Commit 6b8dc71e authored by David Johnson's avatar David Johnson

Patch Neutron openvswitch plugin to allow anti-ARP spoof rules to persist.

SDN controllers think they're king, right?  Why should the admin be able
to insert custom rules?  Well, this is why.  Oh wait, it's just that I
don't have a northbound interface or whatever.  Let me just implement
one of those for this plugin instead!
parent 7ba7cf3c
--- /usr/lib/python2.7/dist-packages/neutron/agent/linux/ovs_lib.py~ 2015-07-29 15:12:40.000000000 -0600
+++ /usr/lib/python2.7/dist-packages/neutron/agent/linux/ovs_lib.py 2015-10-06 12:01:54.713134417 -0600
@@ -219,6 +219,23 @@
def remove_all_flows(self):
self.run_ofctl("del-flows", [])
+ system_def_flows_file = "/etc/neutron/ovs-default-flows/%s" % (self.br_name,)
+ import os.path
+ if os.path.exists(system_def_flows_file):
+ try:
+ f = file(system_def_flows_file)
+ lines = f.readlines()
+ for line in lines:
+ line = line.rstrip('\n')
+ self.run_ofctl("add-flow",[line,])
+ LOG.debug("added system default flow on %s: %s" % (self.br_name,line))
+ pass
+ pass
+ except:
+ LOG.error("Could not reinstall system default flows on bridge %s from file %s:\n%s\n" % (self.br_name,system_def_flows_file,traceback.format_exc(),))
+ pass
+ pass
+ pass
@_ofport_retry
def _get_port_ofport(self, port_name):
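Review bot: The `except:` handler on the new lines references `traceback.format_exc()` but the hunk adds no `import traceback`; unless ovs_lib.py already imports it (not visible here), the first failure raises NameError from inside the handler and escapes remove_all_flows() instead of being logged. `LOG.exception("Could not reinstall system default flows on bridge %s from file %s", self.br_name, system_def_flows_file)` records the same traceback with no extra import, and `except Exception:` rather than a bare `except:` avoids swallowing KeyboardInterrupt/SystemExit. Note also that a single bad line (an empty line is enough, since `rstrip('\n')` leaves `""` to be passed to add-flow) aborts the loop, so every later rule in the file is skipped, the agent then installs its NORMAL rule, and the bridge runs without the anti-spoof flows until the next sweep; a comment should say whether that fail-open outcome is acceptable or whether the error should propagate. The `file()` handle is never closed; `with open(system_def_flows_file) as f:` fixes that.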
--- /usr/lib/python2.7/dist-packages/neutron/agent/common/ovs_lib.py~ 2015-07-29 15:12:40.000000000 -0600
+++ /usr/lib/python2.7/dist-packages/neutron/agent/common/ovs_lib.py 2015-10-06 12:01:54.713134417 -0600
@@ -219,6 +219,23 @@
def remove_all_flows(self):
self.run_ofctl("del-flows", [])
+ system_def_flows_file = "/etc/neutron/ovs-default-flows/%s" % (self.br_name,)
+ import os.path
+ if os.path.exists(system_def_flows_file):
+ try:
+ f = file(system_def_flows_file)
+ lines = f.readlines()
+ for line in lines:
+ line = line.rstrip('\n')
+ self.run_ofctl("add-flow",[line,])
+ LOG.debug("added system default flow on %s: %s" % (self.br_name,line))
+ pass
+ pass
+ except:
+ LOG.error("Could not reinstall system default flows on bridge %s from file %s:\n%s\n" % (self.br_name,system_def_flows_file,traceback.format_exc(),))
+ pass
+ pass
+ pass
@_ofport_retry
def _get_port_ofport(self, port_name):
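Review bot: The per-line loop spawns one root-helper `ovs-ofctl add-flow` per rule, which is exactly the sudo path the commit's own comments blame for hangs, and it leaks the `file()` handle. Provided run_ofctl() passes its args straight through (not visible here), `ovs-ofctl add-flows <bridge> <file>` installs the whole file in one invocation and ignores blank and `#` lines, so a stray empty line no longer aborts the reinstall halfway. The handler should also use `LOG.exception` instead of `traceback.format_exc()`, which this hunk uses without importing. Rewritten body (the `del-flows` line above it is unchanged):

```python
    system_def_flows_file = "/etc/neutron/ovs-default-flows/%s" % (self.br_name,)
    import os.path
    if not os.path.exists(system_def_flows_file):
        return
    try:
        # One ovs-ofctl call (one sudo) installs every "system" rule from
        # the file; blank/# lines are skipped by ovs-ofctl itself.
        self.run_ofctl("add-flows", [system_def_flows_file])
        LOG.debug("reinstalled system default flows on %s from %s",
                  self.br_name, system_def_flows_file)
    except Exception:
        # Best effort: the agent goes on to add its NORMAL rule, so the
        # bridge runs without the anti-spoof flows until the next sweep.
        LOG.exception("Could not reinstall system default flows on bridge %s from file %s",
                      self.br_name, system_def_flows_file)
```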
......@@ -122,6 +122,29 @@ admin_username = neutron
admin_password = ${NEUTRON_PASS}
EOF
#
# Ok, also put our FQDN into the hosts file so that local applications can
# resolve that pair even if the network happens to be down. This happens,
# for instance, because of our anti-ARP spoofing "patch" to the openvswitch
# agent (the agent remove_all_flow()s on a switch periodically and inserts a
# default normal forwarding rule, plus anything it needs --- our patch adds some
# anti-ARP spoofing rules after remove_all but BEFORE the default normal rule
# gets added back (this is just the nature of the existing code in Juno and Kilo
# (the situation is easier to patch more nicely on the master branch, but we
# don't have Liberty yet)) --- and because it adds the rules via command line
# using sudo, and sudo tries to lookup the hostname --- this can cause a hang.)
# Argh, what a pain. For the rest of this hack, see setup-ovs-node.sh, and
# setup-networkmanager.sh and setup-compute-network.sh where we patch the
# neutron openvswitch agent.
#
echo "$MYIP $NFQDN $PFQDN" >> /etc/hosts
#
# Patch the neutron openvswitch agent to try to stop inadvertent spoofing on
# the public emulab/cloudlab control net, sigh.
#
patch -d / -p0 < $DIRNAME/etc/neutron-${OSCODENAME}-openvswitch-remove-all-flows-except-system-flows.patch
service openvswitch-switch restart
service nova-compute restart
service neutron-plugin-openvswitch-agent restart
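Review bot: The exit status of `patch -d / -p0 < ...` is never checked, so if the hunk does not apply to the installed ovs_lib.py (the patch is pinned to line 219 of a specific package build) the script still restarts the agent and the anti-ARP-spoof flows silently stop persisting. The call is also not re-runnable: a second run sees a reversed patch, and without `-t`/`-N` patch may prompt or write `.rej` files. Checking for an already-applied patch first and aborting on a real failure keeps the protection verifiable:

```shell
PATCHFILE="$DIRNAME/etc/neutron-${OSCODENAME}-openvswitch-remove-all-flows-except-system-flows.patch"
if patch -d / -p0 -R -s -t --dry-run < "$PATCHFILE" >/dev/null 2>&1; then
    echo "neutron openvswitch agent patch already applied; skipping"
elif ! patch -d / -p0 -N -t < "$PATCHFILE"; then
    echo "ERROR: failed to apply $PATCHFILE; anti-ARP-spoof flows will not persist" >&2
    exit 1
fi
# … unchanged: service restarts …
```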
......
......@@ -166,6 +166,29 @@ interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True
EOF
#
# Ok, also put our FQDN into the hosts file so that local applications can
# resolve that pair even if the network happens to be down. This happens,
# for instance, because of our anti-ARP spoofing "patch" to the openvswitch
# agent (the agent remove_all_flow()s on a switch periodically and inserts a
# default normal forwarding rule, plus anything it needs --- our patch adds some
# anti-ARP spoofing rules after remove_all but BEFORE the default normal rule
# gets added back (this is just the nature of the existing code in Juno and Kilo
# (the situation is easier to patch more nicely on the master branch, but we
# don't have Liberty yet)) --- and because it adds the rules via command line
# using sudo, and sudo tries to lookup the hostname --- this can cause a hang.)
# Argh, what a pain. For the rest of this hack, see setup-ovs-node.sh, and
# setup-networkmanager.sh and setup-compute-network.sh where we patch the
# neutron openvswitch agent.
#
echo "$MYIP $NFQDN $PFQDN" >> /etc/hosts
#
# Patch the neutron openvswitch agent to try to stop inadvertent spoofing on
# the public emulab/cloudlab control net, sigh.
#
patch -d / -p0 < $DIRNAME/etc/neutron-${OSCODENAME}-openvswitch-remove-all-flows-except-system-flows.patch
service openvswitch-switch restart
service neutron-plugin-openvswitch-agent restart
service neutron-l3-agent restart
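Review bot: Same problem as the compute-node script: `patch -d / -p0 < ...` runs unchecked, so a hunk that fails to apply leaves the agent unpatched while the services are restarted as if it succeeded. At minimum make the failure visible, e.g. `patch -d / -p0 -N -t < "$P" || { echo "ERROR: neutron ovs agent patch failed" >&2; exit 1; }` (on a deliberate re-run `-N` reports the already-applied hunks as skipped with status 1, so guard with a prior `patch -R --dry-run` if the script must be re-runnable). The `echo "$MYIP $NFQDN $PFQDN" >> /etc/hosts` line likewise appends a duplicate entry on every run; a `grep -q "$NFQDN" /etc/hosts ||` guard keeps it idempotent.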
......
......@@ -227,21 +227,37 @@ OURNET=`ip addr show br-ex | sed -n -e 's/.*inet \([0-9\.\/]*\) .*/\1/p'`
# Grab the port that corresponds to our
OURPORT=`ovs-ofctl show br-ex | sed -n -e "s/[ \t]*\([0-9]*\)(${EXTERNAL_NETWORK_INTERFACE}.*\$/\1/p"`
ovs-ofctl add-flow br-ex \
"dl_type=0x0806,nw_proto=0x2,arp_spa=${MYIP},actions=NORMAL"
#
# Ok, make the anti-ARP spoofing rules live, and also place them in the right
# place to be picked up by our neutron openvswitch agent so that when it
# remove_all_flows() it also installs our "system" defaults.
#
mkdir -p /etc/neutron/ovs-default-flows
FF=/etc/neutron/ovs-default-flows/br-ex
touch ${FF}
FLOW="dl_type=0x0806,nw_proto=0x2,arp_spa=${MYIP},actions=NORMAL"
ovs-ofctl add-flow br-ex "$FLOW"
echo "$FLOW" >> $FF
for addr in $PUBLICADDRS ; do
ovs-ofctl add-flow br-ex \
"dl_type=0x0806,nw_proto=0x2,arp_spa=${addr},actions=NORMAL"
FLOW="dl_type=0x0806,nw_proto=0x2,arp_spa=${addr},actions=NORMAL"
ovs-ofctl add-flow br-ex "$FLOW"
echo "$FLOW" >> $FF
done
# Allow any inbound ARP replies on the control network.
ovs-ofctl add-flow br-ex \
"dl_type=0x0806,nw_proto=0x2,arp_spa=${OURNET},in_port=${OURPORT},actions=NORMAL"
FLOW="dl_type=0x0806,nw_proto=0x2,arp_spa=${OURNET},in_port=${OURPORT},actions=NORMAL"
ovs-ofctl add-flow br-ex "$FLOW"
echo "$FLOW" >> $FF
# Drop any other control network addr ARP replies on the br-ex switch.
ovs-ofctl add-flow br-ex \
"dl_type=0x0806,nw_proto=0x2,arp_spa=${OURNET},actions=drop"
# Also, drop Emulab vnode control network addr ARP replies on br-ex!
ovs-ofctl add-flow br-ex \
"dl_type=0x0806,nw_proto=0x2,arp_spa=172.16.0.0/12,actions=drop"
FLOW="dl_type=0x0806,nw_proto=0x2,arp_spa=${OURNET},actions=drop"
ovs-ofctl add-flow br-ex "$FLOW"
echo "$FLOW" >> $FF
# Also, drop Emulab vnode control network addr ARP replies on br-ex!
FLOW="dl_type=0x0806,nw_proto=0x2,arp_spa=172.16.0.0/12,actions=drop"
ovs-ofctl add-flow br-ex "$FLOW"
echo "$FLOW" >> $FF
exit 0
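Review bot: None of the flows carry an explicit `priority=`, so the per-address allow rules (`arp_spa=${MYIP},actions=NORMAL`) and the `arp_spa=${OURNET},actions=drop` rule all sit at the default priority and overlap for the host's own addresses; ovs-ofctl documents which of several equal-priority matching flows wins as unspecified, so the host's legitimate ARP replies may be dropped on some builds. Give the allows a higher priority than the drops, e.g. `FLOW="priority=100,dl_type=0x0806,nw_proto=0x2,arp_spa=${MYIP},actions=NORMAL"` and `FLOW="priority=50,dl_type=0x0806,nw_proto=0x2,arp_spa=${OURNET},actions=drop"`. `touch ${FF}` plus `echo "$FLOW" >> $FF` also accumulates duplicate lines across re-runs; `: > "${FF}"` truncates the file before the rules are rewritten. Finally, these rules only match ARP replies (`nw_proto=0x2`); a forged sender address in an ARP request also updates cache entries on many stacks, so the comment should state that requests are deliberately left alone or the drop rules should match on `arp_spa` regardless of opcode.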