br-tun gets a wrong arp drop rule when dvr is connected to a network but not used as gateway

Bug #1831575 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Slawek Kaplonski

Bug Description

Bug reported originally by Takashi Kajinami: https://bugzilla.redhat.com/show_bug.cgi?id=1714422

-----------

Description of problem:

When we have dvr connected to a network, br-tun gets a filter rule in the ovs flows
to drop arp packets going to the router gateway.

cookie=0x..., duration=...s, table=1, n_packets=..., n_bytes=..., idle_age=..., priority=3,arp,dl_vlan=...,arp_tpa=<gateway ip> actions=drop

However, the target ip of that filter is not decided based on the real interface ip in dvr,
but based on the gateway ip specified for the network.

When you have one non-dvr and dvr in the same network, using non-dvr as the gateway
of the network, this causes an issue with connectivity via non-dvr, as the said ovs flow
blocks arp packets to the gateway ip.
For example, in the following case, we should have a filter about arp for 192.168.0.10
on br-tun, but in fact we have the one for 192.168.0.1.

 non-dvr - [192.168.0.1] - network(with gateway 192.168.0.1) - [192.168.0.10] - dvr

Version-Release number of selected component (if applicable):
RHOSP13z4 - I checked on u/s master branch and it is the same

How reproducible:
Always

Steps to Reproduce:
1. Create a network and subnet
2. Create a virtual router with distributed=False and connect it to the subnet as gateway
3. Create a virtual router with distributed=True and connect it to the subnet
4. Launch an instance connected to the instance, and try ping to gateway on non-dvr

Actual results:

All ping packets are lost

Expected results:

Ping succeeds without any error

Additional info:

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/662999

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/663000

Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

Looks like it is possible.

tags: added: ocata-backport-potential pike-backport-potential queens-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/662999
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ae3aa28f5a4749b4e4cb3f0ae0d009c0734db405
Submitter: Zuul
Branch: master

commit ae3aa28f5a4749b4e4cb3f0ae0d009c0734db405
Author: Slawek Kaplonski <email address hidden>
Date: Tue Jun 4 12:14:37 2019 +0200

    [DVR] Block ARP to dvr router's port instead of subnet's gateway

    It may happen that subnet is connected to dvr router using IP address
    different than subnet's gateway_ip.
    So in br-tun arp to dvr router's port should be dropped instead of
    dropping arp to subnet's gateway_ip (or mac in case of IPv6).

    Change-Id: Ida6b7ae53f3fc76f54e389c5f7131b5a66f533ce
    Closes-bug: #1831575
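A check for the condition this report describes, added here as an example (not code from neutron or from the reporter): it parses `ovs-ofctl dump-flows br-tun` output and flags table=1 ARP drop rules whose `arp_tpa` is not the IP of a DVR router port on that VLAN. The sample flow lines, VLAN tags and the `DVR_PORT_IPS` inventory are constructed, and the parser assumes `arp_tpa` is a single address without a mask.

```python
import ipaddress
import re

# Constructed `ovs-ofctl dump-flows br-tun` excerpt; all values are illustrative.
SAMPLE_FLOWS = """\
 cookie=0x1, duration=9.1s, table=1, n_packets=4, n_bytes=168, idle_age=2, priority=3,arp,dl_vlan=5,arp_tpa=192.168.0.1 actions=drop
 cookie=0x1, duration=9.1s, table=1, n_packets=0, n_bytes=0, idle_age=9, priority=3,arp,dl_vlan=7,arp_tpa=10.0.0.1 actions=drop
 cookie=0x1, duration=9.1s, table=1, n_packets=9, n_bytes=800, idle_age=1, priority=0 actions=resubmit(,2)
"""

# Assumed operator-supplied inventory: local VLAN tag -> IPs of DVR router ports.
DVR_PORT_IPS = {5: {"192.168.0.10"}, 7: {"10.0.0.1"}}


def parse_arp_drop_rules(dump):
    """Return [(vlan, target_ip)] for table=1 flows that drop ARP to one IP."""
    rules = []
    for line in dump.splitlines():
        match_part, sep, actions = line.strip().rpartition(" actions=")
        if not sep or actions.strip() != "drop":
            continue
        fields = {}
        for token in re.split(r",\s*", match_part):
            key, _, value = token.partition("=")
            fields[key] = value
        if fields.get("table") != "1" or "arp" not in fields:
            continue
        if "dl_vlan" not in fields or "arp_tpa" not in fields:
            continue
        rules.append((int(fields["dl_vlan"]),
                      ipaddress.ip_address(fields["arp_tpa"])))
    return rules


def find_misplaced_drops(dump, dvr_port_ips):
    """Flag ARP drop rules whose target is not a DVR router port on that VLAN."""
    findings = []
    for vlan, target in parse_arp_drop_rules(dump):
        owned = {ipaddress.ip_address(ip) for ip in dvr_port_ips.get(vlan, ())}
        if target not in owned:
            findings.append((vlan, str(target)))
    return findings


if __name__ == "__main__":
    for vlan, ip in find_misplaced_drops(SAMPLE_FLOWS, DVR_PORT_IPS):
        print(f"vlan {vlan}: br-tun drops ARP to {ip}, not a DVR port IP")
```

On the constructed sample, VLAN 5 reproduces the reported case (drop rule for the subnet gateway 192.168.0.1 while the DVR port is 192.168.0.10); VLAN 7, where the DVR port is the gateway, is not flagged.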

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/663155

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/663159

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/663160

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.opendev.org/663161

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.opendev.org/663162

Changed in neutron:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/663000
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=d2a6accd066492ed7f6df30397a59b5845e398a2
Submitter: Zuul
Branch: master

commit d2a6accd066492ed7f6df30397a59b5845e398a2
Author: Slawek Kaplonski <email address hidden>
Date: Tue Jun 4 12:22:24 2019 +0200

    Scenario test case to check connectivity when dvr and non-dvr routers used

    Subnet is connected to dvr and non-dvr routers at the same time, test
    ensures that connectivity from VM to both routers works properly.

    Depends-On: https://review.opendev.org/662999

    Change-Id: Ib41b58d25955b9a7fa0c06c9257bf0db17f4f8fc
    Related-Bug: #1831575

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/663155
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a7c9cc870eab7ad3272d79a7fa7c224217068211
Submitter: Zuul
Branch: stable/stein

commit a7c9cc870eab7ad3272d79a7fa7c224217068211
Author: Slawek Kaplonski <email address hidden>
Date: Tue Jun 4 12:14:37 2019 +0200

    [DVR] Block ARP to dvr router's port instead of subnet's gateway

    It may happen that subnet is connected to dvr router using IP address
    different than subnet's gateway_ip.
    So in br-tun arp to dvr router's port should be dropped instead of
    dropping arp to subnet's gateway_ip (or mac in case of IPv6).

    Change-Id: Ida6b7ae53f3fc76f54e389c5f7131b5a66f533ce
    Closes-bug: #1831575
    (cherry picked from commit ae3aa28f5a4749b4e4cb3f0ae0d009c0734db405)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/663159
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6af5ea2afcfe295159715edc43735ca8c5e3fe12
Submitter: Zuul
Branch: stable/rocky

commit 6af5ea2afcfe295159715edc43735ca8c5e3fe12
Author: Slawek Kaplonski <email address hidden>
Date: Tue Jun 4 12:14:37 2019 +0200

    [DVR] Block ARP to dvr router's port instead of subnet's gateway

    It may happen that subnet is connected to dvr router using IP address
    different than subnet's gateway_ip.
    So in br-tun arp to dvr router's port should be dropped instead of
    dropping arp to subnet's gateway_ip (or mac in case of IPv6).

    Conflicts:
            neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py

    Change-Id: Ida6b7ae53f3fc76f54e389c5f7131b5a66f533ce
    Closes-bug: #1831575
    (cherry picked from commit ae3aa28f5a4749b4e4cb3f0ae0d009c0734db405)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/663160
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9b3e401533e9e99cdaa741bed8452a7378de0356
Submitter: Zuul
Branch: stable/queens

commit 9b3e401533e9e99cdaa741bed8452a7378de0356
Author: Slawek Kaplonski <email address hidden>
Date: Tue Jun 4 12:14:37 2019 +0200

    [DVR] Block ARP to dvr router's port instead of subnet's gateway

    It may happen that subnet is connected to dvr router using IP address
    different than subnet's gateway_ip.
    So in br-tun arp to dvr router's port should be dropped instead of
    dropping arp to subnet's gateway_ip (or mac in case of IPv6).

    Conflicts:
            neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py

    Change-Id: Ida6b7ae53f3fc76f54e389c5f7131b5a66f533ce
    Closes-bug: #1831575
    (cherry picked from commit ae3aa28f5a4749b4e4cb3f0ae0d009c0734db405)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.opendev.org/663161
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=151c6a030a99dc49b59df803cd4a78f8abe00907
Submitter: Zuul
Branch: stable/pike

commit 151c6a030a99dc49b59df803cd4a78f8abe00907
Author: Slawek Kaplonski <email address hidden>
Date: Tue Jun 4 12:14:37 2019 +0200

    [DVR] Block ARP to dvr router's port instead of subnet's gateway

    It may happen that subnet is connected to dvr router using IP address
    different than subnet's gateway_ip.
    So in br-tun arp to dvr router's port should be dropped instead of
    dropping arp to subnet's gateway_ip (or mac in case of IPv6).

    Conflicts:
            neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py

    Change-Id: Ida6b7ae53f3fc76f54e389c5f7131b5a66f533ce
    Closes-bug: #1831575
    (cherry picked from commit ae3aa28f5a4749b4e4cb3f0ae0d009c0734db405)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.4

This issue was fixed in the openstack/neutron 13.0.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.2

This issue was fixed in the openstack/neutron 14.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.1.0

This issue was fixed in the openstack/neutron 12.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.opendev.org/663162
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3d03cd34281bef8300accc216eb6c73110bd01a7
Submitter: Zuul
Branch: stable/ocata

commit 3d03cd34281bef8300accc216eb6c73110bd01a7
Author: Slawek Kaplonski <email address hidden>
Date: Tue Jun 4 12:14:37 2019 +0200

    [DVR] Block ARP to dvr router's port instead of subnet's gateway

    It may happen that subnet is connected to dvr router using IP address
    different than subnet's gateway_ip.
    So in br-tun arp to dvr router's port should be dropped instead of
    dropping arp to subnet's gateway_ip (or mac in case of IPv6).

    Conflicts:
            neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py

    Change-Id: Ida6b7ae53f3fc76f54e389c5f7131b5a66f533ce
    Closes-bug: #1831575
    (cherry picked from commit ae3aa28f5a4749b4e4cb3f0ae0d009c0734db405)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.0.0b1

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

tags: removed: ocata-backport-potential pike-backport-potential queens-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron ocata-eol

This issue was fixed in the openstack/neutron ocata-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron pike-eol

This issue was fixed in the openstack/neutron pike-eol release.
