Public bug reported:

ENV: stable/queens & master

This is a long story from a long time ago [1] [2] [3]. But we recently met such an issue: when a dvr router is connected to two different vlan networks, the east-west traffic is not reachable.

    # ovs-ofctl show br-int
     1(int-br-ex): addr:22:32:17:d4:08:6a
     2(int-br-vlan): addr:76:ed:47:bf:21:ec
     3(patch-tun): addr:9a:56:bf:23:ac:37
     ...
     ...
     255(tap321a4669-c2): addr:fe:16:3e:93:31:67
     LOCAL(br-int): addr:7a:ae:b6:87:7b:4d

    # ovs-ofctl dump-flows br-int

    # this will be applied always, since it has higher priority, fa:16:3f:93:05:7d is the dvr host mac from request VM's hypervisor
    cookie=0xb27e128dd9a83dfc, duration=6408639.091s, table=0, n_packets=22187, n_bytes=30725358, idle_age=860, hard_age=65534, priority=4,in_port=2,dl_src=fa:16:3f:93:05:7d actions=resubmit(,2)

    # this will not get matched
    cookie=0xb27e128dd9a83dfc, duration=116506.106s, table=0, n_packets=60698, n_bytes=80563747, idle_age=825, hard_age=65534, priority=3,in_port=2,dl_vlan=587 actions=mod_vlan_vid:45,resubmit(,60)

    cookie=0xb27e128dd9a83dfc, duration=167233.168s, table=2, n_packets=22177, n_bytes=30724518, idle_age=51621, hard_age=65534, priority=4,dl_vlan=587,dl_dst=fa:16:3e:93:31:67 actions=mod_dl_src:fa:16:3e:ca:bf:28,resubmit(,60)

    cookie=0xb27e128dd9a83dfc, duration=167719.120s, table=60, n_packets=22257, n_bytes=30732678, idle_age=4, hard_age=65534, priority=4,dl_vlan=587,dl_dst=fa:16:3e:93:31:67 actions=strip_vlan,output:255

Since the request packet never goes into the conntrack table, the reply packets will be dropped.

[1] https://specs.openstack.org/openstack/neutron-specs/specs/kilo/neutron-ovs-dvr-vlan.html
[2] https://blueprints.launchpad.net/neutron/+spec/neutron-ovs-dvr-vlan
[3] https://review.opendev.org/#/q/topic:bp/neutron-ovs-dvr-vlan

** Affects: neutron
     Importance: High
         Status: Confirmed

** Changed in: neutron
   Importance: Undecided => Critical

** Changed in: neutron
   Importance: Critical => High

** Changed in: neutron
       Status: New => Confirmed

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1831534

Title:
  [l3][dvr] with openflow security group east-west traffic between different vlan networks is broken

Status in neutron:
  Confirmed
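
Added example, not from the reporter or the neutron code base: a small Python trace over the four flows quoted above, showing that the request resolves through tables 0, 2 and 60 to output:255 without meeting any ct() action. The matching model is an assumption (exact-match fields only, and only the actions that appear in the dump), and REQUEST is a constructed packet.

```python
import re

# Flows quoted in the report (counters trimmed); REQUEST is a constructed packet.
DUMP = """\
cookie=0xb27e128dd9a83dfc, table=0, n_packets=22187, priority=4,in_port=2,dl_src=fa:16:3f:93:05:7d actions=resubmit(,2)
cookie=0xb27e128dd9a83dfc, table=0, n_packets=60698, priority=3,in_port=2,dl_vlan=587 actions=mod_vlan_vid:45,resubmit(,60)
cookie=0xb27e128dd9a83dfc, table=2, n_packets=22177, priority=4,dl_vlan=587,dl_dst=fa:16:3e:93:31:67 actions=mod_dl_src:fa:16:3e:ca:bf:28,resubmit(,60)
cookie=0xb27e128dd9a83dfc, table=60, n_packets=22257, priority=4,dl_vlan=587,dl_dst=fa:16:3e:93:31:67 actions=strip_vlan,output:255
"""
STATS = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}
REWRITE = {"mod_vlan_vid": "dl_vlan", "mod_dl_src": "dl_src", "strip_vlan": "dl_vlan"}
REQUEST = {"in_port": "2", "dl_src": "fa:16:3f:93:05:7d",
           "dl_vlan": "587", "dl_dst": "fa:16:3e:93:31:67"}

def parse_flows(text):
    """Parse `ovs-ofctl dump-flows` lines into table/priority/match/actions."""
    flows = []
    for line in text.strip().splitlines():
        head, actions = line.strip().split(" actions=", 1)
        f = dict(kv.partition("=")[::2] for kv in re.split(r",\s*", head))
        flows.append({"table": int(f.pop("table", 0)), "priority": int(f.pop("priority", 32768)),
                      "match": {k: v for k, v in f.items() if k not in STATS},
                      "actions": re.split(r",(?![^(]*\))", actions)})  # commas outside ()
    return flows

def trace(flows, pkt, table=0):
    """Return (path of (table, priority), conntrack_seen, output_port or None)."""
    path, ct = [], False
    for _ in range(64):                       # guard against resubmit loops
        hits = [f for f in flows if f["table"] == table
                and all(pkt.get(k) == v for k, v in f["match"].items())]
        if not hits:
            break                             # table miss in this partial dump
        flow = max(hits, key=lambda f: f["priority"])
        path.append((table, flow["priority"]))
        nxt = None
        for act in flow["actions"]:
            name, _sep, arg = act.partition(":")
            if act.startswith("ct("):
                ct = True
            elif name in REWRITE:
                pkt = {**pkt, REWRITE[name]: arg}   # strip_vlan leaves dl_vlan ""
            elif name == "output":
                return path, ct, arg
            elif m := re.fullmatch(r"resubmit\(,(\d+)\)", act):
                nxt = int(m.group(1))
        if nxt is None:
            break
        table = nxt
    return path, ct, None
```

On a live bridge, `ovs-appctl ofproto/trace` against br-int gives the authoritative version of the same walk.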

