It seems we have a case where the openvswitch firewall driver and the use of trunks interfere with each other. I tried using the parent's MAC address for a subport. Like this:
openstack network create net0
openstack network create net1
openstack subnet create --network net0 --subnet-range 10.0.4.0/24 subnet0
openstack subnet create --network net1 --subnet-range 10.0.5.0/24 subnet1
openstack port create --network net0 port0
parent_mac="$( openstack port show port0 | awk '/ mac_address / { print $4 }' )"
openstack port create --network net1 --mac-address "$parent_mac" port1
openstack network trunk create --parent-port port0 --subport port=port1,segmentation-type=vlan,segmentation-id=101 trunk0
openstack server create --flavor cirros256 --image cirros-0.3.4-x86_64-uec --nic port-id=port0 --key-name key0 --wait vm0
Then all packets are lost on the trunk's parent port:
$ openstack server show vm0 | egrep addresses.*net0
| addresses | net0=10.0.4.6 |
$ sudo ip netns exec "qdhcp-$( openstack network show net0 | awk '/ id / { print $4 }' )" ping -c3 10.0.4.6
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
PING 10.0.4.6 (10.0.4.6) 56(84) bytes of data.
--- 10.0.4.6 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms
If I change the firewall_driver to noop and redo the same, I have connectivity.
If I keep the openvswitch firewall_driver but don't explicitly set the subport MAC and instead let neutron assign one automatically, then again I have connectivity.
devstack version: 81d89cf
neutron version: 60010a8
relevant parts of local.conf:
[[local|localrc]]
enable_service neutron-api
enable_service neutron-l3
enable_service neutron-agent
enable_service neutron-dhcp
enable_service neutron-metadata-agent
[[post-config|$NEUTRON_CONF]]
[DEFAULT]
service_plugins = router,trunk
[[post-config|$NEUTRON_PLUGIN_CONF]]
[securitygroup]
firewall_driver = openvswitch
Trying to find the openflow rule dropping the test traffic generated by ping:
$ openstack port show port0 | grep -w id # the parent port
| id | a8560361-7af7-4503-b478-4e9b95db2628 |

$ sudo ovs-ofctl show br-int
...
60(tpi-a8560361-7a): addr:82:46:63:ff:1a:c6
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
...

$ sudo ip netns exec "qdhcp-$( openstack network show net0 | awk '/ id / { print $4 }' )" ping 10.0.4.6

# concurrent with the ping
$ sudo ovs-ofctl dump-flows br-int | grep -v n_packets=0 | grep actions=drop | column -t
...
cookie=0xa462c2e0451a9866, duration=8266.222s, table=71, n_packets=2, n_bytes=723, idle_age=8259, priority=70,udp,reg5=0x3c,in_port=60,tp_src=67,tp_dst=68 actions=drop
cookie=0xa462c2e0451a9866, duration=8266.222s, table=71, n_packets=318, n_bytes=28972, idle_age=64, priority=10,ct_state=-trk,reg5=0x3c,in_port=60 actions=drop
cookie=0xa462c2e0451a9866, duration=8266.201s, table=72, n_packets=4, n_bytes=300, idle_age=8249, priority=50,ct_state=+inv+trk actions=drop

Then the only rule with an increasing packet count (n_packets) is this one:
priority=10,ct_state=-trk,reg5=0x3c,in_port=60 actions=drop
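An added helper, not part of the bug report, that automates the "which drop rule is counting up" check done by hand above: it keys each drop flow in a "sudo ovs-ofctl dump-flows br-int" dump by table and match and reports the ones whose n_packets grew between a snapshot taken before the ping and one taken during it. The two snapshots are constructed from the flows shown above with invented counter values.

```shell
#!/bin/sh
# Added example (not from the bug report): compare two dump-flows snapshots
# and list the drop rules whose n_packets counter increased.

# Constructed snapshots modelled on the flows in the report; counters are invented.
BEFORE=' cookie=0xa462c2e0451a9866, duration=8200.000s, table=71, n_packets=2, n_bytes=723, idle_age=8193, priority=70,udp,reg5=0x3c,in_port=60,tp_src=67,tp_dst=68 actions=drop
 cookie=0xa462c2e0451a9866, duration=8200.000s, table=71, n_packets=315, n_bytes=28678, idle_age=3, priority=10,ct_state=-trk,reg5=0x3c,in_port=60 actions=drop
 cookie=0xa462c2e0451a9866, duration=8199.979s, table=72, n_packets=4, n_bytes=300, idle_age=8183, priority=50,ct_state=+inv+trk actions=drop
 cookie=0xa462c2e0451a9866, duration=8200.000s, table=71, n_packets=40, n_bytes=3920, idle_age=1, priority=90,ct_state=+trk,reg5=0x3c,in_port=60 actions=resubmit(,72)'
AFTER=' cookie=0xa462c2e0451a9866, duration=8266.222s, table=71, n_packets=2, n_bytes=723, idle_age=8259, priority=70,udp,reg5=0x3c,in_port=60,tp_src=67,tp_dst=68 actions=drop
 cookie=0xa462c2e0451a9866, duration=8266.222s, table=71, n_packets=318, n_bytes=28972, idle_age=64, priority=10,ct_state=-trk,reg5=0x3c,in_port=60 actions=drop
 cookie=0xa462c2e0451a9866, duration=8266.201s, table=72, n_packets=4, n_bytes=300, idle_age=8249, priority=50,ct_state=+inv+trk actions=drop
 cookie=0xa462c2e0451a9866, duration=8266.222s, table=71, n_packets=46, n_bytes=4508, idle_age=0, priority=90,ct_state=+trk,reg5=0x3c,in_port=60 actions=resubmit(,72)'

# growing_drops BEFORE AFTER
# Each flow is keyed by its table plus its match part (from "priority=" up to
# " actions="), so duration, idle_age and the counters themselves never affect
# the comparison. Only flows whose action is "drop" are considered.
growing_drops() {
  printf '%s\n---\n%s\n' "$1" "$2" | awk '
    $0 == "---" { after = 1; next }
    /actions=drop/ {
      match($0, /table=[0-9]+/);         tbl = substr($0, RSTART, RLENGTH)
      match($0, /n_packets=[0-9]+/);     n   = substr($0, RSTART + 10, RLENGTH - 10) + 0
      match($0, /priority=.* actions=/); key = tbl ", " substr($0, RSTART, RLENGTH - 9)
      if (!after) { before[key] = n }
      else if ((key in before) && n > before[key]) print key " (+" (n - before[key]) ")"
    }'
}

# Prints: table=71, priority=10,ct_state=-trk,reg5=0x3c,in_port=60 (+3)
growing_drops "$BEFORE" "$AFTER"
```

On a live host, capture the two snapshots with "sudo ovs-ofctl dump-flows br-int" before and during the ping and pass them in the same way; the resubmit rule, whose counter also grows, is deliberately not reported because it is not a drop.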