openvswitch firewall driver is dropping packets when router migrated from DVR to HA

Bug #1721084 reported by venkata anil
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Medium | Jakub Libosvar |

Bug Description

Openvswitch firewall driver is dropping packets when router is migrated from DVR to HA.

I see the packet is dropped at table 72

cookie=0x6b90d3f7582969b5, duration=62.044s, table=72, n_packets=7, n_bytes=518, idle_age=1, priority=50,ct_state=+inv+trk actions=drop

complete br-int flows are - http://paste.openstack.org/show/622528/
output of "ovs-ofctl show br-int" http://paste.openstack.org/show/622530/

But with iptables firewall driver this works fine.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/509228

Changed in neutron:
assignee: nobody → Jakub Libosvar (libosvar)
status: New → In Progress
Miguel Lavalle (minsel)
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/509228
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0456515a7a06ee96c2929c684a82737a1067ce72
Submitter: Jenkins
Branch: master

commit 0456515a7a06ee96c2929c684a82737a1067ce72
Author: Jakub Libosvar <email address hidden>
Date: Tue Oct 3 16:58:32 2017 +0000

    br_int: Make removal of DVR flows more strict

    As ingress traffic to instance ports when using DVR uses same matching
    openflow rule as openvswitch firewall driver, it happens that setting
    admin_state_up of router deletes firewall rules.

    This patch makes the deletion more strict because DVR and ovs-firewall
    flows differ in priority. Thus using priority when removing DVR flows
    won't affect ovs-firewall flows.

    Closes-bug: #1721084

    Change-Id: I4eb61b2824579a4f8ba219cd1b1dcf57d38ebc89

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/509877

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b1

This issue was fixed in the openstack/neutron 12.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/509877
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cd4af34b13b7f87c0f9a201556a36264b6d52714
Submitter: Zuul
Branch: stable/pike

commit cd4af34b13b7f87c0f9a201556a36264b6d52714
Author: Jakub Libosvar <email address hidden>
Date: Tue Oct 3 16:58:32 2017 +0000

    br_int: Make removal of DVR flows more strict

    As ingress traffic to instance ports when using DVR uses same matching
    openflow rule as openvswitch firewall driver, it happens that setting
    admin_state_up of router deletes firewall rules.

    This patch makes the deletion more strict because DVR and ovs-firewall
    flows differ in priority. Thus using priority when removing DVR flows
    won't affect ovs-firewall flows.

    Closes-bug: #1721084

    Change-Id: I4eb61b2824579a4f8ba219cd1b1dcf57d38ebc89
    (cherry picked from commit 0456515a7a06ee96c2929c684a82737a1067ce72)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.2

This issue was fixed in the openstack/neutron 11.0.2 release.
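
The commit message above relies on the difference between non-strict and strict OpenFlow flow deletion. The following is an added example, not neutron code and not part of the original report: a small model of a flow table showing why a non-strict delete of a DVR flow also removes a firewall flow with the same match, while a strict delete that includes the priority does not. The table number, priorities, MAC address, VLAN and the owner labels are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    table: int
    priority: int
    match: frozenset  # (field, value) pairs
    owner: str        # demo label only, not an OpenFlow field


def make_flow(table, priority, owner, **match):
    return Flow(table, priority, frozenset(match.items()), owner)


def delete_flows(flows, table, strict=False, priority=None, **match):
    """Return the flows left after an OpenFlow-style delete.

    Non-strict: removes every flow in the table whose match contains all
    fields of the request; priority is not compared.
    Strict: removes only the flow whose match and priority are identical.
    """
    spec = frozenset(match.items())
    if strict and priority is None:
        raise ValueError("strict delete needs a priority")

    def doomed(f):
        if f.table != table:
            return False
        if strict:
            return f.match == spec and f.priority == priority
        return spec <= f.match

    return [f for f in flows if not doomed(f)]


# Constructed table: values are illustrative, not taken from the bug report.
MAC, VLAN = "fa:16:3e:00:00:01", 1
SAMPLE = [
    make_flow(60, 4, "dvr", dl_vlan=VLAN, dl_dst=MAC),
    make_flow(60, 90, "ovs-firewall", dl_vlan=VLAN, dl_dst=MAC),
    make_flow(60, 3, "other", dl_vlan=2),
]


def owners_after_dvr_cleanup(strict):
    left = delete_flows(SAMPLE, 60, strict=strict, priority=4 if strict else None,
                        dl_vlan=VLAN, dl_dst=MAC)
    return [f.owner for f in left]
```

Calling `owners_after_dvr_cleanup(False)` leaves only the unrelated flow, which is the state in which instance traffic loses its firewall rules; `owners_after_dvr_cleanup(True)` keeps the firewall flow.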
