> On Tue, Apr 16, 2024 at 1:22 AM <[email protected]> wrote:
>>
>> From: shylou <[email protected]>
>>
>> DHCP for VM fails when removing default security group rules
>> using a CMS like Neutron ML2/OVN [1]. This is because DHCP
>> requests from VMs may be dropped by ACLs. To fix this issue,
>> we add a lflow with a priority of 34000 to allow DHCP requests
>> from the logical port if the CMS has enabled native DHCPv4
>> for this port.
>>
>> [1]https://bugs.launchpad.net/neutron/+bug/1926515
>>
>> Signed-off-by: Xie Liu <[email protected]>
>
>
> Thanks for the patch.
>
> I don't think this is the correct fix. If neutron wants to allow DHCP
> overriding any ACL rules, it should add a high priority ACL to allow
> DHCP. What if a user wants to add an explicit ACL to drop DHCP from
> certain ports?
>
> Thanks
> Numan
>
Thanks, Numan.
I have a puzzling question: why would users want to block
DHCP request packets after enabling DHCP for any LSPs?
They could just not enable DHCP for them at all, right?
>
>> ---
>> northd/northd.c | 10 ++++++++++
>> tests/ovn-northd.at | 5 +++++
>> 2 files changed, 15 insertions(+)
>>
>> diff --git a/northd/northd.c b/northd/northd.c
>> index 2c3560ce2..ca641a19e 100644
>> --- a/northd/northd.c
>> +++ b/northd/northd.c
>> @@ -8414,6 +8414,16 @@ build_dhcpv4_options_flows(struct ovn_port *op,
>> meter_groups),
>> &op->nbsp->dhcpv4_options->header_,
>> lflow_ref);
>> + /* Add 34000 priority flow to allow DHCP request from the lport
>> + * if the CMS has enabled native DHCPv4 for this lport.
>> + * */
>> + ovn_lflow_add_with_lport_and_hint(lflows, op->od,
>> + S_SWITCH_IN_ACL_EVAL, 34000,
>> + ds_cstr(&match),
>> + REGBIT_ACL_VERDICT_ALLOW" =
>> 1; next;",
>> + op->key,
>> + &op->nbsp->header_,
>> + lflow_ref);
>> ds_clear(&match);
>>
>> /* If REGBIT_DHCP_OPTS_RESULT is set, it means the
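Review bot: priority 34000 in S_SWITCH_IN_ACL_EVAL sits above the entire user-configurable ACL priority range (0 to 32767), so once native DHCPv4 is enabled on a port no ACL the CMS writes can ever drop DHCP discover/request packets from it, which is exactly the objection raised upthread; if the goal is only to make DHCP work by default, a flow at a priority below the ACL range (or a high-priority allow ACL installed by the CMS) keeps the final verdict under the CMS's control. Two smaller points on this hunk: the comment terminator ` * */` should be ` */` to match the surrounding code, and an ACL-stage flow added from build_dhcpv4_options_flows() is easy to miss for anyone reading the ACL-building code, so it should either live there or at least be described in northd/ovn-northd.8.xml next to the other ingress ACL table priorities. The match is reused from the put_dhcp_opts flow, so the allow is correctly scoped to the port's own MAC, its offered/unspecified source IPs and UDP 68 to 67, but no equivalent is added for ports with native DHCPv6 enabled, leaving v4 and v6 behaving differently under the same ACL set.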
>> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
>> index 6fdd761da..7657aefff 100644
>> --- a/tests/ovn-northd.at
>> +++ b/tests/ovn-northd.at
>> @@ -4897,6 +4897,11 @@ ovn-nbctl --wait=sb lsp-set-dhcpv4-options sw0-port1
>> $CIDR_UUID
>> ovn-sbctl dump-flows sw0 > sw0flows
>> AT_CAPTURE_FILE([sw0flows])
>>
>> +AT_CHECK([grep "_acl_eval" sw0flows | grep sw0-port1 | ovn_strip_lflows],
>> [0], [dnl
>> + table=??(ls_in_acl_eval ), priority=34000, match=(inport ==
>> "sw0-port1" && eth.src == 50:54:00:00:00:01 && (ip4.src == {10.0.0.2,
>> 0.0.0.0} && ip4.dst == {10.0.0.1, 255.255.255.255}) && udp.src == 68 &&
>> udp.dst == 67), action=(reg8[[16]] = 1; next;)
>> + table=??(ls_out_acl_eval ), priority=34000, match=(outport ==
>> "sw0-port1" && eth.src == c0:ff:ee:00:00:01 && ip4.src == 10.0.0.1 && udp &&
>> udp.src == 67 && udp.dst == 68), action=(reg8[[16]] = 1; next;)
>> +])
>> +
>> AT_CHECK([grep -w "ls_in_dhcp_options" sw0flows | ovn_strip_lflows], [0],
>> [dnl
>> table=??(ls_in_dhcp_options ), priority=0 , match=(1), action=(next;)
>> table=??(ls_in_dhcp_options ), priority=100 , match=(inport ==
>> "sw0-port1" && eth.src == 50:54:00:00:00:01 && (ip4.src == {10.0.0.2,
>> 0.0.0.0} && ip4.dst == {10.0.0.1, 255.255.255.255}) && udp.src == 68 &&
>> udp.dst == 67), action=(reg0[[3]] = put_dhcp_opts(offerip = 10.0.0.2,
>> hostname = "foo", lease_time = 3600, netmask = 255.255.255.0, router =
>> 10.0.0.1, server_id = 10.0.0.1); next;)
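Review bot: the added AT_CHECK only shows that the 34000 flow exists on sw0-port1 after lsp-set-dhcpv4-options; it does not check that the flow is removed when the dhcpv4 options are cleared from the port, nor that a port without dhcpv4 options gets no such flow, which is what would catch a regression in the gating condition. A second check after clearing the options, e.g. `ovn-nbctl --wait=sb clear Logical_Switch_Port sw0-port1 dhcpv4_options` followed by a grep on ls_in_acl_eval for sw0-port1 expecting empty output, would cover it. Note also that the ls_out_acl_eval line in the expected output cannot come from this patch, since the northd.c hunk only adds a flow in S_SWITCH_IN_ACL_EVAL; grepping on "_acl_eval" therefore asserts on pre-existing egress behaviour as well, and a grep on ls_in_acl_eval alone would make the test's intent clearer.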
>> --
>> 2.42.0.windows.2
>>
>> _______________________________________________
>> dev mailing list
>> [email protected]
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>