Merge pull request #293 from stackhpc/upstream/2026.1-2026-06-08

Synchronise 2026.1 with upstream

This PR contains a snapshot of 2026.1 from upstream stable/2026.1.

Reviewed-by: Michał Nasiadka

Author: stackhpc-zuul[bot]

neutron/agent/linux/openvswitch_firewall/firewall.py

@@ -557,6 +557,7 @@ def __init__(self, integration_bridge):
         self._initialize_sg()
         self._update_cookie = None
         self._deferred = False
+        self._ports_pending_invalid_ct_cleanup = []
         self.iptables_helper = iptables.Helper(self.int_br.br)
         self.iptables_helper.load_driver_if_needed()
         self.ipconntrack = ip_conntrack.OvsIpConntrackManager()
@@ -702,11 +703,22 @@ def _get_port_physical_network(self, port_name):
         return get_physical_network_from_other_config(
             self.int_br.br, port_name)
 
-    def _delete_invalid_conntrack_entries_for_port(self, port, of_port):
-        port['of_port'] = of_port
+    def _delete_invalid_conntrack_entries_for_port(self, ports):
         for ethertype in [lib_const.IPv4, lib_const.IPv6]:
             self.ipconntrack.delete_conntrack_state_by_remote_ips(
-                [port], ethertype, set(), mark=ovsfw_consts.CT_MARK_INVALID)
+                ports, ethertype, set(), mark=ovsfw_consts.CT_MARK_INVALID)
+
+    def _schedule_invalid_conntrack_entries_cleanup(self, port):
+        if self._deferred:
+            self._ports_pending_invalid_ct_cleanup.append(port)
+        else:
+            self._delete_invalid_conntrack_entries_for_port([port])
+
+    def _flush_pending_invalid_conntrack_cleanup(self):
+        self._delete_invalid_conntrack_entries_for_port(
+            self._ports_pending_invalid_ct_cleanup
+        )
+        self._ports_pending_invalid_ct_cleanup = []
 
     def get_ofport(self, port):
         port_id = port['device']
@@ -768,7 +780,8 @@ def prepare_port_filter(self, port):
                 self._update_flows_for_port(of_port, old_of_port)
             else:
                 self._set_port_filters(of_port)
-            self._delete_invalid_conntrack_entries_for_port(port, of_port)
+            port['of_port'] = of_port
+            self._schedule_invalid_conntrack_entries_cleanup(port)
         except exceptions.OVSFWPortNotFound as not_found_error:
             LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
                      {'port_id': port['device'],
@@ -808,7 +821,8 @@ def update_port_filter(self, port):
             else:
                 self._set_port_filters(of_port)
 
-            self._delete_invalid_conntrack_entries_for_port(port, of_port)
+            port['of_port'] = of_port
+            self._schedule_invalid_conntrack_entries_cleanup(port)
 
         except exceptions.OVSFWPortNotFound as not_found_error:
             LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
@@ -897,11 +911,13 @@ def remove_trusted_ports(self, port_ids):
 
     def filter_defer_apply_on(self):
         self._deferred = True
+        self._ports_pending_invalid_ct_cleanup = []
 
     def filter_defer_apply_off(self):
         if self._deferred:
             self._cleanup_stale_sg()
             self.int_br.apply_flows()
+            self._flush_pending_invalid_conntrack_cleanup()
             self._deferred = False
 
     @property

neutron/agent/ovn/metadata/agent.py

@@ -629,6 +629,11 @@ def _get_port_ip4_ips_and_ip6_flag(self, port):
             LOG.warning("Port %s MAC column is empty, cannot retrieve IP "
                         "addresses", port.uuid)
             return [], False
+        if port.mac == [ovn_const.UNKNOWN_ADDR]:
+            LOG.warning("Port %s MAC column value is %s, this port will "
+                        "not have metadata service", port.uuid, port.mac)
+            return [], False
+
         mac, ips = ovn_utils.get_mac_and_ips_from_port_binding(port)
         if not ips:
             LOG.debug("Port %s IP addresses were not retrieved from the "

neutron/plugins/ml2/extensions/dns_integration.py

@@ -351,35 +351,42 @@ class DNSExtensionDriverML2(DNSExtensionDriver):
     def __init__(self):
         super().__init__()
         self._vlan_driver = None
+        self._tunnel_drivers = {}
         self._plugin = None
 
     def initialize(self):
         LOG.info("DNSExtensionDriverML2 initialization complete")
 
+    @property
+    def plugin(self):
+        if not self._plugin:
+            self._plugin = directory.get_plugin()
+        return self._plugin
+
     @property
     def vlan_driver(self):
         if not self._vlan_driver:
-            if not self._plugin:
-                self._plugin = directory.get_plugin()
-            self._vlan_driver = self._plugin.type_manager.drivers.get(
+            self._vlan_driver = self.plugin.type_manager.drivers.get(
                 lib_const.TYPE_VLAN)
         return self._vlan_driver
 
