Merge "Add table for pps limitaion"

This commit is contained in:
Zuul 2022-02-17 18:49:21 +00:00 committed by Gerrit Code Review
commit ce96e502fa
5 changed files with 39 additions and 22 deletions

View File

@ -208,9 +208,11 @@ the second security group. Ports have following attributes:
Port 3 Port 3
- patch bridge port (e.g. patch-tun) in OVS bridge - patch bridge port (e.g. patch-tun) in OVS bridge
|table_0| contains a low priority rule to continue packets processing in |table_0| - |table_59| contain some low priority rules to continue packets
|table_60| aka TRANSIENT table. |table_0| is left for use to other processing in |table_60| aka TRANSIENT table. |table_0| - |table_59| is
features that take precedence over firewall, e.g. DVR. The only requirement is left for use to other features that take precedence over firewall, e.g.
DVR, ARP poison/spoofing prevention, MAC spoof filtering and packet rate
limitation etc. The only requirement is
that after such a feature is done with its processing, it needs to pass packets that after such a feature is done with its processing, it needs to pass packets
for processing to the TRANSIENT table. This TRANSIENT table distinguishes the for processing to the TRANSIENT table. This TRANSIENT table distinguishes the
ingress traffic from the egress traffic and loads into ``register 5`` a value ingress traffic from the egress traffic and loads into ``register 5`` a value
@ -592,6 +594,7 @@ switched to the OVS driver.
not work if one tries to replace openvswitch firewall with iptables. not work if one tries to replace openvswitch firewall with iptables.
.. |table_0| replace:: ``table 0`` (LOCAL_SWITCHING) .. |table_0| replace:: ``table 0`` (LOCAL_SWITCHING)
.. |table_59| replace:: ``table 59`` (PACKET_RATE_LIMIT)
.. |table_60| replace:: ``table 60`` (TRANSIENT) .. |table_60| replace:: ``table 60`` (TRANSIENT)
.. |table_71| replace:: ``table 71`` (BASE_EGRESS) .. |table_71| replace:: ``table 71`` (BASE_EGRESS)
.. |table_72| replace:: ``table 72`` (RULES_EGRESS) .. |table_72| replace:: ``table 72`` (RULES_EGRESS)

View File

@ -60,6 +60,8 @@ MAC_SPOOF_TABLE = 25
LOCAL_EGRESS_TABLE = 30 LOCAL_EGRESS_TABLE = 30
LOCAL_IP_TABLE = 31 LOCAL_IP_TABLE = 31
# packet rate limit table
PACKET_RATE_LIMIT = 59
# Table to decide whether further filtering is needed # Table to decide whether further filtering is needed
TRANSIENT_TABLE = 60 TRANSIENT_TABLE = 60
LOCAL_MAC_DIRECT = 61 LOCAL_MAC_DIRECT = 61
@ -100,6 +102,7 @@ INT_BR_ALL_TABLES = (
LOCAL_MAC_DIRECT, LOCAL_MAC_DIRECT,
LOCAL_EGRESS_TABLE, LOCAL_EGRESS_TABLE,
LOCAL_IP_TABLE, LOCAL_IP_TABLE,
PACKET_RATE_LIMIT,
TRANSIENT_TABLE, TRANSIENT_TABLE,
TRANSIENT_EGRESS_TABLE, TRANSIENT_EGRESS_TABLE,
BASE_EGRESS_TABLE, BASE_EGRESS_TABLE,

View File

@ -53,7 +53,7 @@ class OVSDVRInterfaceMixin(object):
] ]
instructions = [ instructions = [
ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, actions), ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, actions),
ofpp.OFPInstructionGotoTable(table_id=constants.TRANSIENT_TABLE)] ofpp.OFPInstructionGotoTable(table_id=constants.PACKET_RATE_LIMIT)]
self.install_instructions(table_id=constants.LOCAL_SWITCHING, self.install_instructions(table_id=constants.LOCAL_SWITCHING,
priority=99, priority=99,

