Packet loss upon reassembly using the default hybrid firewall driver

When using OVS with neutron via this charm the firewalling driver in use by default is OVSHybridIptablesFirewallDriver. When over-MTU UDP data is sent between two instances via an overlay network such as GRE, this driver causes reassembled over-MTU traffic to be dropped.

This is reproducible by creating two instances attached to the same OVS overlay network, and attempting to send UDP traffic at a higher MTU than the configured instance MTU. In our testing, the OVS data plane was configured for 9000 MTU with an instance MTU of 1500, and test UDP packet size of 1800 bytes. The OpenStack version under test is Queens on Ubuntu Xenial.

Switching manually to the NoopFirewallDriver works around this problem.

In packet-loss sensitive (high performance, low latency applications) it may be desirable to use the Noop driver, so providing an option to change the firewall driver may generally be desirable.

Additionally, this packet loss should be investigated and understood as it represents a potential upstream bug with either OVS or the OVS ml2 driver when using the hybrid driver.