From 14ee32940c87186d36b253773e1d73b5274349bf Mon Sep 17 00:00:00 2001
From: IWAMOTO Toshihiro
Date: Wed, 19 Oct 2016 15:28:32 +0900
Subject: [PATCH] ovsfw: Add a dl_type match for action=ct flows
Recently ovs has been changed to require a dl_type match for action=ct flows.
Change-Id: I9040d8c50ee30f5daef7ea931a28cd0cf7855f3e
Closes-bug: #1634757
---
 .../linux/openvswitch_firewall/firewall.py | 62 ++++++++++---------
 1 file changed, 34 insertions(+), 28 deletions(-)
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index b3f54a7a630..48f08541605 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -483,14 +483,16 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 ovsfw_consts.REG_PORT, ovs_consts.BASE_INGRESS_TABLE),
 )
- self._add_flow(
- table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
- priority=90,
- reg_port=port.ofport,
- ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
- actions='ct(commit,zone=NXM_NX_REG{:d}[0..15]),normal'.format(
- ovsfw_consts.REG_NET)
- )
+ for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
+ self._add_flow(
+ table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
+ priority=90,
+ dl_type=ethertype,
+ reg_port=port.ofport,
+ ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
+ actions='ct(commit,zone=NXM_NX_REG{:d}[0..15]),normal'.format(
+ ovsfw_consts.REG_NET)
+ )
 self._add_flow(
 table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
 priority=80,
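Review bot: The literal list `[constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]` is now spelled out three times — here and again in the RULES_EGRESS_TABLE and RULES_INGRESS_TABLE hunks that follow — so a future ethertype change has to be made in three places; hoist it once, e.g. a module-level `CT_ETHERTYPES = (constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6)` beside the other flow constants, and loop over that in all three methods. The reason for the loop lives only in the commit message, so a one-line comment above it would help the next reader: `# OVS rejects action=ct flows without a dl_type match, so commit once per L3 ethertype`. The hunk does not show this module's imports, so confirm `constants` (providing ETHERTYPE_IP/ETHERTYPE_IPV6) is already imported at the top of the file. Non-IP frames that previously matched this priority-90 ct(commit) flow now fall through to the priority-80 flow below; presumably that is intended, since ct_state only applies to conntrack-able traffic, but it is a behaviour change worth stating in the commit message. The enclosing method starts before and ends after this hunk.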
@@ -535,16 +537,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 ct_state=ovsfw_consts.OF_STATE_NOT_ESTABLISHED,
 actions='drop'
 )
- self._add_flow(
- table=ovs_consts.RULES_EGRESS_TABLE,
- priority=40,
- reg_port=port.ofport,
- ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
- actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
- "exec(set_field:{:s}->ct_mark))".format(
- ovsfw_consts.REG_NET,
- ovsfw_consts.CT_MARK_INVALID)
- )
+ for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
+ self._add_flow(
+ table=ovs_consts.RULES_EGRESS_TABLE,
+ priority=40,
+ dl_type=ethertype,
+ reg_port=port.ofport,
+ ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
+ actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
+ "exec(set_field:{:s}->ct_mark))".format(
+ ovsfw_consts.REG_NET,
+ ovsfw_consts.CT_MARK_INVALID)
+ )
 def _initialize_ingress_ipv6_icmp(self, port):
 for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
@@ -644,16 +648,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 ct_state=ovsfw_consts.OF_STATE_NOT_ESTABLISHED,
 actions='drop'
 )
- self._add_flow(
- table=ovs_consts.RULES_INGRESS_TABLE,
- priority=40,
- reg_port=port.ofport,
- ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
- actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
- "exec(set_field:{:s}->ct_mark))".format(
- ovsfw_consts.REG_NET,
- ovsfw_consts.CT_MARK_INVALID)
- )
+ for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
+ self._add_flow(
+ table=ovs_consts.RULES_INGRESS_TABLE,
+ priority=40,
+ dl_type=ethertype,
+ reg_port=port.ofport,
+ ct_state=ovsfw_consts.OF_STATE_ESTABLISHED,
+ actions="ct(commit,zone=NXM_NX_REG{:d}[0..15],"
+ "exec(set_field:{:s}->ct_mark))".format(
+ ovsfw_consts.REG_NET,
+ ovsfw_consts.CT_MARK_INVALID)
+ )
 def add_flows_from_rules(self, port):
 self._initialize_tracked_ingress(port)
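Review bot: In the RULES_EGRESS_TABLE loop the `actions` string is rebuilt with `.format(ovsfw_consts.REG_NET, ovsfw_consts.CT_MARK_INVALID)` on every iteration although it does not depend on `ethertype`; the RULES_INGRESS_TABLE hunk that follows has the same shape. Bind it once before the loop, `mark_invalid = "ct(commit,zone=NXM_NX_REG{:d}[0..15],exec(set_field:{:s}->ct_mark))".format(ovsfw_consts.REG_NET, ovsfw_consts.CT_MARK_INVALID)`, and pass `actions=mark_invalid` inside the loop, which also makes it obvious that the only per-iteration difference is the `dl_type` match. A brief comment such as `# established flows that reach here matched no rule: mark them invalid in conntrack` above the loop would record why the ct_mark is set, which the hunk leaves to the reader. Both enclosing methods begin before their respective hunks.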