Reviewed: https://review.opendev.org/c/openstack/neutron/+/868058
Committed: https://opendev.org/openstack/neutron/commit/dad23fdcdb32e3b061642e3cafad6566fadc11c3
Submitter: "Zuul (22348)"
Branch: master

commit dad23fdcdb32e3b061642e3cafad6566fadc11c3
Author: LIU Yulong <[email protected]>
Date:   Mon Dec 19 14:26:47 2022 +0800

    Strictly delete arp_spoofing_protection flows

    Port arp_spoofing_protection will install flows like this:

        table=0, priority=9,in_port=2 actions=goto_table:25
        table=25, priority=2,in_port=2,dl_src=fa:16:3e:54:f0:71 actions=goto_table:60

    For network ports or port_security_enabled = False, those flows will be
    deleted by setup_arp_spoofing_protection in _bind_devices. But the delete
    actions are a bit rough, because they will delete any flows with
    "table=0 in_port=2" and "table=25 in_port=2". Besides, the ovs_agent
    extension handle_port will be run before these actions [5]. So for network
    or no-security ports, any flows added by an agent extension in table=0
    with "in_port=2" will be deleted unexpectedly, which also means any flows
    added before this call of "uninstall_flows(table=0, in_port=2)" will be
    deleted.

    This patch changes the uninstall flows to strict mode. Let it delete the
    arp_spoofing_protection related flows only by verifying the priority.

    Closes-Bug: #2000046
    Change-Id: Ifdd47b2ce8610e4b4b527fc3279e0bd7a8b21a1d

** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2000046

Title:
  [ml2][ovs] port flows unexpectedly deleted by arp_spoofing_protection

Status in neutron:
  Fix Released

Bug description:
  Port arp_spoofing_protection will install flows like this:

      table=0, priority=9,in_port=2 actions=goto_table:25
      table=25, priority=2,in_port=2,dl_src=fa:16:3e:54:f0:71 actions=goto_table:60

  For network ports or port_security_enabled = False, those flows will be
  deleted by setup_arp_spoofing_protection in _bind_devices [1][2][3][4].
  Besides, the ovs_agent extension handle_port will be run before these
  actions [5]. So for network or no-security ports, any flows added by an
  agent extension in table=0 with "in_port=2" will be deleted unexpectedly,
  which also means any flows added before this call of
  "uninstall_flows(table=0, in_port=2)" will be deleted.

  [1] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py#L385
  [2] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1300
  [3] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1307
  [4] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1241
  [5] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L2038

Mailing list: https://launchpad.net/~yahoo-eng-team
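To make the difference between the old non-strict delete and the strict delete concrete, here is an added toy model of OpenFlow flow-removal semantics (example code, not neutron's own; the two agent-extension flows and the FlowTable class are hypothetical). Non-strict delete ignores priority and removes every flow whose match contains the given fields; strict delete removes only flows with exactly the same match and priority.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    table: int
    priority: int
    match: dict      # e.g. {"in_port": 2, "dl_src": "fa:16:3e:54:f0:71"}
    actions: str


class FlowTable:
    """Constructed model of OFPFC_DELETE vs OFPFC_DELETE_STRICT (not OVS code)."""

    def __init__(self, flows):
        self.flows = list(flows)

    def uninstall_flows(self, table, match, priority=None, strict=False):
        def hit(f):
            if f.table != table:
                return False
            if strict:
                # strict: identical priority AND identical match fields
                return f.priority == priority and f.match == match
            # non-strict: priority ignored, given fields only need to be a subset
            return all(f.match.get(k) == v for k, v in match.items())
        self.flows = [f for f in self.flows if not hit(f)]


def arp_protection_flows(port, mac):
    # The two flows from the bug report, installed by arp_spoofing_protection.
    return [Flow(0, 9, {"in_port": port}, "goto_table:25"),
            Flow(25, 2, {"in_port": port, "dl_src": mac}, "goto_table:60")]


def remaining_after_delete(strict):
    """Return the flows left in table 0/25 after the arp flows are removed."""
    port, mac = 2, "fa:16:3e:54:f0:71"
    ext_flows = [  # hypothetical flows added earlier by an agent extension
        Flow(0, 10, {"in_port": port}, "resubmit(,90)"),
        Flow(0, 20, {"in_port": port, "dl_type": "0x8100"}, "resubmit(,91)"),
    ]
    ft = FlowTable(arp_protection_flows(port, mac) + ext_flows)
    if strict:  # what the fix does: match + priority must be exact
        ft.uninstall_flows(0, {"in_port": port}, priority=9, strict=True)
        ft.uninstall_flows(25, {"in_port": port, "dl_src": mac}, priority=2, strict=True)
    else:       # the old behaviour: uninstall_flows(table=0, in_port=2)
        ft.uninstall_flows(0, {"in_port": port})
        ft.uninstall_flows(25, {"in_port": port})
    return ft.flows
```

With the old non-strict delete both extension flows disappear along with the arp flows; with strict delete only the two priority 9 / priority 2 arp flows go and the extension flows survive.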

