Merge "Should forward only first accepted packet to table 91 and 92"
commit
08ac104838
|
@ -544,9 +544,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
actions='normal')
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
# which differs in constants (table numbers) and exception classes
|
||||
|
@ -582,8 +580,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
||||
priority=80,
|
||||
reg_port=ovs_port.ofport,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal',
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
|
@ -622,8 +619,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_src=mac_addr,
|
||||
dl_type=constants.ETHERTYPE_ARP,
|
||||
arp_spa=ip_addr,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_BASE_EGRESS_TABLE,
|
||||
|
@ -746,8 +742,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
|
||||
priority=80,
|
||||
reg_port=port.ofport,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
|
@ -780,8 +775,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
||||
reg_port=port.ofport,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
|
||||
|
@ -815,9 +809,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
|
||||
# NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
|
||||
|
@ -829,9 +821,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
priority=100,
|
||||
dl_type=constants.ETHERTYPE_ARP,
|
||||
reg_port=port.ofport,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
self._initialize_ingress_ipv6_icmp(port)
|
||||
|
||||
|
@ -847,9 +837,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
nw_proto=lib_const.PROTO_NUM_UDP,
|
||||
tp_src=src_port,
|
||||
tp_dst=dst_port,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
|
||||
# Track untracked
|
||||
|
@ -902,9 +890,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
|
|||
ct_state=state,
|
||||
ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
self._add_flow(
|
||||
table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
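Review bot: After this change no visible line sends egress traffic to ACCEPTED_EGRESS_TRAFFIC_TABLE: the hunks at -544, -582, -622, -746 and -780 replace every egress resubmit with `normal`, while the only resubmit added on this page is the ingress one in create_accept_flows. If the first accepted egress packet is still meant to reach that table, as the commit title suggests, the flow that does it should be referenced from here or added; otherwise anything that audits accepted traffic through those tables loses the egress direction entirely. The ARP, ICMPv6 and UDP port-pair flows (-622, -544, -815, -829, -847) do not appear to pass through the committing flow at all, so as far as these hunks show they would never be forwarded either; a comment such as `# not forwarded to the accepted-traffic table; see create_accept_flows` above the changed `actions=` lines would record that this is deliberate. The enclosing methods start and end outside each hunk, so the full match conditions are not visible.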
|
||||
|
|
|
@ -88,9 +88,7 @@ def populate_flow_common(direction, flow_template, port):
|
|||
"""Initialize common flow fields."""
|
||||
if direction == n_consts.INGRESS_DIRECTION:
|
||||
flow_template['table'] = fwaas_ovs_consts.FW_RULES_INGRESS_TABLE
|
||||
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
flow_template['actions'] = "output:{:d}".format(port.ofport)
|
||||
elif direction == n_consts.EGRESS_DIRECTION:
|
||||
flow_template['table'] = fwaas_ovs_consts.FW_RULES_EGRESS_TABLE
|
||||
# Traffic can be both ingress and egress, check that no ingress rules
|
||||
|
@ -190,8 +188,11 @@ def create_accept_flows(flow, sg_enabled=False):
|
|||
resubmit_to_sg(flow)
|
||||
elif flow['table'] == fwaas_ovs_consts.FW_RULES_INGRESS_TABLE:
|
||||
flow['actions'] = (
|
||||
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
|
||||
fwaas_ovs_consts.REG_NET, flow['actions']))
|
||||
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
|
||||
'resubmit(,{:d})'.format(
|
||||
fwaas_ovs_consts.REG_NET, flow['actions'],
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
result.append(flow)
|
||||
return result
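Review bot: The resubmit added in create_accept_flows rides on the flow that carries `ct(commit,...)`, but nothing inside this hunk shows that this flow matches only new connections, which is what "only first accepted packet" depends on. Whatever restricts it (presumably a ct_state match set above the hunk) deserves a comment at the new action, for example `# committing flow sees the first packet only; later packets take the output-only flows`. The action is also built by implicit literal concatenation with `.format` hanging off the second fragment, which reads as if only `'resubmit(,{:d})'` were being formatted; a single named template string would be clearer. The function body starts outside the hunk.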
|
||||
|
||||
|
|
|
@ -16,8 +16,6 @@ import mock
|
|||
from neutron_lib import constants
|
||||
|
||||
from neutron.common import constants as n_const
|
||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
|
||||
as ovs_consts
|
||||
from neutron.tests import base
|
||||
|
||||
from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\
|
||||
|
@ -189,9 +187,8 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||
rule = {'protocol': constants.PROTO_NUM_TCP}
|
||||
expected_flows = [{
|
||||
'table': fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
|
||||
'actions': 'output:1,resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
'nw_proto': constants.PROTO_NUM_TCP,
|
||||
'actions': 'output:1',
|
||||
'nw_proto': constants.PROTO_NUM_TCP
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
constants.INGRESS_DIRECTION, rule, expected_flows)
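Review bot: The expectation updated in TestCreateProtocolFlows only confirms that the resubmit is gone from the protocol flows; no visible test asserts that create_accept_flows now appends the resubmit to ACCEPTED_INGRESS_TRAFFIC_TABLE on the committing flow. With the `ovs_consts` import removed in the -16 hunk, nothing in this file can name that table by constant any more, so the new behaviour appears to be unpinned here. A case that passes an ingress flow to create_accept_flows and checks that the resubmit is present on the committing flow and absent from the other one would cover it. The rest of the test module is outside the hunks, so coverage elsewhere cannot be ruled out.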
|
||||
|
|