Bug 1805709

Summary: | [OVN] MAC anti-spoof filtering still works if port_security is disabled
---|---
Product: | Red Hat Enterprise Linux Fast Datapath
Component: | ovn2.11
Version: | FDP 20.A
Status: | CLOSED ERRATA
Severity: | high
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Type: | Bug
Reporter: | Maciej Józefczyk <mjozefcz>
Assignee: | Numan Siddique <nusiddiq>
QA Contact: | ying xu <yinxu>
CC: | ctrautma, fhallal, kfida, nusiddiq, sathlang
Last Closed: | 2020-04-14 14:29:49 UTC
Bug Blocks: | 1816087

Description
Maciej Józefczyk
2020-02-21 12:32:19 UTC
I don't think this is a bug. OVN DHCP will only work if there's an IP set in the addresses column. You need to append "unknown" to the logical port if you want to allow any MAC address from/to the port and also clear the port_security column.

Created attachment 1666925 [details]
patch-with-failing-ut
Created attachment 1667195 [details]
patch-with-failing-2-ut
*** Bug 1784807 has been marked as a duplicate of this bug. ***

Reproduced on version:

```
# rpm -qa|grep ovn
ovn2.11-2.11.1-37.el7fdp.x86_64
ovn2.11-host-2.11.1-37.el7fdp.x86_64
ovn2.11-central-2.11.1-37.el7fdp.x86_64
```

server:

```
# dhcp options
local dhcp_102=$(ovn-nbctl create DHCP_Options cidr=42.42.42.0/24 \
    options="\"server_id\"=\"42.42.42.254\" \"server_mac\"=\"00:de:ad:ff:01:02\" \
    \"lease_time\"=\"3600\" \"router\"=\"42.42.42.254\"")
echo $dhcp_102

ovn-nbctl ls-add ls
ovn-nbctl lsp-add ls vm1
ovn-nbctl lsp-set-addresses vm1 "00:00:00:00:00:01 42.42.42.2" unknown
rlRun "ovn-nbctl lsp-set-dhcpv4-options vm1 $dhcp_102"
rlRun "ovn-nbctl lsp-get-dhcpv4-options vm1"
ovn-nbctl lsp-add ls vm2
ovn-nbctl lsp-set-addresses vm2 "00:00:00:00:00:02 42.42.42.3"
rlRun "ovn-nbctl lsp-set-dhcpv4-options vm2 $dhcp_102"
rlRun "ovn-nbctl lsp-get-dhcpv4-options vm2"

ip netns add vm1
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
ip link set vm1 netns vm1
ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:01
ip netns exec vm1 ip link set vm1 up
ip netns exec vm1 ip link set lo up
ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
ip netns exec vm1 dhclient -i vm1 -v
```

client:

```
ip netns add vm2
ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
ip link set vm2 netns vm2
ip netns exec vm2 ip link set vm2 address 00:00:00:00:00:02
ip netns exec vm2 ip link set vm2 up
ip netns exec vm2 ip link set lo up
ovs-vsctl set Interface vm2 external_ids:iface-id=vm2
sync_set server $FUNCNAME
sync_wait server $FUNCNAME
pkill dhclient
ip netns exec vm2 dhclient -v -i vm2
```

and then change the mac address of vm1:

```
ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:03
```

ping vm1 from vm2:

```
ip netns exec vm2 ping 42.42.42.2
PING 42.42.42.2 (42.42.42.2) 56(84) bytes of data.
--- 42.42.42.2 ping statistics ---
50 packets transmitted, 0 received, 100% packet loss, time 48999ms
```

Verified on version:

```
# rpm -qa|grep ovn
ovn2.11-2.11.1-38.el7fdp.x86_64
ovn2.11-host-2.11.1-38.el7fdp.x86_64
ovn2.11-central-2.11.1-38.el7fdp.x86_64
```

change the mac of vm1, and then ping from vm2 to vm1:

```
ip netns exec vm2 ping 42.42.42.2 -c 50
PING 42.42.42.2 (42.42.42.2) 56(84) bytes of data.
64 bytes from 42.42.42.2: icmp_seq=1 ttl=64 time=1.22 ms
64 bytes from 42.42.42.2: icmp_seq=2 ttl=64 time=0.254 ms
64 bytes from 42.42.42.2: icmp_seq=3 ttl=64 time=0.243 ms
64 bytes from 42.42.42.2: icmp_seq=4 ttl=64 time=0.225 ms
64 bytes from 42.42.42.2: icmp_seq=5 ttl=64 time=0.236 ms
```

set verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1458
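The rule given in the comments (append "unknown" to the port's addresses and clear port_security to allow any MAC) can be checked per port before relying on it. This is an added example, not code from the bug report or from OVN: the function names, result labels and inventory format are assumptions, and the sample data is constructed from the reproduction's addresses.

```shell
# Added example, not from the bug report. Function names, result labels and
# the inventory format are hypothetical; the rule is the one from the comments.

# True if one address entry (one per line) is exactly "unknown".
has_unknown() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*unknown[[:space:]]*$'
}

# classify_lsp ADDRESSES PORT_SECURITY   (entries separated by newlines)
#   filtered     port_security is set, so anti-spoof filtering is requested
#   any-mac      port_security is clear and addresses contains "unknown"
#   listed-only  port_security is clear but "unknown" is missing
classify_lsp() {
    if [ -n "$(printf '%s' "$2" | tr -d '[:space:]')" ]; then
        echo filtered
    elif has_unknown "$1"; then
        echo any-mac
    else
        echo listed-only
    fi
}

# Live lookup; needs ovn-nbctl and a reachable northbound database.
classify_live_port() {
    classify_lsp "$(ovn-nbctl lsp-get-addresses "$1")" \
                 "$(ovn-nbctl lsp-get-port-security "$1")"
}

# Constructed inventory: name|addresses (comma-separated)|port_security
sample_inventory() {
    cat <<'EOF'
vm1|00:00:00:00:00:01 42.42.42.2,unknown|
vm2|00:00:00:00:00:02 42.42.42.3|
vm3|00:00:00:00:00:04 42.42.42.4|00:00:00:00:00:04 42.42.42.4
vm4|00:00:00:00:00:05 42.42.42.5,unknown|00:00:00:00:00:05
EOF
}

# Print "name class" for every inventory line on stdin.
audit_ports() {
    while IFS='|' read -r name addrs psec; do
        echo "$name $(classify_lsp "$(printf '%s' "$addrs" | tr ',' '\n')" "$psec")"
    done
}

sample_inventory | audit_ports
```

The vm4 row covers the half-applied case: "unknown" was appended but port_security was never cleared, so the port still reports as filtered.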