Successfully found a better workaround to take advantage of delete_accepted_egress_direct_flow in _unbind_distributed_router_interface_port [1].

# eg: mac of the old snat-xxx port is fa:16:3e:7a:11:7d
neutron router-interface-delete provider-router $(openstack subnet show private_subnet -cid -fvalue)
# eg: mac of the new snat-xxx port is fa:16:3e:e6:f9:b2
neutron router-interface-add provider-router $(openstack subnet show private_subnet -cid -fvalue)
openstack port list --device-owner network:router_centralized_snat

The code path is:

process_deleted_ports -> port_unbound -> unbind_port_from_dvr -> _unbind_centralized_snat_port_on_dvr_subnet -> delete_accepted_egress_direct_flow

The egress direct flow for the old snat-xxx port won't disappear

# ovs-ofctl dump-flows br-int |grep fa:16:3e:7a:11:7d |grep -E 'priority=12|priority=10'
 cookie=0x59874eed7c9fa42a, duration=76882.302s, table=94, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=12,reg6=0x1,dl_dst=fa:16:3e:7a:11:7d actions=output:16
 cookie=0x59874eed7c9fa42a, duration=76882.302s, table=94, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=10,reg6=0x1,dl_src=fa:16:3e:7a:11:7d,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=mod_vlan_vid:1,output:2

but the egress direct flow won't be produced either

# ovs-ofctl dump-flows br-int |grep 'fa:16:3e:e6:f9:b2' |grep -E 'priority=12|priority=10'

So north-south traffic will resume working again.

# ip netns exec snat-10140acd-28e6-4110-ae67-76115b72b37c ping -c1 192.168.21.114
PING 192.168.21.114 (192.168.21.114) 56(84) bytes of data.
64 bytes from 192.168.21.114: icmp_seq=1 ttl=64 time=1.86 ms

[1] https://review.opendev.org/c/openstack/neutron/+/704506/1/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_dvr_neutron_agent.py#678

** Changed in: neutron
       Status: Triaged => Invalid

https://bugs.launchpad.net/bugs/1948656

Title:
  toggling explicitly_egress_direct from true to false does not clean the openflow flows on the integration bridge

Status in neutron:
  Invalid

Bug description:
  As the comment [1] says, the following flows are not cleaned up after explicitly_egress_direct is toggled from true to false

  # ovs-ofctl dump-flows br-int |grep fa:16:3e:7a:11:7d |grep -E 'priority=12|priority=10'
   cookie=0x59874eed7c9fa42a, duration=1372.227s, table=94, n_packets=0, n_bytes=0, idle_age=2148, priority=12,reg6=0x1,dl_dst=fa:16:3e:7a:11:7d actions=output:16
   cookie=0x59874eed7c9fa42a, duration=1372.227s, table=94, n_packets=0, n_bytes=0, idle_age=2148, priority=10,reg6=0x1,dl_src=fa:16:3e:7a:11:7d,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=mod_vlan_vid:1,output:2

  There seems to be no way to trigger delete_accepted_egress_direct_flow [2] for the above snat-xxx port (fa:16:3e:7a:11:7d).

  [1] https://bugs.launchpad.net/neutron/+bug/1945306/comments/9
  [2] https://review.opendev.org/c/openstack/neutron/+/704506/1/neutron/agent/linux/openvswitch_firewall/firewall.py#1140
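
Added example, not part of the bug report or of neutron's code: a Python check that generalizes the grep above from one known MAC to every table 94, priority 10/12 flow in an `ovs-ofctl dump-flows br-int` dump, reporting those whose port MAC is not in a supplied set of current port MACs. The function names, the sample dump (two flows copied from the report, two constructed) and the rule for picking the port MAC (dl_src if present, otherwise dl_dst) are assumptions based on the flows shown here.

```python
import re

# Table and priorities of the egress-direct flows shown in the dumps above.
EGRESS_TABLE = 94
EGRESS_PRIORITIES = {10, 12}
_FIELD = re.compile(r"(?:^|[ ,])(table|priority|dl_src|dl_dst)=([^ ,]+)")

# First two flows are copied from the report; the last two are constructed.
SAMPLE_DUMP = """
 cookie=0x59874eed7c9fa42a, duration=1372.227s, table=94, n_packets=0, n_bytes=0, idle_age=2148, priority=12,reg6=0x1,dl_dst=fa:16:3e:7a:11:7d actions=output:16
 cookie=0x59874eed7c9fa42a, duration=1372.227s, table=94, n_packets=0, n_bytes=0, idle_age=2148, priority=10,reg6=0x1,dl_src=fa:16:3e:7a:11:7d,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=mod_vlan_vid:1,output:2
 cookie=0x1, duration=1.0s, table=94, n_packets=0, n_bytes=0, priority=12,reg6=0x1,dl_dst=fa:16:3e:00:00:01 actions=output:20
 cookie=0x1, duration=1.0s, table=60, n_packets=0, n_bytes=0, priority=3 actions=NORMAL
"""
# MACs the operator currently expects, e.g. collected from `openstack port list`.
ACTIVE_MACS = {"fa:16:3e:e6:f9:b2", "fa:16:3e:00:00:01"}


def parse_flow(line):
    """Return the table/priority/dl_src/dl_dst match fields of one flow line."""
    match_part = line.split(" actions=", 1)[0]
    return dict(_FIELD.findall(match_part))


def stale_egress_flows(dump, active_macs):
    """Return (priority, mac) for egress-direct flows whose port MAC is unknown."""
    active = {m.lower() for m in active_macs}
    stale = []
    for line in dump.splitlines():
        fields = parse_flow(line)
        if fields.get("table") != str(EGRESS_TABLE):
            continue
        prio = fields.get("priority", "")
        if not prio.isdigit() or int(prio) not in EGRESS_PRIORITIES:
            continue
        # Assumption: the port MAC is dl_src when present, otherwise dl_dst.
        mac = fields.get("dl_src") or fields.get("dl_dst")
        if mac and "/" not in mac and mac.lower() not in active:
            stale.append((int(prio), mac.lower()))
    return stale


if __name__ == "__main__":
    for prio, mac in stale_egress_flows(SAMPLE_DUMP, ACTIVE_MACS):
        print(f"stale egress-direct flow: table={EGRESS_TABLE} priority={prio} mac={mac}")
```
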