-    def _is_tunnel_project_network(self, provider_net):
-        if provider_net['network_type'] == lib_const.TYPE_GENEVE:
-            tunnel_ranges = cfg.CONF.ml2_type_geneve.vni_ranges
-        elif provider_net['network_type'] == lib_const.TYPE_VXLAN:
-            tunnel_ranges = cfg.CONF.ml2_type_vxlan.vni_ranges
-        else:
-            tunnel_ranges = cfg.CONF.ml2_type_gre.tunnel_id_ranges
+    def get_tunnel_driver(self, network_type):
+        if network_type not in self._tunnel_drivers:
+            self._tunnel_drivers[network_type] = (
+                self.plugin.type_manager.drivers.get(network_type))
+        return self._tunnel_drivers[network_type]
 
+    def _is_tunnel_project_network(self, provider_net):
+        network_type = provider_net['network_type']
+        tunnel_driver = self.get_tunnel_driver(network_type)
+        if not tunnel_driver:
+            return False
+        tunnel_ranges = tunnel_driver.obj.get_network_segment_ranges()
+        if not tunnel_ranges:
+            return False
         segmentation_id = int(provider_net['segmentation_id'])
-        for entry in tunnel_ranges:
-            entry = entry.strip()
-            tun_min, tun_max = entry.split(':')
-            tun_min = tun_min.strip()
-            tun_max = tun_max.strip()
-            return int(tun_min) <= segmentation_id <= int(tun_max)
+        return any(tun_min <= segmentation_id <= tun_max
+                   for tun_min, tun_max in tunnel_ranges)
 
     def _is_vlan_project_network(self, provider_net):
         if not self.vlan_driver:

neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

@@ -1032,15 +1032,23 @@ def test_update_port_filter_port_security_disabled(self):
         self.assertTrue(self.mock_bridge.br.delete_flows.called)
         self.delete_invalid_conntrack_entries_mock.assert_not_called()
 
-    def test_update_port_filter_applies_added_flows(self):
-        """Check flows are applied right after _set_flows is called."""
+    def test_update_port_filter_applies_added_flows_and_clean_conntrack(self):
+        """Check flows are applied right after _set_flows is called.
+
+        Additionally this test checks also if conntrack entries marked as
+        CT_MARK_INVALID are cleaned once after new flows are set.
+        """
+
         port_dict = {'device': 'port-id',
                      'security_groups': [1]}
         self._prepare_security_group()
         self.firewall.prepare_port_filter(port_dict)
+        self.delete_invalid_conntrack_entries_mock.reset_mock()
         with self.firewall.defer_apply():
             self.firewall.update_port_filter(port_dict)
+            self.delete_invalid_conntrack_entries_mock.assert_not_called()
         self.mock_bridge.apply_flows.assert_called_once()
+        self._assert_invalid_conntrack_entries_deleted(port_dict)
 
     def test_update_port_filter_clean_when_port_not_found(self):
         """Check flows are cleaned if port is not found in the bridge."""

neutron/tests/unit/agent/ovn/metadata/test_agent.py

@@ -483,6 +483,36 @@ def test__get_provision_params_returns_provision_parameters_ipv6(self):
         self._test__get_provision_params_returns_provision_parameters(
             'fe80::f816:3eff:feb6:c0c0')
 
+    def test__get_provision_params_skips_port_with_unknown_mac(self):
+        """Should skip ports with mac=['unknown'] and return valid ports."""
+        network_id = '1'
+        datapath = DatapathInfo(uuid='test123',
+                                external_ids={'name': f'neutron-{network_id}'})
+        valid_port = makePort(datapath,
+                              mac=['fa:16:3e:e7:ac:ab 1.2.3.4'])
+        unknown_mac_port = mock.Mock()
+        unknown_mac_port.type = ''
+        unknown_mac_port.mac = [ovn_const.UNKNOWN_ADDR]
+        unknown_mac_port.datapath = datapath
+        unknown_mac_port.uuid = 'fake-uuid'
+        metadadata_port = makePort(
+            datapath,
+            mac=['fa:16:3e:22:65:18 10.204.0.1'],
+            external_ids={'neutron:cidrs': '10.204.0.10/29'},
+            logical_port='3b66c176-199b-48ec-8331-c1fd3f6e2b44')
+
+        with mock.patch.object(self.agent.sb_idl, 'get_metadata_port',
+                               return_value=metadadata_port),\
+            mock.patch.object(self.agent.sb_idl, 'get_ports_on_chassis',
+                              return_value=[valid_port, unknown_mac_port]):
+            actual_params = self.agent._get_provision_params(datapath)
+
+        net_name, datapath_port_ips, any_ip6, metadata_port_info = (
+            actual_params)
+        self.assertEqual(network_id, net_name)
+        self.assertListEqual(['1.2.3.4'], datapath_port_ips)
+        self.assertFalse(any_ip6)
+
     def test__get_port_ip4_ips_and_ip6_flag_empty_mac(self):
         """Should return empty IPs for ports with empty MAC column."""
         port = mock.Mock()
@@ -492,6 +522,15 @@ def test__get_port_ip4_ips_and_ip6_flag_empty_mac(self):
         self.assertEqual([], ip4_ips)
         self.assertFalse(any_ip6)
 
