Public bug reported:

A port's allowed_address_pairs allows a different IP and MAC to be set for the port.

The current ovsfw implementation has this issue for allowed_address_pairs with a MAC different from the VM's MAC:
1. Packets with the allowed_address_pairs' MAC and IP (a MAC different from the VM's MAC) cannot come out of the VM because the table=72 OpenFlow only checks dl_src=VM-MAC in br-int.
2. Cannot ping from outside to the VM's allowed_address_pairs' MAC and IP (a MAC different from the VM's MAC) because the table=0 OpenFlow only checks dl_dst=VM-MAC.

We need to allow the situation where address_pairs have a MAC different from the VM's MAC.

Suggested change:
1. Do not check dl_src in table=72 because table=72 has checked dl_src for Egress
2. Add all allowed MACs in table=0 and table=73 for Ingress
3. Check dl_dst and nw_dst in table=81 as table=71 does
4. Do not check dl_dst in table=82 because this check has been done in table=0 and table=73

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1697593

Title:
  ovsfw issue for allowed_address_pairs

Status in neutron:
  New
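
The checks described in the report, as an added example that is not Neutron's ovsfw code: a simplified Python model of the dl_src match the report attributes to table=72 and the dl_dst match it attributes to table=0, before and after the suggested change. The Port class, function names and sample addresses are constructed, and binding each source MAC to its own IP range on egress is an assumption of this model.

```python
"""Simplified model of the MAC/IP checks in the report (not Neutron code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Port:
    mac: str          # the VM's own MAC
    fixed_ips: list   # IPs assigned to the port
    # (mac, cidr) tuples; constructed stand-in for allowed_address_pairs
    allowed_address_pairs: list = field(default_factory=list)

    def pairs(self):
        """All (MAC, network) pairs the port may legitimately use."""
        own = [(self.mac.lower(), ip_network(ip)) for ip in self.fixed_ips]
        extra = [(m.lower(), ip_network(c))
                 for m, c in self.allowed_address_pairs]
        return own + extra


def egress_ok(port, src_mac, src_ip, vm_mac_only):
    """Egress anti-spoofing: (src MAC, src IP) must be a pair of the port.

    vm_mac_only=True adds the dl_src=VM-MAC match the report attributes to
    table=72; False models the suggested change (pair check only).
    """
    src_mac = src_mac.lower()
    pair_ok = any(src_mac == m and ip_address(src_ip) in net
                  for m, net in port.pairs())
    if vm_mac_only:
        return pair_ok and src_mac == port.mac.lower()
    return pair_ok


def ingress_ok(port, dst_mac, vm_mac_only):
    """Ingress classification by dl_dst, as the report describes for table=0."""
    dst_mac = dst_mac.lower()
    if vm_mac_only:
        return dst_mac == port.mac.lower()
    return dst_mac in {m for m, _ in port.pairs()}


# Constructed sample port: VM MAC plus one pair with a different MAC.
PORT = Port(mac="fa:16:3e:00:00:01", fixed_ips=["10.0.0.5"],
            allowed_address_pairs=[("fa:16:3e:00:00:aa", "10.0.0.100/32")])
```

With vm_mac_only=False the pair's MAC passes in both directions, while a frame that combines the pair's MAC with the VM's fixed IP is still rejected on egress.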