Reviewed:  https://review.openstack.org/385085
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6370a0471076ccb095a90f97ffc869ae7ea2e5ed
Submitter: Jenkins
Branch:    master

commit 6370a0471076ccb095a90f97ffc869ae7ea2e5ed
Author: Jakub Libosvar <[email protected]>
Date:   Tue Jun 13 12:07:28 2017 +0000

    ovsfw: Fix overlapping MAC addresses on integration bridge

    The patch relies on the fact that traffic not going from instance (and
    thus port not managed by firewall) is tagged. Traffic coming from the
    instance is not tagged and thus net register is used for marking such
    traffic. These two approaches make matching rules unique even if two
    ports from different networks share their MAC addresses.

    Traffic coming from trusted ports is marked with network in registry so
    firewall can decide later to which network traffic belongs.

    Closes-bug: #1626010
    Change-Id: Ia05d75a01b0469a0eaa82ada67b16a9481c50f1c

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1626010

Title:
  OVS Firewall cannot handle non unique MACs

Status in neutron:
  Fix Released

Bug description:
  It seems we have a case where the openvswitch firewall driver and a use
  of trunks interfere with each other.

  I tried using the parent's MAC address for a subport. Like this:

    openstack network create net0
    openstack network create net1
    openstack subnet create --network net0 --subnet-range 10.0.4.0/24 subnet0
    openstack subnet create --network net1 --subnet-range 10.0.5.0/24 subnet1
    openstack port create --network net0 port0
    parent_mac="$( openstack port show port0 | awk '/ mac_address / { print $4 }' )"
    openstack port create --network net1 --mac-address "$parent_mac" port1
    openstack network trunk create --parent-port port0 --subport port=port1,segmentation-type=vlan,segmentation-id=101 trunk0
    openstack server create --flavor cirros256 --image cirros-0.3.4-x86_64-uec --nic port-id=port0 --key-name key0 --wait vm0

  Then all packets are lost on the trunk's parent port:

    $ openstack server show vm0 | egrep addresses.*net0
    | addresses | net0=10.0.4.6 |
    $ sudo ip netns exec "qdhcp-$( openstack network show net0 | awk '/ id / { print $4 }' )" ping -c3 10.0.4.6
    WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
    PING 10.0.4.6 (10.0.4.6) 56(84) bytes of data.

    --- 10.0.4.6 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2016ms

  If I change the firewall_driver to noop and redo the same I have
  connectivity.

  If I still have the openvswitch firewall_driver but I don't explicitly
  set the subport MAC, but let neutron automatically assign one, then
  again I have connectivity.

  devstack version: 81d89cf
  neutron version: 60010a8

  relevant parts of local.conf:

    [[local|localrc]]
    enable_service neutron-api
    enable_service neutron-l3
    enable_service neutron-agent
    enable_service neutron-dhcp
    enable_service neutron-metadata-agent
    [[post-config|$NEUTRON_CONF]]
    [DEFAULT]
    service_plugins = router,trunk
    [[post-config|$NEUTRON_PLUGIN_CONF]]
    [securitygroup]
    firewall_driver = openvswitch

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1626010/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

