Merge "Fix no ACCEPT event can get for security group logging"

This commit is contained in:
Zuul
2018-08-10 14:40:15 +00:00
committed by Gerrit Code Review
6 changed files with 65 additions and 83 deletions


@@ -207,25 +207,25 @@ solicitation and neighbour advertisement.
:: ::
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=130 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=130 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=131 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=131 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=132 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=132 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=135 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=135 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=136 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=136 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=130 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=130 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=131 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=131 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=132 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=132 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=135 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=135 actions=NORMAL
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=136 actions=resubmit(,91) table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=136 actions=NORMAL
Following rules implement arp spoofing protection Following rules implement arp spoofing protection
:: ::
table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,arp_spa=192.168.0.1 actions=resubmit(,91) table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,arp_spa=192.168.0.1 actions=NORMAL
table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:8c:84:13,arp_spa=10.0.0.1 actions=resubmit(,91) table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:8c:84:13,arp_spa=10.0.0.1 actions=NORMAL
table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,arp_spa=192.168.0.2 actions=resubmit(,91) table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,arp_spa=192.168.0.2 actions=NORMAL
table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:8c:84:14,arp_spa=10.1.0.0/24 actions=resubmit(,91) table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:8c:84:14,arp_spa=10.1.0.0/24 actions=NORMAL
DHCP and DHCPv6 traffic is allowed to instance but DHCP servers are blocked on DHCP and DHCPv6 traffic is allowed to instance but DHCP servers are blocked on
instances. instances.
@@ -288,10 +288,10 @@ allowed.
:: ::
table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=resubmit(,91) table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=resubmit(,91) table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=NORMAL
table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=resubmit(,91) table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=resubmit(,91) table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=NORMAL
In the following flows are marked established connections that weren't matched In the following flows are marked established connections that weren't matched
in the previous flows, which means they don't have accepting security group in the previous flows, which means they don't have accepting security group
@@ -317,8 +317,8 @@ remaining egress connections are sent to normal switching.
table=73, priority=100,reg6=0x284,dl_dst=fa:16:3e:8c:84:14 actions=load:0x2->NXM_NX_REG5[],resubmit(,81) table=73, priority=100,reg6=0x284,dl_dst=fa:16:3e:8c:84:14 actions=load:0x2->NXM_NX_REG5[],resubmit(,81)
table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91) table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91)
table=73, priority=90,ct_state=+new-est,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91) table=73, priority=90,ct_state=+new-est,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91)
table=73, priority=80,reg5=0x1 actions=resubmit(,91) table=73, priority=80,reg5=0x1 actions=NORMAL
table=73, priority=80,reg5=0x2 actions=resubmit(,91) table=73, priority=80,reg5=0x2 actions=NORMAL
table=73, priority=0 actions=drop table=73, priority=0 actions=drop
``table 81`` is similar to ``table 71``, allows basic ingress traffic for ``table 81`` is similar to ``table 71``, allows basic ingress traffic for
@@ -328,22 +328,22 @@ port. Not tracked packets are sent to obtain conntrack information.
:: ::
table=81, priority=100,arp,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92) table=81, priority=100,arp,reg5=0x1 actions=strip_vlan,output:1
table=81, priority=100,arp,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92) table=81, priority=100,arp,reg5=0x2 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x1,icmp_type=130 actions=strip_vlan,output:1,resubmit(,92) table=81, priority=100,icmp6,reg5=0x1,icmp_type=130 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,icmp_type=131 actions=strip_vlan,output:1,resubmit(,92) table=81, priority=100,icmp6,reg5=0x1,icmp_type=131 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,icmp_type=132 actions=strip_vlan,output:1,resubmit(,92) table=81, priority=100,icmp6,reg5=0x1,icmp_type=132 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,icmp_type=135 actions=strip_vlan,output:1,resubmit(,92) table=81, priority=100,icmp6,reg5=0x1,icmp_type=135 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,icmp_type=136 actions=strip_vlan,output:1,resubmit(,92) table=81, priority=100,icmp6,reg5=0x1,icmp_type=136 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x2,icmp_type=130 actions=strip_vlan,output:2,resubmit(,92) table=81, priority=100,icmp6,reg5=0x2,icmp_type=130 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,icmp_type=131 actions=strip_vlan,output:2,resubmit(,92) table=81, priority=100,icmp6,reg5=0x2,icmp_type=131 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,icmp_type=132 actions=strip_vlan,output:2,resubmit(,92) table=81, priority=100,icmp6,reg5=0x2,icmp_type=132 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,icmp_type=135 actions=strip_vlan,output:2,resubmit(,92) table=81, priority=100,icmp6,reg5=0x2,icmp_type=135 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,icmp_type=136 actions=strip_vlan,output:2,resubmit(,92) table=81, priority=100,icmp6,reg5=0x2,icmp_type=136 actions=strip_vlan,output:2
table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1,resubmit(,92) table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1
table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1,resubmit(,92) table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1
table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2,resubmit(,92) table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2
table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=strip_vlan,output:2,resubmit(,92) table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=strip_vlan,output:2
table=81, priority=90,ct_state=-trk,ip,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15]) table=81, priority=90,ct_state=-trk,ip,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
table=81, priority=90,ct_state=-trk,ipv6,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15]) table=81, priority=90,ct_state=-trk,ipv6,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
table=81, priority=90,ct_state=-trk,ip,reg5=0x2 actions=ct(table=82,zone=NXM_NX_REG6[0..15]) table=81, priority=90,ct_state=-trk,ip,reg5=0x2 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
@@ -368,7 +368,7 @@ them.
table=82, priority=71,ct_state=+new-est,ip,reg6=0x284,nw_src=10.0.0.1 actions=conjunction(19,1/2) table=82, priority=71,ct_state=+new-est,ip,reg6=0x284,nw_src=10.0.0.1 actions=conjunction(19,1/2)
table=82, priority=71,ct_state=+est-rel-rpl,icmp,reg5=0x2 actions=conjunction(18,2/2) table=82, priority=71,ct_state=+est-rel-rpl,icmp,reg5=0x2 actions=conjunction(18,2/2)
table=82, priority=71,ct_state=+new-est,icmp,reg5=0x2 actions=conjunction(19,2/2) table=82, priority=71,ct_state=+new-est,icmp,reg5=0x2 actions=conjunction(19,2/2)
table=82, priority=71,conj_id=18,ct_state=+est-rel-rpl,ip,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92) table=82, priority=71,conj_id=18,ct_state=+est-rel-rpl,ip,reg5=0x2 actions=strip_vlan,output:2
table=82, priority=71,conj_id=19,ct_state=+new-est,ip,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:2,resubmit(,92) table=82, priority=71,conj_id=19,ct_state=+new-est,ip,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:2,resubmit(,92)
table=82, priority=50,ct_state=+inv+trk actions=resubmit(,93) table=82, priority=50,ct_state=+inv+trk actions=resubmit(,93)
@@ -437,10 +437,10 @@ same as in ``table 72``.
table=82, priority=50,ct_mark=0x1,reg5=0x1 actions=resubmit(,93) table=82, priority=50,ct_mark=0x1,reg5=0x1 actions=resubmit(,93)
table=82, priority=50,ct_mark=0x1,reg5=0x2 actions=resubmit(,93) table=82, priority=50,ct_mark=0x1,reg5=0x2 actions=resubmit(,93)
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92) table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92) table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92) table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92) table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2
table=82, priority=40,ct_state=-est,reg5=0x1 actions=resubmit(,93) table=82, priority=40,ct_state=-est,reg5=0x1 actions=resubmit(,93)
table=82, priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[])) table=82, priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
table=82, priority=40,ct_state=-est,reg5=0x2 actions=resubmit(,93) table=82, priority=40,ct_state=-est,reg5=0x2 actions=resubmit(,93)
@@ -468,6 +468,8 @@ receives copies of those packets and therefore default action is ``drop``.
Finally, packets sent to ``table 93`` were filtered by the firewall and should Finally, packets sent to ``table 93`` were filtered by the firewall and should
be dropped. Default action is ``drop`` in this table. be dropped. Default action is ``drop`` in this table.
In regard to the performance perspective, please note that only the first accepted
packet of each connection session will go to ``table 91`` and ``table 92``.
Future work Future work
----------- -----------


@@ -709,8 +709,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
dl_type=constants.ETHERTYPE_IPV6, dl_type=constants.ETHERTYPE_IPV6,
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP, nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
icmp_type=icmp_type, icmp_type=icmp_type,
actions='resubmit(,%d)' % ( actions='normal'
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
) )
def _initialize_egress_no_port_security(self, port_id): def _initialize_egress_no_port_security(self, port_id):
@@ -744,9 +743,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
table=ovs_consts.ACCEPT_OR_INGRESS_TABLE, table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
priority=80, priority=80,
reg_port=ovs_port.ofport, reg_port=ovs_port.ofport,
actions='resubmit(,%d)' % ( actions='normal'
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
) )
def _remove_egress_no_port_security(self, port_id): def _remove_egress_no_port_security(self, port_id):
@@ -781,8 +778,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
dl_src=mac_addr, dl_src=mac_addr,
dl_type=constants.ETHERTYPE_ARP, dl_type=constants.ETHERTYPE_ARP,
arp_spa=ip_addr, arp_spa=ip_addr,
actions='resubmit(,%d)' % ( actions='normal'
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
) )
self._add_flow( self._add_flow(
table=ovs_consts.BASE_EGRESS_TABLE, table=ovs_consts.BASE_EGRESS_TABLE,
@@ -897,8 +893,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
table=ovs_consts.ACCEPT_OR_INGRESS_TABLE, table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
priority=80, priority=80,
reg_port=port.ofport, reg_port=port.ofport,
actions='resubmit(,%d)' % ( actions='normal'
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
) )
def _initialize_tracked_egress(self, port): def _initialize_tracked_egress(self, port):
@@ -929,8 +924,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_mark=ovsfw_consts.CT_MARK_NORMAL, ct_mark=ovsfw_consts.CT_MARK_NORMAL,
reg_port=port.ofport, reg_port=port.ofport,
ct_zone=port.vlan_tag, ct_zone=port.vlan_tag,
actions='resubmit(,%d)' % ( actions='normal'
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
) )
self._add_flow( self._add_flow(
table=ovs_consts.RULES_EGRESS_TABLE, table=ovs_consts.RULES_EGRESS_TABLE,
@@ -961,9 +955,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
dl_type=constants.ETHERTYPE_IPV6, dl_type=constants.ETHERTYPE_IPV6,
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP, nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
icmp_type=icmp_type, icmp_type=icmp_type,
actions='output:{:d},resubmit(,{:d})'.format( actions='output:{:d}'.format(port.ofport)
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
) )
def _initialize_ingress(self, port): def _initialize_ingress(self, port):
@@ -973,9 +965,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
priority=100, priority=100,
dl_type=constants.ETHERTYPE_ARP, dl_type=constants.ETHERTYPE_ARP,
reg_port=port.ofport, reg_port=port.ofport,
actions='output:{:d},resubmit(,{:d})'.format( actions='output:{:d}'.format(port.ofport)
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
) )
self._initialize_ingress_ipv6_icmp(port) self._initialize_ingress_ipv6_icmp(port)
@@ -991,9 +981,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
nw_proto=lib_const.PROTO_NUM_UDP, nw_proto=lib_const.PROTO_NUM_UDP,
tp_src=src_port, tp_src=src_port,
tp_dst=dst_port, tp_dst=dst_port,
actions='output:{:d},resubmit(,{:d})'.format( actions='output:{:d}'.format(port.ofport)
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
) )
# Track untracked # Track untracked
@@ -1043,9 +1031,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_state=state, ct_state=state,
ct_mark=ovsfw_consts.CT_MARK_NORMAL, ct_mark=ovsfw_consts.CT_MARK_NORMAL,
ct_zone=port.vlan_tag, ct_zone=port.vlan_tag,
actions='output:{:d},resubmit(,{:d})'.format( actions='output:{:d}'.format(port.ofport)
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
) )
self._add_flow( self._add_flow(
table=ovs_consts.RULES_INGRESS_TABLE, table=ovs_consts.RULES_INGRESS_TABLE,
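Review bot: The replacement of `resubmit(,ACCEPTED_EGRESS_TRAFFIC_TABLE)` with `actions='normal'` (and of `output:N,resubmit(,ACCEPTED_INGRESS_TRAFFIC_TABLE)` with a bare `output:N`) in the ICMPv6, ARP, no-port-security, DHCP and established-connection flows is explained only in the doc hunk, so a reader of this driver cannot tell that these flows now deliberately bypass the accept-logging tables. I would put a comment above the first `actions='normal'`, for example `# Basic and established traffic is switched directly and never reaches the accept-log table; only the first packet of a new rule-accepted connection is resubmitted there (see create_accept_flows).`, and a matching one above the first `output:{:d}` ingress flow. The practical consequence for operators is that the ACCEPT log event covers new rule-accepted connections only, not ARP/ICMPv6/DHCP or established traffic, which is worth making visible at the point where those flows are built. The hunk for the established ingress flow (ct_mark=CT_MARK_NORMAL) shows the ingress side of this; whether the egress accept path still resubmits from ACCEPT_OR_INGRESS_TABLE is outside these hunks. All of the enclosing methods start outside the hunks.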


@@ -201,9 +201,7 @@ def populate_flow_common(direction, flow_template, port):
"""Initialize common flow fields.""" """Initialize common flow fields."""
if direction == n_consts.INGRESS_DIRECTION: if direction == n_consts.INGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format( flow_template['actions'] = "output:{:d}".format(port.ofport)
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
elif direction == n_consts.EGRESS_DIRECTION: elif direction == n_consts.EGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
# Traffic can be both ingress and egress, check that no ingress rules # Traffic can be both ingress and egress, check that no ingress rules
@@ -332,8 +330,11 @@ def create_accept_flows(flow):
flow['ct_state'] = CT_STATES[1] flow['ct_state'] = CT_STATES[1]
if flow['table'] == ovs_consts.RULES_INGRESS_TABLE: if flow['table'] == ovs_consts.RULES_INGRESS_TABLE:
flow['actions'] = ( flow['actions'] = (
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format( 'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
ovsfw_consts.REG_NET, flow['actions'])) 'resubmit(,{:d})'.format(
ovsfw_consts.REG_NET, flow['actions'],
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
)
result.append(flow) result.append(flow)
return result return result
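Review bot: The `resubmit(,{:d})` appended in create_accept_flows is now the only place an ingress rule flow reaches ACCEPTED_INGRESS_TRAFFIC_TABLE, and it is applied to the `CT_STATES[1]` flow alone, while populate_flow_common emits a bare `output:{:d}` for the other ingress rule flow. That invariant — only the first packet of a new accepted connection is handed to the accept-log table — is what the logging driver's accept flow relies on, so I would state it above the `if flow['table'] == ovs_consts.RULES_INGRESS_TABLE:` line: `# Resubmit only the first (new, not established) packet of an accepted connection to the accept-log table; later packets are output directly.` The egress branch of create_accept_flows and the start of both functions are outside the hunks, so I cannot confirm from here that the egress path carries an equivalent resubmit.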


@@ -332,8 +332,7 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver):
self.delete_port_flows_log(of_port_log, log_id) self.delete_port_flows_log(of_port_log, log_id)
def _log_accept_flow(self, **flow): def _log_accept_flow(self, **flow):
# log first packet # log first accepted packet
flow['ct_state'] = ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED
flow['table'] = OVS_FW_TO_LOG_TABLES[flow['table']] flow['table'] = OVS_FW_TO_LOG_TABLES[flow['table']]
flow['actions'] = 'controller' flow['actions'] = 'controller'
self._add_flow(**flow) self._add_flow(**flow)
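Review bot: Dropping the `ct_state` match from _log_accept_flow makes the `controller` flow match every packet that arrives in the log table, so the "log first accepted packet" behaviour now rests entirely on the firewall driver resubmitting only the first packet of a new accepted connection. That coupling should be recorded next to the existing comment, e.g. `# No ct_state match here: the firewall driver resubmits only the first packet of a new accepted connection to this table, so every packet seen here is punted to the controller.` If a later driver change resubmits established traffic as well, every packet of those connections would be sent to the controller, which is the thing to re-check whenever the accept paths are touched. The enclosing class starts outside the hunk.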


@@ -185,8 +185,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
rule = {'protocol': constants.PROTO_NUM_TCP} rule = {'protocol': constants.PROTO_NUM_TCP}
expected_flows = [{ expected_flows = [{
'table': ovs_consts.RULES_INGRESS_TABLE, 'table': ovs_consts.RULES_INGRESS_TABLE,
'actions': 'output:1,resubmit(,%d)' % ( 'actions': 'output:1',
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
'nw_proto': constants.PROTO_NUM_TCP, 'nw_proto': constants.PROTO_NUM_TCP,
}] }]
self._test_create_protocol_flows_helper( self._test_create_protocol_flows_helper(
@@ -392,12 +391,12 @@ class TestCreateConjFlows(base.BaseTestCase):
flows[0]['ct_state']) flows[0]['ct_state'])
self.assertEqual(ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED, self.assertEqual(ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
flows[1]['ct_state']) flows[1]['ct_state'])
self.assertEqual("output:{:d},resubmit(,{:d})".format( self.assertEqual("output:{:d}".format(port.ofport),
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
flows[0]['actions']) flows[0]['actions'])
self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}".format( self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},"
ovsfw_consts.REG_NET, flows[0]['actions']), "resubmit(,{:d})".format(
ovsfw_consts.REG_NET, flows[0]['actions'],
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
flows[1]['actions']) flows[1]['actions'])
for f in flows: for f in flows:
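Review bot: The expected value in `self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},resubmit(,{:d})".format(ovsfw_consts.REG_NET, flows[0]['actions'], ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE), flows[1]['actions'])` is built from another flow's actual actions, so this assertion is only meaningful because the preceding one pins `flows[0]['actions']` to `"output:{:d}".format(port.ofport)`. Formatting the expected string from `port.ofport` directly, i.e. passing `"output:{:d}".format(port.ofport)` in place of `flows[0]['actions']`, makes each assertion stand on its own. The enclosing test method starts outside the hunk.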


@@ -18,7 +18,6 @@ from neutron_lib import constants
from oslo_config import cfg from oslo_config import cfg
from oslo_utils import uuidutils from oslo_utils import uuidutils
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
from neutron.common import constants as n_const from neutron.common import constants as n_const
from neutron.objects.logapi import logging_resource as log_object from neutron.objects.logapi import logging_resource as log_object
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \ from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
@@ -174,7 +173,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
mock.call( mock.call(
actions='controller', actions='controller',
cookie=accept_cookie.id, cookie=accept_cookie.id,
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
reg5=self.port_ofport, reg5=self.port_ofport,
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP), dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
nw_proto=constants.PROTO_NUM_TCP, nw_proto=constants.PROTO_NUM_TCP,
@@ -185,7 +183,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
mock.call( mock.call(
actions='controller', actions='controller',
cookie=accept_cookie.id, cookie=accept_cookie.id,
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
reg5=self.port_ofport, reg5=self.port_ofport,
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IPV6), dl_type="0x{:04x}".format(n_const.ETHERTYPE_IPV6),
priority=70, priority=70,
@@ -195,7 +192,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
mock.call( mock.call(
actions='controller', actions='controller',
cookie=accept_cookie.id, cookie=accept_cookie.id,
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
reg5=self.port_ofport, reg5=self.port_ofport,
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP), dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
nw_proto=constants.PROTO_NUM_UDP, nw_proto=constants.PROTO_NUM_UDP,
@@ -273,7 +269,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
mock.call( mock.call(
actions='controller', actions='controller',
cookie=accept_cookie.id, cookie=accept_cookie.id,
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
reg5=self.port_ofport, reg5=self.port_ofport,
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP), dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
nw_proto=constants.PROTO_NUM_TCP, nw_proto=constants.PROTO_NUM_TCP,