Merge "Should forward only first accepted packet to table 91 and 92"

Zuul 2018-09-04 18:42:31 +00:00 committed by Gerrit Code Review
commit 08ac104838
3 changed files with 17 additions and 33 deletions


@ -544,9 +544,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
dl_type=constants.ETHERTYPE_IPV6,
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
icmp_type=icmp_type,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
)
actions='normal')
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
# which differs in constants (table numbers) and exception classes
@ -582,8 +580,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
priority=80,
reg_port=ovs_port.ofport,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
actions='normal',
)
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
@ -622,8 +619,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
dl_src=mac_addr,
dl_type=constants.ETHERTYPE_ARP,
arp_spa=ip_addr,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
actions='normal'
)
self._add_flow(
table=fwaas_ovs_consts.FW_BASE_EGRESS_TABLE,
@ -746,8 +742,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
priority=80,
reg_port=port.ofport,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
actions='normal'
)
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
@ -780,8 +775,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
reg_port=port.ofport,
ct_zone=port.vlan_tag,
actions='resubmit(,%d)' % (
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
actions='normal'
)
self._add_flow(
table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
@ -815,9 +809,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
dl_type=constants.ETHERTYPE_IPV6,
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
icmp_type=icmp_type,
actions='output:{:d},resubmit(,{:d})'.format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
actions='output:{:d}'.format(port.ofport)
)
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
@ -829,9 +821,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
priority=100,
dl_type=constants.ETHERTYPE_ARP,
reg_port=port.ofport,
actions='output:{:d},resubmit(,{:d})'.format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
actions='output:{:d}'.format(port.ofport)
)
self._initialize_ingress_ipv6_icmp(port)
@ -847,9 +837,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
nw_proto=lib_const.PROTO_NUM_UDP,
tp_src=src_port,
tp_dst=dst_port,
actions='output:{:d},resubmit(,{:d})'.format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
actions='output:{:d}'.format(port.ofport)
)
# Track untracked
@ -902,9 +890,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
ct_state=state,
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
ct_zone=port.vlan_tag,
actions='output:{:d},resubmit(,{:d})'.format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
actions='output:{:d}'.format(port.ofport)
)
self._add_flow(
table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
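Review bot: The ingress base flows for ICMPv6, ARP and DHCP (the hunks that now end in `actions='output:{:d}'.format(port.ofport)`) no longer reach ACCEPTED_INGRESS_TRAFFIC_TABLE at all, not merely "after the first packet": these flows do no ct(commit), so after this commit nothing forwards them to table 92, and whatever consumes that table (presumably the logging extension) loses all visibility of accepted ARP/ND/DHCP traffic. If that is intended it deserves a comment on the first of those flows, e.g. `# Stateless ingress allows (ARP/ND/DHCP) are output directly; only the ct(commit) flow built in rules.create_accept_flows resubmits to ACCEPTED_INGRESS_TRAFFIC_TABLE.` Relatedly, the `NOTE(ivasilevskaya)` lines still say this code differs from the neutron ovsfw driver only in constants and exception classes, which no longer holds if the neutron driver keeps its resubmit actions. Every method touched in this file starts and ends outside its hunk.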


@ -88,9 +88,7 @@ def populate_flow_common(direction, flow_template, port):
"""Initialize common flow fields."""
if direction == n_consts.INGRESS_DIRECTION:
flow_template['table'] = fwaas_ovs_consts.FW_RULES_INGRESS_TABLE
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
flow_template['actions'] = "output:{:d}".format(port.ofport)
elif direction == n_consts.EGRESS_DIRECTION:
flow_template['table'] = fwaas_ovs_consts.FW_RULES_EGRESS_TABLE
# Traffic can be both ingress and egress, check that no ingress rules
@ -190,8 +188,11 @@ def create_accept_flows(flow, sg_enabled=False):
resubmit_to_sg(flow)
elif flow['table'] == fwaas_ovs_consts.FW_RULES_INGRESS_TABLE:
flow['actions'] = (
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
fwaas_ovs_consts.REG_NET, flow['actions']))
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
'resubmit(,{:d})'.format(
fwaas_ovs_consts.REG_NET, flow['actions'],
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
)
result.append(flow)
return result
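Review bot: The resubmit to ACCEPTED_INGRESS_TRAFFIC_TABLE is now attached only to the flow that carries `ct(commit,...)`, i.e. the copy appended after `result` was first populated; the earlier copy (in the neutron driver this mirrors, the `+new-est` one) keeps the bare `output:N` from populate_flow_common, so the genuinely first packet of an accepted ingress connection does not visit table 92, which reads differently from the commit title's "first accepted packet". If "first accepted packet" deliberately means the committing packet, state that where the actions are built: `# Only the committing flow is resubmitted, so table 92 sees one packet per accepted connection.` Otherwise the first copy needs the same `resubmit(,{:d})` suffix. The head of create_accept_flows, including where the ct_state copies are made, is outside this hunk, so the ordering above is inferred from the upstream driver and should be checked.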


@ -16,8 +16,6 @@ import mock
from neutron_lib import constants
from neutron.common import constants as n_const
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
as ovs_consts
from neutron.tests import base
from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\
@ -189,9 +187,8 @@ class TestCreateProtocolFlows(base.BaseTestCase):
rule = {'protocol': constants.PROTO_NUM_TCP}
expected_flows = [{
'table': fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
'actions': 'output:1,resubmit(,%d)' % (
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
'nw_proto': constants.PROTO_NUM_TCP,
'actions': 'output:1',
'nw_proto': constants.PROTO_NUM_TCP
}]
self._test_create_protocol_flows_helper(
constants.INGRESS_DIRECTION, rule, expected_flows)
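Review bot: Removing the `ovs_consts` import from this test module suggests nothing left in it references ACCEPTED_INGRESS_TRAFFIC_TABLE, so the behaviour the commit actually introduces — the `ct(commit,zone=...),output:1,resubmit(,92)` action on the ingress accept flow built by create_accept_flows — is not pinned by any visible test; the updated expectation only checks the pre-commit template `'actions': 'output:1'`. A test that calls create_accept_flows with a FW_RULES_INGRESS_TABLE flow and asserts the second flow's actions end in `'resubmit(,%d)' % ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE` would catch a regression of the fix. TestCreateProtocolFlows continues outside this hunk.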