neutron

OVS conntrack firewall doesn't work with OVS 2.6.0

Bug #1635283 reported by Rodolfo Alonso on 2016-10-20

This bug report is a duplicate of: Bug #1634757: OVS firewall doesn't work with recent ovs. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Medium	Rodolfo Alonso

Bug Description

OVS introduced a check for inconsistent CT actions in the following bug: https://github.com/openvswitch/ovs/commit/d86e03c57e295811533ed873602a3f2eadc85548

If a flow doesn't meet the requirements for a CT action, the flow will be discarded. CT firewall musst specify the L3/L4 protocol (ip, ipv6, tcp, udp, scp) as long as a CT action is used. For example:
Flow1="hard_timeout=0,idle_timeout=0,priority=90,ct_state=+new-est,reg5=6,cookie=13600354711851837061,table=73,actions=ct(commit,zone=NXM_NX_REG6[0..15]),normal"
should be:
Flow1="hard_timeout=0,idle_timeout=0,priority=90, ip ,ct_state=+new-est,reg5=6,cookie=13600354711851837061,table=73,actions=ct(commit,zone=NXM_NX_REG6[0..15]),normal"

When the flows are added by the agent, an error appears:
...
hard_timeout=0,idle_timeout=0,priority=40,ct_state=+est,reg5=6,cookie=13600354711851837061,table=72,actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(set_field:0x1->ct_mark))
hard_timeout=0,idle_timeout=0,priority=70,dl_type=0x0800,ct_state=+est-rel-rpl,reg5=6,nw_proto=17,cookie=13600354711851837061,table=82,udp_dst=0x1388,dl_dst=fa:16:3e:d3:28:85,actions=strip_vlan,output:6
hard_timeout=0,idle_timeout=0,priority=70,dl_type=0x0800,ct_state=+new-est,reg5=6,nw_proto=17,cookie=13600354711851837061,table=82,udp_dst=0x1388,dl_dst=fa:16:3e:d3:28:85,actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:6; Stdout: ; Stderr: ovs-ofctl: -:17: actions are invalid with specified match (OFPBAC_MATCH_INCONSISTENT)