Comment 0 for bug 1832021

Revision history for this message
David Ames (thedac) wrote : Checksum drop of metadata traffic on isolated provider networks

When an isolated network using provider networks for tenants (meaning without virtual routers: DVR or network node), metadata access occurs in the qdhcp ip netns rather than the qrouter netns.

The following options are set in the dhcp_agent.ini file:
force_metadata = True
enable_isolated_metadata = True

VMs on the provider tenant network are unable to access metadata as packets are dropped due to checksum.

When we added the following in the qdhcp netns, VMs regained access to metadata:

 iptables -t mangle -A OUTPUT -o ns-+ -p tcp --sport 80 -j CHECKSUM --checksum-fill

It seems this setting was recently removed from the qrouter netns [0] but it never existed in the qdhcp to begin with.

[0] https://review.opendev.org/#/c/654645/

Related LP Bug #1831935
See https://bugs.launchpad.net/charm-neutron-openvswitch/+bug/1831935/comments/10