+    def test__get_port_ip4_ips_and_ip6_flag_unknown_mac(self):
+        """Should return empty IPs for ports with mac=['unknown']."""
+        port = mock.Mock()
+        port.mac = [ovn_const.UNKNOWN_ADDR]
+        port.uuid = 'fake-uuid'
+        ip4_ips, any_ip6 = self.agent._get_port_ip4_ips_and_ip6_flag(port)
+        self.assertEqual([], ip4_ips)
+        self.assertFalse(any_ip6)
+
     def _test_provision_datapath(self, ipv6_enabled):
         """Test datapath provisioning.
 

neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py

@@ -864,6 +864,86 @@ def test__is_vlan_project_network_no_vlan_driver(self):
         }
         self.assertFalse(self.driver._is_vlan_project_network(provider_net))
 
+    def _mock_tunnel_driver(self, network_type, ranges):
+        mock_tunnel_driver = mock.Mock()
+        mock_tunnel_driver.obj.get_network_segment_ranges.return_value = ranges
+        return mock.patch.object(
+            self.driver, 'get_tunnel_driver',
+            return_value=mock_tunnel_driver)
+
+    def test__is_tunnel_project_network_with_multiple_ranges(self):
+        with self._mock_tunnel_driver(
+                constants.TYPE_VXLAN, [(100, 200), (300, 400)]):
+            provider_net_in_range = {
+                'network_type': constants.TYPE_VXLAN,
+                'segmentation_id': 150,
+            }
+            self.assertTrue(
+                self.driver._is_tunnel_project_network(provider_net_in_range))
+
+            provider_net_between_ranges = {
+                'network_type': constants.TYPE_VXLAN,
+                'segmentation_id': 250,
+            }
+            self.assertFalse(self.driver._is_tunnel_project_network(
+                provider_net_between_ranges))
+
+            provider_net_second_range = {
+                'network_type': constants.TYPE_VXLAN,
+                'segmentation_id': 350,
+            }
+            self.assertTrue(self.driver._is_tunnel_project_network(
+                provider_net_second_range))
+
+    def test__is_tunnel_project_network_boundary_values(self):
+        with self._mock_tunnel_driver(constants.TYPE_GENEVE, [(100, 200)]):
+            provider_net_min = {
+                'network_type': constants.TYPE_GENEVE,
+                'segmentation_id': 100,
+            }
+            self.assertTrue(
+                self.driver._is_tunnel_project_network(provider_net_min))
+
+            provider_net_max = {
+                'network_type': constants.TYPE_GENEVE,
+                'segmentation_id': 200,
+            }
+            self.assertTrue(
+                self.driver._is_tunnel_project_network(provider_net_max))
+
+            provider_net_below = {
+                'network_type': constants.TYPE_GENEVE,
+                'segmentation_id': 99,
+            }
+            self.assertFalse(
+                self.driver._is_tunnel_project_network(provider_net_below))
+
+            provider_net_above = {
+                'network_type': constants.TYPE_GENEVE,
+                'segmentation_id': 201,
+            }
+            self.assertFalse(
+                self.driver._is_tunnel_project_network(provider_net_above))
+
+    def test__is_tunnel_project_network_empty_ranges(self):
+        with self._mock_tunnel_driver(constants.TYPE_GRE, []):
+            provider_net = {
+                'network_type': constants.TYPE_GRE,
+                'segmentation_id': 100,
+            }
+            self.assertFalse(
+                self.driver._is_tunnel_project_network(provider_net))
+
+    def test__is_tunnel_project_network_no_tunnel_driver(self):
+        with mock.patch.object(
+                self.driver, 'get_tunnel_driver', return_value=None):
+            provider_net = {
+                'network_type': constants.TYPE_VXLAN,
+                'segmentation_id': 100,
+            }
+            self.assertFalse(
+                self.driver._is_tunnel_project_network(provider_net))
+
 
 class TestDesignateClientKeystoneV3(testtools.TestCase):
     """Test case for designate clients """