From 93c71ce98af19f96282acabb58c446428bda2578 Mon Sep 17 00:00:00 2001
From: Nguyen Phuong An
Date: Wed, 15 Aug 2018 10:05:51 +0700
Subject: [PATCH] Should forward only first accepted packet to table 91 and 92
Regarding to performance perspective, we should only log first accepted packet. Therefore we need to forward only first accepted packet of each connection session to table 91 and table 92. This is also effort to sync up with ovsfw in neutron-side [1].
[1] https://review.openstack.org/#/c/591547/
Related-Bug: #1782576
Change-Id: Iac01088bf2c76e3f28000389596f5a1a85478d9a
---
 .../linux/l2/openvswitch_firewall/firewall.py | 32 ++++++-------------
 .../linux/l2/openvswitch_firewall/rules.py | 11 ++++---
 .../l2/openvswitch_firewall/test_rules.py | 7 ++--
 3 files changed, 17 insertions(+), 33 deletions(-)
diff --git a/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py b/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py
index ab828d1a1..a593bd9d4 100644
--- a/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py
+++ b/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py
@@ -544,9 +544,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 dl_type=constants.ETHERTYPE_IPV6,
 nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
 icmp_type=icmp_type,
- actions='resubmit(,%d)' % (
- ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
- )
+ actions='normal')
 # NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
 # which differs in constants (table numbers) and exception classes
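Review bot: After this patch nothing on the new side resubmits egress traffic to ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE: this hunk and the ones at -582, -622, -746 and -780 replace `resubmit(,ACCEPTED_EGRESS_TRAFFIC_TABLE)` with `normal`, while the rules.py hunk at -190 adds the first-packet `resubmit(,{:d})` for the ingress table only. Unless a flow outside these hunks (for instance a higher-priority ct(commit) flow in FW_ACCEPT_OR_INGRESS_TABLE) forwards the committing packet to table 91, egress sessions will never reach the log tables, so egress accept logging stops entirely instead of being reduced to the first packet. Either add the egress counterpart in create_accept_flows, mirroring the new ingress branch, or state in the commit message where the egress first-packet resubmit happens. The method enclosing this hunk starts and ends outside the hunk.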
@@ -582,8 +580,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
 priority=80,
 reg_port=ovs_port.ofport,
- actions='resubmit(,%d)' % (
- ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
+ actions='normal',
 )
 # NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
@@ -622,8 +619,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 dl_src=mac_addr,
 dl_type=constants.ETHERTYPE_ARP,
 arp_spa=ip_addr,
- actions='resubmit(,%d)' % (
- ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
+ actions='normal'
 )
 self._add_flow(
 table=fwaas_ovs_consts.FW_BASE_EGRESS_TABLE,
@@ -746,8 +742,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 table=fwaas_ovs_consts.FW_ACCEPT_OR_INGRESS_TABLE,
 priority=80,
 reg_port=port.ofport,
- actions='resubmit(,%d)' % (
- ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
+ actions='normal'
 )
 # NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
@@ -780,8 +775,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
 reg_port=port.ofport,
 ct_zone=port.vlan_tag,
- actions='resubmit(,%d)' % (
- ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
+ actions='normal'
 )
 self._add_flow(
 table=fwaas_ovs_consts.FW_RULES_EGRESS_TABLE,
@@ -815,9 +809,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 dl_type=constants.ETHERTYPE_IPV6,
 nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
 icmp_type=icmp_type,
- actions='output:{:d},resubmit(,{:d})'.format(
- port.ofport,
- ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
+ actions='output:{:d}'.format(port.ofport)
 )
 # NOTE(ivasilevskaya) That's a copy-paste from neutron ovsfw driver
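Review bot: The ingress flows changed in the -815 hunk and in the ones at -829 and -847 (ICMPv6, ARP and DHCP replies matched on dl_type/nw_proto without any ct fields) are stateless per-packet flows that never pass through a ct(commit) action, so dropping `resubmit(,ACCEPTED_INGRESS_TRAFFIC_TABLE)` from them removes those packets from the log tables entirely rather than limiting them to the first packet of a session; the egress ICMPv6 and ARP flows at -544 and -622 lose table 91 the same way. If the log driver is not expected to see ARP, DHCP and neighbour-discovery traffic this is acceptable, but it is a visible reduction in what gets logged and the commit message only speaks of connection sessions. Either keep the resubmit on these low-volume stateless flows or document the reduced coverage in the commit message. The -902 hunk, whose flow carries ct_state/ct_mark/ct_zone matches, is the one the per-packet performance argument appears to target.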
@@ -829,9 +821,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 priority=100,
 dl_type=constants.ETHERTYPE_ARP,
 reg_port=port.ofport,
- actions='output:{:d},resubmit(,{:d})'.format(
- port.ofport,
- ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
+ actions='output:{:d}'.format(port.ofport)
 )
 self._initialize_ingress_ipv6_icmp(port)
@@ -847,9 +837,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 nw_proto=lib_const.PROTO_NUM_UDP,
 tp_src=src_port,
 tp_dst=dst_port,
- actions='output:{:d},resubmit(,{:d})'.format(
- port.ofport,
- ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
+ actions='output:{:d}'.format(port.ofport)
 )
 # Track untracked
@@ -902,9 +890,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
 ct_state=state,
 ct_mark=fwaas_ovs_consts.CT_MARK_NORMAL,
 ct_zone=port.vlan_tag,
- actions='output:{:d},resubmit(,{:d})'.format(
- port.ofport,
- ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
+ actions='output:{:d}'.format(port.ofport)
 )
 self._add_flow(
 table=fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
diff --git a/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py b/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py
index 529112f57..2fbe1bc49 100644
--- a/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py
+++ b/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/rules.py
@@ -88,9 +88,7 @@ def populate_flow_common(direction, flow_template, port):
 """Initialize common flow fields."""
 if direction == n_consts.INGRESS_DIRECTION:
 flow_template['table'] = fwaas_ovs_consts.FW_RULES_INGRESS_TABLE
- flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
- port.ofport,
- ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
+ flow_template['actions'] = "output:{:d}".format(port.ofport)
 elif direction == n_consts.EGRESS_DIRECTION:
 flow_template['table'] = fwaas_ovs_consts.FW_RULES_EGRESS_TABLE
 # Traffic can be both ingress and egress, check that no ingress rules
@@ -190,8 +188,11 @@ def create_accept_flows(flow, sg_enabled=False):
 resubmit_to_sg(flow)
 elif flow['table'] == fwaas_ovs_consts.FW_RULES_INGRESS_TABLE:
 flow['actions'] = (
- 'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
- fwaas_ovs_consts.REG_NET, flow['actions']))
+ 'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
+ 'resubmit(,{:d})'.format(
+ fwaas_ovs_consts.REG_NET, flow['actions'],
+ ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
+ )
 result.append(flow)
 return result
diff --git a/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_rules.py b/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_rules.py
index 5c776827b..033256b62 100644
--- a/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_rules.py
+++ b/neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_rules.py
@@ -16,8 +16,6 @@ import mock
 from neutron_lib import constants
 from neutron.common import constants as n_const
-from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
- as ovs_consts
 from neutron.tests import base
 from neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.\
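Review bot: The reason the `resubmit(,ACCEPTED_INGRESS_TRAFFIC_TABLE)` now lives only in the ct(commit) branch of create_accept_flows (the -190 hunk), and no longer in populate_flow_common where the -88 hunk removed it, is not recorded in the code; a reader of populate_flow_common sees a bare `output:N` and cannot tell where the logging hand-off went. Suggest a comment above the `flow['actions'] = (` assignment: `# Only the ct(commit) flow resubmits to the accepted-traffic table, so the log driver sees the first packet of a session rather than every accepted packet.` That this branch is the flow committing the connection is read from the ct(commit) action; the ct_state assignment and the rest of create_accept_flows are outside the hunk. The one-line docstring of populate_flow_common could likewise note that `actions` is the plain output and that create_accept_flows appends the logging resubmit.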
@@ -189,9 +187,8 @@ class TestCreateProtocolFlows(base.BaseTestCase):
 rule = {'protocol': constants.PROTO_NUM_TCP}
 expected_flows = [{
 'table': fwaas_ovs_consts.FW_RULES_INGRESS_TABLE,
- 'actions': 'output:1,resubmit(,%d)' % (
- ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
- 'nw_proto': constants.PROTO_NUM_TCP,
+ 'actions': 'output:1',
+ 'nw_proto': constants.PROTO_NUM_TCP
 }]
 self._test_create_protocol_flows_helper(
 constants.INGRESS_DIRECTION, rule, expected_flows)
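Review bot: No test in this patch asserts the new action string built in create_accept_flows (`ct(commit,...),output:N,resubmit(,ACCEPTED_INGRESS_TRAFFIC_TABLE)`): the diffstat shows test_rules.py changing only the five lines of this hunk plus the two removed import lines at -16, and this hunk only checks populate_flow_common's `output:1` result. A test that feeds create_accept_flows a FW_RULES_INGRESS_TABLE flow and asserts the accepted-traffic resubmit appears exactly once, on the ct(commit) flow only, would pin the first-packet-only behaviour the commit message describes. Separately, the trailing comma the old line had after `'nw_proto': constants.PROTO_NUM_TCP` was dropped; keeping it as `'nw_proto': constants.PROTO_NUM_TCP,` follows the multi-line literal convention and keeps the next addition a one-line diff.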