raise priority of dead vlan drop
- This change adds a max priority flow to drop
all traffic that is associated with the
DEAD VLAN 4095.
- This change is part of a partial mitigation of
bug 1734320. Without this change vlan 4095 traffic
will be dropped via a low priority flow after being
processed by part/all of the openflow pipeline.
By raising the priorty and droping in table 0
we drop invalid packets as soon as they enter
the pipeline.
Conflicts:
neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py
Change-Id: I3482c7c4f00942828cc9396cd2f3d646c9e8c9d1
Partial-Bug: #1734320
(cherry picked from commit e3dc447b90
)
This commit is contained in:
parent
b3d3d6d643
commit
9b0919e648
|
@ -189,6 +189,8 @@ OPENFLOW12 = "OpenFlow12"
|
|||
OPENFLOW13 = "OpenFlow13"
|
||||
OPENFLOW14 = "OpenFlow14"
|
||||
|
||||
OPENFLOW_MAX_PRIORITY = 65535
|
||||
|
||||
# A placeholder for dead vlans.
|
||||
DEAD_VLAN_TAG = p_const.MAX_VLAN_TAG + 1
|
||||
|
||||
|
|
|
@ -45,6 +45,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
|||
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
|
||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
||||
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
||||
self.install_drop(table_id=constants.LOCAL_SWITCHING,
|
||||
priority=constants.OPENFLOW_MAX_PRIORITY,
|
||||
vlan_vid=constants.DEAD_VLAN_TAG)
|
||||
|
||||
def setup_canary_table(self):
|
||||
self.install_drop(constants.CANARY_TABLE)
|
||||
|
|
|
@ -37,6 +37,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
|||
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
|
||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
||||
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
||||
self.install_drop(table_id=constants.LOCAL_SWITCHING,
|
||||
priority=constants.OPENFLOW_MAX_PRIORITY,
|
||||
dl_vlan=constants.DEAD_VLAN_TAG)
|
||||
|
||||
def setup_canary_table(self):
|
||||
self.install_drop(constants.CANARY_TABLE)
|
||||
|
|
|
@ -64,6 +64,12 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
|
|||
match=ofpp.OFPMatch(),
|
||||
priority=0,
|
||||
table_id=24)),
|
||||
call._send_msg(ofpp.OFPFlowMod(dp,
|
||||
cookie=self.stamp,
|
||||
instructions=[],
|
||||
match=ofpp.OFPMatch(vlan_vid=4095),
|
||||
priority=65535,
|
||||
table_id=0)),
|
||||
]
|
||||
self.assertEqual(expected, self.mock.mock_calls)
|
||||
|
||||
|
|
|
@ -37,6 +37,8 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
|
|||
call.add_flow(priority=0, table=0, actions='resubmit(,60)'),
|
||||
call.add_flow(priority=3, table=60, actions='normal'),
|
||||
call.add_flow(priority=0, table=24, actions='drop'),
|
||||
call.add_flow(actions='drop', dl_vlan=4095,
|
||||
priority=65535, table=0)
|
||||
]
|
||||
self.assertEqual(expected, self.mock.mock_calls)
|
||||
|
||||
|
|
Loading…
Reference in New Issue