On Wed, Nov 11, 2015 at 1:43 PM, Justin Pettit <[email protected]> wrote:
> > On Nov 10, 2015, at 2:01 PM, Russell Bryant <[email protected]> wrote:
> >
> > On 11/10/2015 04:51 PM, Joe Stringer wrote:
> >> On 9 November 2015 at 15:36, Jarno Rajahalme <[email protected]> wrote:
> >>>
> >>>> On Nov 9, 2015, at 10:56 AM, Joe Stringer <[email protected]> wrote:
> >>>>
> >>>> If conntrack recirculates, it should not stop processing the current
> >>>> pipeline. The cloned packet will begin with a fresh action set in the
> >>>> table specified with the current metadata; The current copy of the
> >>>
> >>> As discussed, the action set is forked as well. Assuming the commit
> >>> message and the comment above the new function are fixed:
> >>>
> >>> Acked-by: Jarno Rajahalme <[email protected]>
> >>
> >> Thanks. I'll hold off a little longer in case anyone else wants to
> >> chime in.
> >>
> >
> > FWIW, I just tested this patch in my OpenStack+OVN environment and it
> > resolved the problem I was having.
>
> Just to make sure, does this resolve the DHCP issue that you were seeing?
> Are there other OVN ACL problems?

It does resolve my DHCP issue, or at least part of it. This patch fixes the
issue I had where the DHCP request didn't make it to the server in the first
place. I have another patch to the Neutron plugin where I create an ACL that
allows DHCP responses to reach the VM. It seems conntrack doesn't associate
the response with the initial request, so I have to allow the responses
explicitly. The logic I have is this, which is roughly: if DHCP is enabled on
this network, allow DHCP server-to-client packets through that originated
from an IP on the same subnet.

+ # If DHCP is enabled, allow the DHCP server responses to reach the + # client.
+ for ip in port['fixed_ips']: + subnet = self.get_subnet(context, ip['subnet_id']) + if subnet['ip_version'] != 4 or not subnet['enable_dhcp']: + continue + txn.add(self._ovn.add_acl( + lswitch=utils.ovn_name(port['network_id']), + lport=port['id'], + priority=ACL_PRIORITY_ALLOW, + action='allow', + log=False, + direction='to-lport', + match=('outport == "%s" && ip4 && ip4.src == %s && ' + 'udp && udp.src == 67 && udp.dst == 68' + ) % (port['id'], subnet['cidr']), + external_ids={'neutron:lport': port['id']}))

The combination of Joe's fix and that patch makes DHCP work and seems sane to
me. Let me know if you think otherwise. :-)

-- 
Russell Bryant

_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev
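Review bot: the match in this hunk, `ip4.src == %s` filled with `subnet['cidr']` plus `udp.src == 67 && udp.dst == 68`, admits server-to-client DHCP packets from any address in the subnet rather than only from the network's DHCP server, so the allow is wider than the stated intent of letting the DHCP responses through; if the plugin has the DHCP server's address for the subnet, consider matching on that address instead of the CIDR, and otherwise state in the comment that the subnet-wide allow is deliberate because conntrack does not associate the reply with the request. Also, since the loop runs once per entry in `port['fixed_ips']`, a port with two addresses on the same subnet adds two identical ACLs; tracking the subnets already handled in this loop would avoid the duplicate rows.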
