security group denies TCP flows when chassis-snat is enabled
The ingress packet should pass through the security group flows to let CT update the state of the flow. Otherwise, the subsequent flows would be blocked by the security group because of an invalid state of the flow. Change-Id: I94cb3ec06d1b1335586c353a35020c9655d520af Closes-Bug: 1792307
This commit is contained in:
parent
3574f6fa54
commit
74a54b4446
|
@ -162,6 +162,7 @@ class ChassisSNATApp(df_base_app.DFlowApp, snat_mixin.SNATApp_mixin):
|
|||
self._install_snat_ingress_after_conntrack(
|
||||
lport.unique_key,
|
||||
lport.mac,
|
||||
lport.lswitch.unique_key,
|
||||
self.external_host_mac)
|
||||
|
||||
def remove_lport_based_flows(self, lport):
|
||||
|
|
|
@ -209,6 +209,7 @@ class SNATApp_mixin(object):
|
|||
def _install_snat_ingress_after_conntrack(self,
|
||||
unique_key,
|
||||
vm_mac,
|
||||
network_id,
|
||||
external_host_mac):
|
||||
"""complements reverse sNAT translation from unique IP to tenant IP
|
||||
|
||||
|
@ -236,12 +237,13 @@ class SNATApp_mixin(object):
|
|||
parser.NXActionRegMove(
|
||||
src_field='ct_label',
|
||||
dst_field='ipv4_dst',
|
||||
n_bits=32)
|
||||
n_bits=32),
|
||||
parser.OFPActionSetField(metadata=network_id),
|
||||
]
|
||||
action_inst = parser.OFPInstructionActions(
|
||||
ofproto.OFPIT_APPLY_ACTIONS, actions)
|
||||
goto_inst = parser.OFPInstructionGotoTable(
|
||||
const.INGRESS_DISPATCH_TABLE)
|
||||
const.INGRESS_DESTINATION_PORT_LOOKUP_TABLE)
|
||||
inst = [action_inst, goto_inst]
|
||||
|
||||
self.mod_flow(
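Review bot: The reason for retargeting `goto_inst` from INGRESS_DISPATCH_TABLE to INGRESS_DESTINATION_PORT_LOOKUP_TABLE, and for the new `parser.OFPActionSetField(metadata=network_id)` action, lives only in the commit message, so a later change could send this flow straight to dispatch again and silently reintroduce the security-group bypass for reverse-SNAT traffic. Add a comment above `goto_inst`: `# Re-enter the ingress pipeline at the port-lookup table instead of jumping to dispatch, so reverse-SNAT packets traverse the security-group tables and conntrack tracks the flow; the lswitch key written to metadata above is presumably what those tables match on.` The docstring opened in the earlier hunk of this file (`"""complements reverse sNAT translation ...`) should also describe the new parameter, e.g. `:param network_id: unique key of the port's logical switch, written to the packet metadata before the goto`. The enclosing `_install_snat_ingress_after_conntrack` body and its `mod_flow` call continue outside the hunk.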
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
from oslo_config import cfg
|
||||
|
||||
from dragonflow.controller.common import constants as const
|
||||
from dragonflow.db.models import l2
|
||||
from dragonflow.tests.common import utils
|
||||
from dragonflow.tests.fullstack import test_base
|
||||
from dragonflow.tests.fullstack import test_objects as objects
|
||||
|
@ -26,13 +27,15 @@ class TestSnatFlows(test_base.DFTestBase):
|
|||
return SNAT_APP_NAME in cfg.CONF.df.apps_list
|
||||
|
||||
def _check_port_based_flows(self,
|
||||
flows, hex_port_key, external_host_mac, mac):
|
||||
flows, hex_port_key,
|
||||
hex_lswitch_key, external_host_mac, mac):
|
||||
match = 'ct_mark=' + hex_port_key + ',ip'
|
||||
action = 'set_field:' + external_host_mac + '->eth_src' \
|
||||
',set_field:' + mac + '->eth_dst' \
|
||||
',load:' + hex_port_key + '->NXM_NX_REG7[]' + \
|
||||
',move:NXM_NX_CT_LABEL[0..31]->NXM_OF_IP_DST[]' + \
|
||||
',goto_table:' + str(const.INGRESS_DISPATCH_TABLE)
|
||||
',set_field:' + hex_lswitch_key + '->metadata' + \
|
||||
',goto_table:' + str(const.INGRESS_DESTINATION_PORT_LOOKUP_TABLE)
|
||||
|
||||
port_based_ingress = None
|
||||
for flow in flows:
|
||||
|
@ -82,9 +85,12 @@ class TestSnatFlows(test_base.DFTestBase):
|
|||
exception=Exception('No port assigned to VM')
|
||||
)
|
||||
port_key = port.unique_key
|
||||
network_key = network.nb_api.get(
|
||||
l2.LogicalSwitch(id=network_id)).unique_key
|
||||
r = self._check_port_based_flows(
|
||||
ovs.dump(self.integration_bridge),
|
||||
hex(port_key),
|
||||
hex(network_key),
|
||||
external_host_mac,
|
||||
mac)
|
||||
for key, value in r.items():
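Review bot: `network.nb_api.get(l2.LogicalSwitch(id=network_id)).unique_key` dereferences the lookup result without checking it, so if the switch is not found (the `get` helper presumably returns None in that case) the test dies with an AttributeError instead of a clear failure, unlike the explicit `'No port assigned to VM'` exception a few lines above. Split it into `lswitch = network.nb_api.get(l2.LogicalSwitch(id=network_id))`, `self.assertIsNotNone(lswitch, 'Logical switch %s not found' % network_id)`, and `network_key = lswitch.unique_key`. The enclosing test method starts before and continues after this hunk.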
|
||||
|
|