bug: #1959564
Change-Id: I0391dd24224f8656a09ddb002e7dae8783ba37a4
2022-02-04 16:43:03 +03:00
Bence Romsics 7aae31c9f9 Make the dead vlan actually dead
All ports plugged into the dead vlan (DEAD_VLAN_TAG 4095 or 0xfff)
should not be able to send or receive traffic. We install a flow
to br-int to drop all traffic of the dead vlan [1]. However, before
this patch the flow we install looks like:

priority=65535,vlan_tci=0x0fff/0x1fff actions=drop

which is wrong, and it usually does not match anything.

According to ovs-fields(7), section Open vSwitch Extension VLAN Field,
VLAN TCI Field [2] (see especially the usage example
vlan_tci=0x1123/0x1fff), we need to explicitly set the bit 0x1000
to match the presence of an 802.1Q header.

Setting that bit, this flow becomes:
priority=65535,vlan_tci=0x1fff/0x1fff actions=drop

which is equivalent to:
priority=65535,dl_vlan=4095 actions=drop

which should match and drop dead vlan traffic.

However, there's a second problem: ovs access ports were designed to
work together with the NORMAL action. The NORMAL action considers the
vlan of an access port, but the openflow pipeline does not. An openflow
rule does not see the vlan set for an access port, because that vlan
tag is only pushed onto the frame if and when the frame leaves the switch
on a trunk port [3][4].

So we have to explicitly push the DEAD_VLAN_TAG if we want the dead
vlan's drop flow to match anything.

That means we are adding a flow to push the dead vlan tag from
dhcp-agent/l3-agent, but we are deleting that flow from ovs-agent right
after ovs-agent sets the vlan tag of the port to a non-dead vlan, which
is ugly, but we have to keep adding the flow as early as possible if we
want to minimize the window until frames can leak onto the dead vlan.
Even with this change there's a short time window in which the dead vlan
could theoretically leak.

[1] ecdc11a564/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py (L60-L62)
[2] http://www.openvswitch.org/support/dist-docs/ovs-fields.7.html
[3] https://mail.openvswitch.org/pipermail/ovs-discuss/2021-December/051647.html
[4] https://docs.openvswitch.org/en/latest/faq/vlan/
    see 'Q: My OpenFlow controller doesn’t see the VLANs that I expect.'

Change-Id: Ib6b70114efb140cf1393b57ebc350fea4b0a2443
Closes-Bug: #1930414
2022-01-12 12:06:12 +01:00
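A small model of the vlan_tci matching discussed in the commit above, added here as an illustration and not part of any neutron commit. It follows the ovs-fields(7) convention that bit 0x1000 marks the presence of an 802.1Q header and that dl_vlan=N is shorthand for vlan_tci=(0x1000|N)/0x1fff; the frame names and helper functions are constructed for this example.

```python
# Constructed example: evaluate OpenFlow "vlan_tci=VALUE/MASK" and "dl_vlan=N"
# matches against the VLAN TCI that OVS exposes for a frame, to show why the
# old dead-vlan drop flow never matched and the corrected one does.

DEAD_VLAN_TAG = 4095      # 0xfff, as in the commit message
VLAN_PRESENT = 0x1000     # ovs-fields(7): set when an 802.1Q header is present
VID_MASK = 0x0fff


def tci_for_frame(vid=None, pcp=0):
    """Return the vlan_tci value OVS exposes for a frame.

    vid=None models an untagged frame (tci == 0); this is also what the
    openflow pipeline sees for a frame from an access port, because the
    access vlan is only pushed on egress through a trunk port.
    """
    if vid is None:
        return 0
    return VLAN_PRESENT | (pcp << 13) | (vid & VID_MASK)


def parse_match(spec):
    """Parse 'vlan_tci=0x1fff/0x1fff' or 'dl_vlan=4095' into (value, mask)."""
    key, _, rest = spec.partition("=")
    if key == "dl_vlan":
        return VLAN_PRESENT | int(rest, 0), VLAN_PRESENT | VID_MASK
    if key == "vlan_tci":
        value, _, mask = rest.partition("/")
        mask_int = int(mask, 0) if mask else 0xFFFF   # no mask means exact match
        return int(value, 0), mask_int
    raise ValueError(f"unsupported match field: {key}")


def matches(spec, tci):
    """True if the frame's TCI satisfies the masked match."""
    value, mask = parse_match(spec)
    return (tci & mask) == (value & mask)


def dead_vlan_report():
    """Evaluate the old and corrected drop-flow matches against sample frames."""
    frames = {
        "untagged": tci_for_frame(),
        "tagged 4095": tci_for_frame(DEAD_VLAN_TAG),
        "tagged 4095, pcp 5": tci_for_frame(DEAD_VLAN_TAG, pcp=5),
        "tagged 100": tci_for_frame(100),
    }
    flows = ["vlan_tci=0x0fff/0x1fff", "vlan_tci=0x1fff/0x1fff", "dl_vlan=4095"]
    return {f: {n: matches(f, t) for n, t in frames.items()} for f in flows}
```

The report shows the old match `0x0fff/0x1fff` hitting none of the frames (it requires VID 4095 with the present bit clear, which no real frame has), while the corrected match and `dl_vlan=4095` agree on every tagged frame and both still miss the untagged row, which is the access-port problem the commit describes.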
Ihar Hrachyshka 4aeec20001 Drop of_interface option
The default value for the "of_interface" config option was switched
to "native" in the Pike release.
In the same release this option was deprecated for removal.
Now it's time to remove it and force use of the "native" driver to
manage openflows.

Change-Id: Ic900209868acfbe3bbb56fabbbf5c4472857e412
Co-Authored-By: Ihar Hrachyshka <ihrachys@redhat.com>
Co-Authored-By: Slawek Kaplonski <skaplons@redhat.com>
2019-05-24 10:33:48 +02:00
Boden R 9bbe9911c4 remove neutron.common.constants
All of the externally consumed variables from neutron.common.constants
now live in neutron-lib. This patch removes neutron.common.constants
and switches all uses over to lib.

NeutronLibImpact

Depends-On: https://review.openstack.org/#/c/647836/
Change-Id: I3c2f28ecd18996a1cee1ae3af399166defe9da87
2019-04-04 14:10:26 -06:00
Jakub Libosvar 8b2c40366b ovs-fw: Apply openflow rules immediately during update
Because the update operation updates openflow rules three times:
 1) New rules with new cookie
 2) Delete old rules with old cookie
 3) Change new cookie back to old cookie

and step 2) uses the --strict parameter, rules need to be applied
before deleting the old rules, because the --strict parameter cannot be
combined with non-strict. This patch applies openflow rules after
step 1); then the --strict rules in step 2) are applied right away, and then
the rest of the delete part from 2) and all new rules from 3) are applied
together.

This patch adds an optional interval parameter to the Pinger class which sends
more ICMP packets per second in the firewall blink tests to increase the
chance of sending a packet while the firewall is in an inconsistent state.

Change-Id: I25d9c87225feda1b5ddd442dd01529424186e05b
Closes-bug: #1708731
2018-04-23 14:49:16 +00:00
Boden R d55e824310 use EGRESS_DIRECTION and INGRESS_DIRECTION from neutron-lib
The EGRESS_DIRECTION and INGRESS_DIRECTION constants live in neutron-lib
now. This patch removes them from neutron and uses lib's version of
them.

NeutronLibImpact

Change-Id: I1b81f5c3de9e6f2c0967c2db23ddb716ee7ec6b9
2018-02-23 10:36:36 -07:00
Jakub Libosvar 6370a04710 ovsfw: Fix overlapping MAC addresses on integration bridge
The patch relies on the fact that traffic not coming from an instance
(and thus from a port not managed by the firewall) is tagged. Traffic coming from
the instance is not tagged and thus a net register is used for marking
such traffic. These two approaches make matching rules unique even if
two ports from different networks share the same mac address.

Traffic coming from trusted ports is marked with the network in a register
so the firewall can later decide which network the traffic belongs to.

Closes-bug: #1626010

Change-Id: Ia05d75a01b0469a0eaa82ada67b16a9481c50f1c
2017-07-20 14:26:07 +00:00
Jakub Libosvar d559cd53e8 ovs-fw: Use TRANSIENT table for traffic classification
Commit ce8a0b2b7d introduces a TRANSIENT
table where all traffic local to br-int is sent after it's been
preprocessed by other features using openflow. This patch adopts the
table.

Change-Id: Ic66c186ab73bad6fcd133f2b9d15e07fd0eebb33
Related-bug: #1696983
2017-07-11 15:24:46 +00:00
Kevin Benton c76164c058 Move conntrack zones to IPTablesFirewall
The regular IPTablesFirewall needs zones to support safely
clearing conntrack entries.

In order to support the single bridge use case, the conntrack
manager had to be refactored slightly to allow zones to be
either unique to ports or unique to networks.

Since all ports in a network share a bridge in the IPTablesDriver
use case, a zone per port cannot be used since there is no way
to distinguish which zone traffic should be checked against when
traffic enters the bridge from outside the system.

A zone per network is adequate for the single bridge per network
solution since it implicitly does not suffer from the double-bridge
cross in a single network that led to per-port usage in OVS [1].

This had to adjust the functional firewall tests to use the correct
bridge name now that it's relevant in the non-hybrid IPTables case.

1. Ibe9e49653b2a280ea72cb95c2da64cd94c7739da

Closes-Bug: #1668958
Closes-Bug: #1657260
Change-Id: Ie88237d3fe4807b712a7ec61eb932748c38952cc
2017-03-30 14:54:51 -07:00
Brian Haley bd64327007 Change in-tree code to use moved get_ip_version()
Now that get_ip_version() is in common/utils.py,
change all in-tree users to use it and not
generate removal warnings.

Trivialfix

Change-Id: I623a10f3a52f80b650e5410df8b03729eb823134
2017-03-08 11:35:29 -05:00
Jakub Libosvar a66c271935 ovsfw: Raise exception if tag cannot be found in other_config
Previously, if the tag was not present in other_config obtained from ovsdb
for any reason, the DEAD VLAN tag was used. This is not smart at all as it
puts all conntrack entries into one point. Also the tag is mandatory and if
other_config doesn't contain it, it's a huge mistake that should never
happen.

Change-Id: I91ab75b52b70dbba4c7823550bfdfe0ab9396336
Related-bug: 1564947
2016-12-19 08:07:47 -05:00
Jakub Libosvar 2e5b4cb1f9 functional: Pass string tag to other_config
other_config is a map type expecting {"string": "string", } values.
This patch makes sure a string is passed when setting the VLAN tag in
other_config.

Change-Id: Ie7af248b4609524631770f76398d06d8092c0f9d
Closes-bug: 1643484
2016-11-21 04:22:00 -05:00
Jakub Libosvar f0439a04ad fullstack: VLAN aware VMs test
The patch tests the basic life-cycle of a trunk associated with a port. The test
creates a trunk with one subport; this tests the interaction between the
agent and the ovsdb handler that calls the server via RPC.
Later a new subport is added, which tests the RPC interaction between
server and agent. Then the first created subport is deleted. Finally the trunk
is removed and it is checked that no patch ports remain on the integration
bridge.

Future work:
 - Run this test with linuxbridge
 - Test re-using port associated with trunk.
 - Test re-using subports.
 - Test with OVS firewall.

Partially-implements: blueprint vlan-aware-vms
Change-Id: Ie79a010e6751c1f1c2be5b1bf52511b9e100ad20
2016-09-29 13:23:39 -04:00
Jenkins d8f811df78 Merge "Fix unbalanced-tuple-unpacking pylint error in conn_testers"
2016-08-29 20:55:00 +00:00
Jakub Libosvar 6267a6e8de Fix unbalanced-tuple-unpacking pylint error in conn_testers
The error can be triggered by running "tox -epep8 HEAD~1" while having a
change in conn_testers module.

TrivialFix

Change-Id: I7c684c9b6c97f6974e0c71739e068598c9b0e7f0
2016-08-27 12:18:49 +00:00
Jakub Libosvar 2618726458 functional: Make trunk tests more robust
New methods for the connection tester are introduced in this patch. They
send a certain amount of icmp packets and then compare the results, so we
succeed in positive tests only when all packets were replied to. We succeed
in negative tests only when all packets were lost. Both approaches are
wrapped by actively waiting for a successful result so we don't fail in the
case where we test connectivity while resources are not wired yet.

This change is a follow-up to https://review.openstack.org/#/c/335536/ to
improve the stability of its functional tests.

Closes-Bug: 1617319

Change-Id: I907ebd790f4ba3b4ecb0dce711c9f7d2c5244765
2016-08-26 13:24:26 +00:00
rossella 35ffbed6f7 TrunkManager for the OVS agent
This patch introduces the TrunkManager for the OVS
agent. This class is responsible for wiring the trunk
and the subports.

Partially-implements: blueprint vlan-aware-vms
Co-Authored-By: Jakub Libosvar <libosvar@redhat.com>

Change-Id: I498560798983177ce7b64e1a8f32f1a157558897
2016-08-24 02:52:17 -04:00
Henry Gessau 4148a347b3 Use constants from neutron-lib
With this we enable the deprecation warnings by default.

Related-Blueprint: neutron-lib

Change-Id: I5b9e53751dd164010e5bbeb15f534ac0fe2a5105
2016-04-23 21:23:56 -04:00
Jakub Libosvar dabd969090 ovsfw: Load vlan tag from other_config
The OVS agent stores the vlan tag only in other_config before
setup_port_filter() is called [1], leaving the 'tag' column empty. This
patch loads the tag from the correct place and modifies the functional tests
accordingly.

Closes-Bug: 1566934
[1] 1efed3a532/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py (L821)

Change-Id: Iaae46ce7362fedfc53af958600d6d712eb382e9f
2016-04-11 10:55:56 +00:00
Jakub Libosvar 4f6aa3ffde ovs-fw: Mark conntrack entries invalid if no rule is matched
This patch makes sure that an existing connection breaks once the security
group rule that allowed such a connection is removed. In order to correctly
track connections on the same hypervisor, zones were changed from
per-port to per-network (based on the port's vlan tag). This information is
now stored in register 6. Also a test was added for RELATED
connections to avoid marking such connections as invalid by REPLY rules.

Closes-Bug: 1549370
Change-Id: Ibb5942a980ddd8f2dd7ac328e9559a80c05789bb
2016-03-23 16:05:49 +00:00
Jakub Libosvar 420d5c7987 conn_testers: Bump timeout for ICMPv6 echo tests
In IPv6 scenarios NDP can increase the round-trip time of ICMPv6 packets to over
1 second. The patch increases the timeout for ICMPv6 to 2 seconds. Note
that this will lengthen scenarios where ping is supposed to fail.

Change-Id: Iec7d3138aee3fc904312dbc45ef76854ad0ea789
Closes-Bug: 1557946
2016-03-18 12:51:23 +00:00
Jakub Libosvar cd84563623 security-groups: Add ipv6 support to ovs firewall
Closes-bug: 1547616
Change-Id: I8f925afa50f36d073f52bd03954939ca14c505d7
2016-03-07 13:18:33 +00:00
Assaf Muller 544753b211 Revert "tests: Collect info on failure of conn_tester"
More info in bug report. I suggest we first revert, then
re-introduce the collect_debug_info patch with a different
approach. I suspect the fix is not trivial if indeed ordering
is an issue and the namespaces are cleaned up before
collect_debug_info is fired.

Related-Bug: #1548547
Change-Id: Ice93abbc6e143cdbb90e7d41d1be86dc9eb05006
2016-02-22 18:02:11 -05:00
Jakub Libosvar ef29f7eb9a Open vSwitch conntrack based firewall driver
This firewall requires an OVS version of 2.5+ supporting conntrack and kernel
conntrack datapath support (kernel>=4.3). For more information, see
https://github.com/openvswitch/ovs/blob/master/FAQ.md

As part of this, new entry points for the current reference firewalls were
added.

Configuration:
in openvswitch_agent.ini:
    - in the securitygroup section set firewall_driver to openvswitch

DocImpact
Closes-bug: #1461000

Co-Authored-By: Miguel Angel Ajo Pelayo <mangelajo@redhat.com>
Co-Authored-By: Amir Sadoughi <amir.sadoughi@rackspace.com>

Change-Id: I13e5cda8b5f3a13a60b14d80e54f198f32d7a529
2016-02-16 16:47:21 +00:00
Jakub Libosvar 66503bd90d tests: Use constants for icmp and arp in conn_testers
Change-Id: I417f88b51dae369310710d359e0f602df9404cb1
2016-02-15 18:09:10 +00:00
Jakub Libosvar 00ffb557d6 tests: Collect info on failure of conn_tester
Whenever an instance of ConnectionTester raises ConnectionTesterException,
custom info is collected and printed into the debug log. This is useful
for debugging non-deterministic gate failures.

Change-Id: Ie886dec9c0e805fa8710af8ae3cb70855fd4ad29
2016-02-13 10:44:01 +00:00
Jakub Libosvar a459950da3 Add firewall blink + remote SG functional tests
This tests that the firewall still serves its purpose even when rules are
being updated. That means there is no short period of time where
security groups are inactive during an update.

Part of this patch introduces the Pinger class. This object provides the
capability of sending ICMP packets asynchronously, and after
it's stopped it provides statistics like how many packets were
sent and how many were received. Note the difference from the
assert_ping() functions, which are synchronous.

Another test of remote security groups is also added.

Related-bug: #1461000
Change-Id: I6251ee264396f8dbc9b284758b96e5cdc6ac500b
2015-12-23 16:52:02 +00:00
Edgar Magana e12851f2df Fix typos in neutron code
Fix typos found in neutron code and docs

Change-Id: I4afc3a4b36dd47d47d1238ac22e7f09e2d75050d
Related-Bug: #1424139
2015-08-04 09:28:02 -07:00
Jakub Libosvar 2759f130b4 Introduce connection testers module
This module provides tools for testing simple connectivity between two
endpoints via a given technology. The current patch implements endpoints
connected through either a linux bridge or an openvswitch bridge.
Connectivity can be tested using the icmp, arp, tcp and udp protocols.

Change-Id: I00e19fd9b80dc6f6743eb735523bd8f5ff096136
2015-07-09 09:52:55 +00:00