security group denies TCP flows when chassis-snat is enabled

The ingress packet should pass through the security group flows so that
CT can update the state of the flow. Otherwise, the subsequent flows
would be blocked by the security group because of an invalid state of
the flow

Change-Id: I94cb3ec06d1b1335586c353a35020c9655d520af
Closes-Bug: 1792307
wangjian 2018-09-13 09:46:30 +08:00
parent 3574f6fa54
commit 74a54b4446
3 changed files with 13 additions and 4 deletions


@ -162,6 +162,7 @@ class ChassisSNATApp(df_base_app.DFlowApp, snat_mixin.SNATApp_mixin):
self._install_snat_ingress_after_conntrack(
lport.unique_key,
lport.mac,
lport.lswitch.unique_key,
self.external_host_mac)
def remove_lport_based_flows(self, lport):


@ -209,6 +209,7 @@ class SNATApp_mixin(object):
def _install_snat_ingress_after_conntrack(self,
unique_key,
vm_mac,
network_id,
external_host_mac):
"""complements reverse sNAT translation from unique IP to tenant IP
@ -236,12 +237,13 @@ class SNATApp_mixin(object):
parser.NXActionRegMove(
src_field='ct_label',
dst_field='ipv4_dst',
n_bits=32)
n_bits=32),
parser.OFPActionSetField(metadata=network_id),
]
action_inst = parser.OFPInstructionActions(
ofproto.OFPIT_APPLY_ACTIONS, actions)
goto_inst = parser.OFPInstructionGotoTable(
const.INGRESS_DISPATCH_TABLE)
const.INGRESS_DESTINATION_PORT_LOOKUP_TABLE)
inst = [action_inst, goto_inst]
self.mod_flow(
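Review bot: The docstring of `_install_snat_ingress_after_conntrack` (first hunk of this file) still only says it "complements reverse sNAT translation", while the second hunk changes what the flow does after translation: it now also stamps `metadata=network_id` and jumps to `INGRESS_DESTINATION_PORT_LOOKUP_TABLE` instead of `INGRESS_DISPATCH_TABLE`, which is the whole point of the fix. The new `network_id` parameter is undocumented; suggest extending the docstring with `network_id: unique key of the port's logical switch, written to metadata so the translated packet re-enters the normal ingress pipeline (destination port lookup and the tables after it) instead of being dispatched directly.` Per the commit message that re-entry is what lets the security group / conntrack flows see the packet, but the match side of this flow and the table ordering are outside the hunk, so that dependency should be stated as an assumption in the docstring rather than asserted. The function body begins in the first hunk and continues past the end of the second.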


@ -12,6 +12,7 @@
from oslo_config import cfg
from dragonflow.controller.common import constants as const
from dragonflow.db.models import l2
from dragonflow.tests.common import utils
from dragonflow.tests.fullstack import test_base
from dragonflow.tests.fullstack import test_objects as objects
@ -26,13 +27,15 @@ class TestSnatFlows(test_base.DFTestBase):
return SNAT_APP_NAME in cfg.CONF.df.apps_list
def _check_port_based_flows(self,
flows, hex_port_key, external_host_mac, mac):
flows, hex_port_key,
hex_lswitch_key, external_host_mac, mac):
match = 'ct_mark=' + hex_port_key + ',ip'
action = 'set_field:' + external_host_mac + '->eth_src' \
',set_field:' + mac + '->eth_dst' \
',load:' + hex_port_key + '->NXM_NX_REG7[]' + \
',move:NXM_NX_CT_LABEL[0..31]->NXM_OF_IP_DST[]' + \
',goto_table:' + str(const.INGRESS_DISPATCH_TABLE)
',set_field:' + hex_lswitch_key + '->metadata' + \
',goto_table:' + str(const.INGRESS_DESTINATION_PORT_LOOKUP_TABLE)
port_based_ingress = None
for flow in flows:
@ -82,9 +85,12 @@ class TestSnatFlows(test_base.DFTestBase):
exception=Exception('No port assigned to VM')
)
port_key = port.unique_key
network_key = network.nb_api.get(
l2.LogicalSwitch(id=network_id)).unique_key
r = self._check_port_based_flows(
ovs.dump(self.integration_bridge),
hex(port_key),
hex(network_key),
external_host_mac,
mac)
for key, value in r.items():
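Review bot: In the last hunk, `network.nb_api.get(l2.LogicalSwitch(id=network_id)).unique_key` will raise an AttributeError if the NB DB lookup returns `None`, which makes a missing logical switch look like a test bug rather than a setup failure; the port lookup just above it already fails with an explicit `Exception('No port assigned to VM')`. Suggest splitting the lookup and checking it: `lswitch = network.nb_api.get(l2.LogicalSwitch(id=network_id))` / `self.assertIsNotNone(lswitch, 'Logical switch not found in NB DB')` / `network_key = lswitch.unique_key`. The expected action string in the earlier hunk hard-codes `hex(network_key)` for the `->metadata` field, so the test also depends on OVS printing metadata in that exact hex form; that cannot be confirmed from the diff. The enclosing test method starts outside the hunk.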