View File

@ -53,7 +53,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge,
enable_dhcpv6=False): enable_dhcpv6=False):
(_dp, ofp, ofpp) = self._get_dp() (_dp, ofp, ofpp) = self._get_dp()
self.setup_canary_table() self.setup_canary_table()
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE) self.install_goto(dest_table_id=constants.PACKET_RATE_LIMIT)
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE,
table_id=constants.PACKET_RATE_LIMIT)
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3) self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
self.init_dhcp(enable_openflow_dhcp=enable_openflow_dhcp, self.init_dhcp(enable_openflow_dhcp=enable_openflow_dhcp,
enable_dhcpv6=enable_dhcpv6) enable_dhcpv6=enable_dhcpv6)
@ -69,9 +71,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge,
priority=3) priority=3)
# Local IP defaults # Local IP defaults
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE, self.install_goto(dest_table_id=constants.PACKET_RATE_LIMIT,
table_id=constants.LOCAL_EGRESS_TABLE) table_id=constants.LOCAL_EGRESS_TABLE)
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE, self.install_goto(dest_table_id=constants.PACKET_RATE_LIMIT,
table_id=constants.LOCAL_IP_TABLE) table_id=constants.LOCAL_IP_TABLE)
def init_dhcp(self, enable_openflow_dhcp=False, enable_dhcpv6=False): def init_dhcp(self, enable_openflow_dhcp=False, enable_dhcpv6=False):
@ -184,7 +186,7 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge,
] ]
instructions = [ instructions = [
ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, actions), ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, actions),
ofpp.OFPInstructionGotoTable(table_id=constants.TRANSIENT_TABLE), ofpp.OFPInstructionGotoTable(table_id=constants.PACKET_RATE_LIMIT),
] ]
self.install_instructions( self.install_instructions(
instructions=instructions, instructions=instructions,
@ -265,7 +267,7 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge,
] ]
instructions = [ instructions = [
ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, actions), ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, actions),
ofpp.OFPInstructionGotoTable(table_id=constants.TRANSIENT_TABLE), ofpp.OFPInstructionGotoTable(table_id=constants.PACKET_RATE_LIMIT),
] ]
self.install_instructions(table_id=table_id, self.install_instructions(table_id=table_id,
priority=20, priority=20,
@ -366,7 +368,7 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge,
ip_proto=in_proto.IPPROTO_ICMPV6, ip_proto=in_proto.IPPROTO_ICMPV6,
icmpv6_type=icmpv6.ND_NEIGHBOR_ADVERT, icmpv6_type=icmpv6.ND_NEIGHBOR_ADVERT,
ipv6_nd_target=masked_ip, in_port=port, ipv6_nd_target=masked_ip, in_port=port,
dest_table_id=constants.TRANSIENT_TABLE) dest_table_id=constants.PACKET_RATE_LIMIT)
# Now that the rules are ready, direct icmpv6 neighbor advertisement # Now that the rules are ready, direct icmpv6 neighbor advertisement
# traffic from the port into the anti-spoof table. # traffic from the port into the anti-spoof table.
@ -522,7 +524,7 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge,
def install_garp_blocker_exception(self, vlan, ip, except_ip, def install_garp_blocker_exception(self, vlan, ip, except_ip,
table_id=constants.LOCAL_SWITCHING): table_id=constants.LOCAL_SWITCHING):
match = self._garp_blocker_exception_match(vlan, ip, except_ip) match = self._garp_blocker_exception_match(vlan, ip, except_ip)
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE, self.install_goto(dest_table_id=constants.PACKET_RATE_LIMIT,
table_id=table_id, table_id=table_id,
priority=11, priority=11,
match=match) match=match)

