Commit
Omit ACLs for nd || nd_ra || nd_rs || mldv1 || mldv2
When setting flows for LS, OVN distinguishes between two states: where there's a stateful ACL present in its list (has_stateful == true *) and when it's missing (all ACLs are stateless). When has_stateful == true, the following is done (among other things):

- ct handling flows are set;
- they are omitted by a higher priority flow for "service" protocols: NA, RA, MLD.

The latter is done because of a known issue in kernel ct implementation for the protocols:

* https://bugzilla.kernel.org/show_bug.cgi?id=11797

The assumption is that by default OVN allows all traffic unless explicitly forbidden, so omitting ct flows only avoids ct machinery but doesn't affect functional behavior of flow tables for the protocols. But if an ACL that forbids these protocols is configured, because of the ct omittance, this ACL is not in effect. (But only when has_stateful == true.)

This behavior results in inconsistent and confusing behavior in OpenStack Neutron where (1) the default security group behavior is drop all IP traffic (achieved with default "drop" Port_Group); and (2) ports that have stateful and stateless ACLs configured can co-exist in the same network. In which case, depending on other "stateful" ports present in the network, "stateless" ports may or may not observe RA / NA / MLD traffic. Which affects their IPv6 address configuration.

In this patch, I suggest that we don't make RA / NA / MLD behavior dependent on whether "stateful" ACLs are present. Instead, make the protocols always allowed, regardless of ACLs configured (whether stateful ACLs or ACLs that forbid packets of these protocols).

Note: an argument can be made that the same "always-on" behavior should be guaranteed for ARP protocol that serves a similar goal in an IPv4 network as RA / NA do for IPv6 networks. This scenario is not directly related to the inconsistency between "purely stateless" and "mixed-stateful" networks and hence is left for a follow-up patch.

Note: this patch carries a test case that utilizes scapy tool to construct packets for the protocols under test. A proper backport may demand backporting scapy related patches too.

Reported-At: https://bugs.launchpad.net/neutron/+bug/2006949
Reported-At: https://bugzilla.redhat.com/show_bug.cgi?id=2149731
Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com>
Signed-off-by: Dumitru Ceara <dceara@redhat.com>