Commit 733bace8 authored by David Johnson's avatar David Johnson

Use new OVS anti-spoofing mechanism for Mitaka and on.

Now the OVS openflow backends both support not touching flows with
reserved cookies, but don't give us a way to reserve cookies from
outside the agent.  So, hack in a quick "reservation", then replay the
br-ex flows tagged with the reserved cookie.  Cookies are unique per
physical node.
parent 147145e2
--- /usr/lib/python2.7/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/br_cookie.py~ 2016-08-29 12:09:29.000000000 -0600
+++ /usr/lib/python2.7/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/br_cookie.py 2016-10-27 16:29:22.185857224 -0600
@@ -15,6 +15,8 @@
from neutron.agent.common import ovs_lib
+import os
+import os.path
class OVSBridgeCookieMixin(object):
'''Mixin to provide cookie retention functionality
@@ -24,7 +26,19 @@
def __init__(self, *args, **kwargs):
super(OVSBridgeCookieMixin, self).__init__(*args, **kwargs)
self._reserved_cookies = set()
-
+ if not os.path.exists("/var/lib/neutron/ovs-default-flows.reserved_cookie"):
+ sc = self.request_cookie()
+ self._reserved_cookies.add(sc)
+ f = file("/var/lib/neutron/ovs-default-flows.reserved_cookie",'w')
+ f.write(str(sc))
+ f.close()
+ else:
+ f = file("/var/lib/neutron/ovs-default-flows.reserved_cookie",'r')
+ sc = int(f.read())
+ f.close()
+ self._reserved_cookies.add(sc)
+ pass
+
@property
def reserved_cookies(self):
if self._default_cookie not in self._reserved_cookies:
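Review bot: The write path at lines 27–29 opens the cookie file with `'w'`, which truncates it before `f.write(str(sc))` runs, so an agent crash or host reset in that window leaves an empty file, and from then on the `else` branch's `int(f.read())` at line 32 raises ValueError on every start — the agent never comes up, and a missing or unreadable `/var/lib/neutron` path raises IOError out of `__init__` just the same. Write to a sibling temp file and `os.rename()` it into place so a reader only ever sees a complete value, and handle an unreadable or unparsable file explicitly; the version below falls back to requesting a fresh cookie, which is what a brand-new node does anyway, though regenerate-vs-fail-loudly is a policy choice since a regenerated cookie no longer matches flows already tagged with the old one. The file is also created with the process umask, so an `os.chmod(tmp, 0o600)` keeps the node's reservation cookie readable by root only. Every bridge object built from this mixin re-reads the same file, which looks intended ("cookies are unique per physical node") but deserves a comment saying so. The `reserved_cookies` property continues past the end of the hunk.
```python
    def __init__(self, *args, **kwargs):
        super(OVSBridgeCookieMixin, self).__init__(*args, **kwargs)
        self._reserved_cookies = set()
        # One cookie per physical node, shared by every bridge object, so
        # flows the setup script tags with it survive the agent's cleanup.
        self._reserved_cookies.add(self._load_or_create_node_cookie())

    def _load_or_create_node_cookie(self):
        path = "/var/lib/neutron/ovs-default-flows.reserved_cookie"
        try:
            with open(path, 'r') as f:
                return int(f.read().strip())
        except (IOError, ValueError):
            # Missing, unreadable or truncated file: start over rather than
            # failing every agent start from here on.
            pass
        sc = self.request_cookie()
        tmp = path + ".tmp"
        with open(tmp, 'w') as f:
            f.write(str(sc))
        os.chmod(tmp, 0o600)
        os.rename(tmp, path)  # atomic: a reader never sees a partial file
        return sc
```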
......@@ -177,7 +177,11 @@ echo "$MYIP $NFQDN $PFQDN" >> /etc/hosts
# Patch the neutron openvswitch agent to try to stop inadvertent spoofing on
# the public emulab/cloudlab control net, sigh.
#
patch -d / -p0 < $DIRNAME/etc/neutron-${OSCODENAME}-openvswitch-remove-all-flows-except-system-flows.patch
if [ $OSVERSION -le $OSLIBERTY ]; then
patch -d / -p0 < $DIRNAME/etc/neutron-${OSCODENAME}-openvswitch-remove-all-flows-except-system-flows.patch
else
patch -d / -p0 < $DIRNAME/etc/neutron-${OSCODENAME}-ovs-reserved-cookies.patch
fi
#
# https://git.openstack.org/cgit/openstack/neutron/commit/?id=51f6b2e1c9c2f5f5106b9ae8316e57750f09d7c9
......@@ -203,6 +207,28 @@ else
service_enable neutron-openvswitch-agent
fi
if [ $OSVERSION -gt $OSLIBERTY ]; then
# If we are using the reserved cookies patch, we have to figure out
# what our cookie is, read it, and then edit all the anti-spoofing
# flows to have our reserved cookie -- and then re-insert them all.
# We don't know what our per-host reserved cookie is until the
# patched ovs code creates one on the first startup after patch.
echo "*** Re-adding OVS anti-spoofing flows with reserved cookie..."
i=30
while [ ! -f /var/lib/neutron/ovs-default-flows.reserved_cookie -a $i -gt 0 ]; do
sleep 1
i=`expr $i - 1`
done
if [ -f /var/lib/neutron/ovs-default-flows.reserved_cookie -a -f /etc/neutron/ovs-default-flows/br-ex ]; then
cookie=`cat /var/lib/neutron/ovs-default-flows.reserved_cookie`
for fl in `cat /etc/neutron/ovs-default-flows/br-ex`; do
echo "cookie=$cookie,$fl" >> /etc/neutron/ovs-default-flows/br-ex.tmp
ovs-ofctl add-flow br-ex "cookie=$cookie,$fl"
done
mv /etc/neutron/ovs-default-flows/br-ex.tmp /etc/neutron/ovs-default-flows/br-ex
fi
fi
touch $OURDIR/setup-network-plugin-openvswitch-done
logtend "network-plugin-openvswitch"
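Review bot: When the 30-second wait at lines 62–66 times out, the `if` at line 67 silently skips the block and the script still touches the done marker at line 76, so a node whose agent never wrote the cookie file ends up with no br-ex anti-spoofing flows and nothing in the log says so; emit a warning (or fail) when the file is still absent after the loop. Separately, `for fl in \`cat .../br-ex\`` at line 69 word-splits on every blank, so a flow line containing a space (the file's format is not visible here, but ovs-ofctl flow strings commonly have one) would be re-added as fragments; a `while read -r` loop over the file keeps each line intact, and an `rm -f` of br-ex.tmp before the loop stops leftovers from an earlier partial run being merged in by the `>>` at line 70. The `[ ... -a ... ]` form at lines 63 and 67 is the obsolete one; two `[ ]` tests joined with `&&` behave the same in every POSIX shell.
```shell
    if [ ! -f /var/lib/neutron/ovs-default-flows.reserved_cookie ]; then
        echo "*** WARNING: reserved cookie file never appeared; br-ex anti-spoofing flows were NOT re-added"
    fi
    if [ -f /var/lib/neutron/ovs-default-flows.reserved_cookie ] && [ -f /etc/neutron/ovs-default-flows/br-ex ]; then
        cookie=`cat /var/lib/neutron/ovs-default-flows.reserved_cookie`
        rm -f /etc/neutron/ovs-default-flows/br-ex.tmp
        while read -r fl; do
            [ -z "$fl" ] && continue
            echo "cookie=$cookie,$fl" >> /etc/neutron/ovs-default-flows/br-ex.tmp
            ovs-ofctl add-flow br-ex "cookie=$cookie,$fl"
        done < /etc/neutron/ovs-default-flows/br-ex
        # … unchanged: mv br-ex.tmp into place …
    fi
```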
......