View File

@ -47,12 +47,21 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
call._send_msg(ofpp.OFPFlowMod(dp, call._send_msg(ofpp.OFPFlowMod(dp,
cookie=self.stamp, cookie=self.stamp,
instructions=[ instructions=[
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch(), match=ofpp.OFPMatch(),
priority=0, priority=0,
table_id=0), table_id=0),
active_bundle=None), active_bundle=None),
call._send_msg(ofpp.OFPFlowMod(dp,
cookie=self.stamp,
instructions=[
ofpp.OFPInstructionGotoTable(table_id=60),
],
match=ofpp.OFPMatch(),
priority=0,
table_id=59),
active_bundle=None),
call._send_msg(ofpp.OFPFlowMod(dp, call._send_msg(ofpp.OFPFlowMod(dp,
cookie=self.stamp, cookie=self.stamp,
instructions=[ instructions=[
@ -130,7 +139,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
call._send_msg(ofpp.OFPFlowMod( call._send_msg(ofpp.OFPFlowMod(
dp, cookie=self.stamp, dp, cookie=self.stamp,
instructions=[ instructions=[
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch(), match=ofpp.OFPMatch(),
priority=0, priority=0,
@ -139,7 +148,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
call._send_msg(ofpp.OFPFlowMod( call._send_msg(ofpp.OFPFlowMod(
dp, cookie=self.stamp, dp, cookie=self.stamp,
instructions=[ instructions=[
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch(), match=ofpp.OFPMatch(),
priority=0, priority=0,
@ -163,7 +172,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
ofpp.OFPActionSetField( ofpp.OFPActionSetField(
vlan_vid=lvid | ofp.OFPVID_PRESENT), vlan_vid=lvid | ofp.OFPVID_PRESENT),
]), ]),
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch( match=ofpp.OFPMatch(
in_port=port, in_port=port,
@ -190,7 +199,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
ofpp.OFPActionSetField( ofpp.OFPActionSetField(
vlan_vid=lvid | ofp.OFPVID_PRESENT), vlan_vid=lvid | ofp.OFPVID_PRESENT),
]), ]),
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch( match=ofpp.OFPMatch(
in_port=port, in_port=port,
@ -246,7 +255,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, [ ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, [
ofpp.OFPActionSetField(eth_src=gateway_mac), ofpp.OFPActionSetField(eth_src=gateway_mac),
]), ]),
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch( match=ofpp.OFPMatch(
eth_dst=dst_mac, eth_dst=dst_mac,
@ -316,7 +325,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, [ ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, [
ofpp.OFPActionSetField(eth_src=gateway_mac), ofpp.OFPActionSetField(eth_src=gateway_mac),
]), ]),
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch( match=ofpp.OFPMatch(
eth_dst=dst_mac, eth_dst=dst_mac,
@ -359,7 +368,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, [ ofpp.OFPInstructionActions(ofp.OFPIT_APPLY_ACTIONS, [
ofpp.OFPActionSetField(eth_src=gateway_mac), ofpp.OFPActionSetField(eth_src=gateway_mac),
]), ]),
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch( match=ofpp.OFPMatch(
eth_dst=dst_mac, eth_dst=dst_mac,
@ -502,7 +511,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
call._send_msg(ofpp.OFPFlowMod(dp, call._send_msg(ofpp.OFPFlowMod(dp,
cookie=self.stamp, cookie=self.stamp,
instructions=[ instructions=[
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch( match=ofpp.OFPMatch(
eth_type=self.ether_types.ETH_TYPE_IPV6, eth_type=self.ether_types.ETH_TYPE_IPV6,
@ -517,7 +526,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
call._send_msg(ofpp.OFPFlowMod(dp, call._send_msg(ofpp.OFPFlowMod(dp,
cookie=self.stamp, cookie=self.stamp,
instructions=[ instructions=[
ofpp.OFPInstructionGotoTable(table_id=60), ofpp.OFPInstructionGotoTable(table_id=59),
], ],
match=ofpp.OFPMatch( match=ofpp.OFPMatch(
eth_type=self.ether_types.ETH_TYPE_IPV6, eth_type=self.ether_types.ETH_TYPE_IPV6,
@ -768,7 +777,7 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
expected = [ expected = [
call._send_msg(ofpp.OFPFlowMod(dp, cookie=self.stamp, call._send_msg(ofpp.OFPFlowMod(dp, cookie=self.stamp,
instructions=[ instructions=[
ofpp.OFPInstructionGotoTable(table_id=60)], ofpp.OFPInstructionGotoTable(table_id=59)],
match=ofpp.OFPMatch( match=ofpp.OFPMatch(
vlan_vid=vlan | ofp.OFPVID_PRESENT, vlan_vid=vlan | ofp.OFPVID_PRESENT,
eth_type=self.ether_types.ETH_TYPE_ARP, eth_type=self.ether_types.ETH_TYPE_ARP,