Connectivity issues due to skb marks on the encapsulating packet

Bug #1839252 reported by Oleg Bondarev
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Oleg Bondarev

Bug Description

Looks like by default OVS tunnels inherit skb marks from tunneled packets. As a result Neutron IPTables marks set in qrouter namespace are inherited by VXLAN encapsulating packets. These marks may conflict with marks used by underlying networking (like Calico) and lead to VXLAN tunneled packets being dropped.

The proposal is to set 'egress_pkt_mark = 0' explicitly for tunnel ports. The option was added in OVS 2.8.0 (https://www.openvswitch.org/releases/NEWS-2.8.0.txt)
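A defender-side audit for the condition described above, added here as an example (it is not Neutron's patch or OVS code): it parses the JSON that `ovs-vsctl --format=json --columns=name,type,options list Interface` prints, lists tunnel ports that have no explicit options:egress_pkt_mark=0, and emits the ovs-vsctl commands that would set it. The set of tunnel types and the sample rows are assumptions; the bug report only discusses VXLAN.

```python
import json
import subprocess

# Tunnel types whose encapsulation inherits the inner skb mark by default
# (assumed set; the bug report only discusses VXLAN).
TUNNEL_TYPES = {"vxlan", "gre", "geneve"}


def parse_interfaces(json_text):
    """Yield one dict per Interface row, 'options' flattened to a dict."""
    doc = json.loads(json_text)
    for row in doc["data"]:
        rec = dict(zip(doc["headings"], row))
        opts = rec.get("options", ["map", []])
        # OVSDB map columns are serialised as ["map", [[key, value], ...]]
        rec["options"] = dict(opts[1]) if opts[0] == "map" else {}
        yield rec


def find_unmarked_tunnels(json_text):
    """Names of tunnel ports with no explicit options:egress_pkt_mark=0."""
    return sorted(rec["name"] for rec in parse_interfaces(json_text)
                  if rec["type"] in TUNNEL_TYPES
                  and rec["options"].get("egress_pkt_mark") != "0")


def remediation_commands(json_text):
    """ovs-vsctl commands that clear the mark on each offending port."""
    return [f"ovs-vsctl set Interface {n} options:egress_pkt_mark=0"
            for n in find_unmarked_tunnels(json_text)]


def audit_live_host():
    """Same check against the local OVSDB (needs access to ovs-vsctl)."""
    out = subprocess.check_output(
        ["ovs-vsctl", "--format=json", "--columns=name,type,options",
         "list", "Interface"], text=True)
    return find_unmarked_tunnels(out)


# Constructed sample of ovs-vsctl JSON: two VXLAN ports, one already fixed.
SAMPLE = json.dumps({"headings": ["name", "type", "options"], "data": [
    ["br-int", "internal", ["map", []]],
    ["vxlan-0a000a02", "vxlan", ["map", [["in_key", "flow"],
        ["local_ip", "10.0.10.1"], ["out_key", "flow"], ["remote_ip", "10.0.10.2"]]]],
    ["vxlan-0a000a03", "vxlan", ["map", [["egress_pkt_mark", "0"],
        ["in_key", "flow"], ["local_ip", "10.0.10.1"], ["out_key", "flow"],
        ["remote_ip", "10.0.10.3"]]]]]})

if __name__ == "__main__":
    print(remediation_commands(SAMPLE))
```

Since the option only exists from OVS 2.8.0 onward, run the audit on hosts at or above that version.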

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/675054

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.opendev.org/675054
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=762773525234814c1c47b5d21e072a30a94ff9e6
Submitter: Zuul
Branch: master

commit 762773525234814c1c47b5d21e072a30a94ff9e6
Author: Oleg Bondarev <email address hidden>
Date: Wed Aug 7 12:14:18 2019 +0400

    Clear skb mark on encapsulating packets

    Looks like by default OVS tunnels inherit skb marks from
    tunneled packets. As a result Neutron IPTables marks set in
    qrouter namespace are inherited by VXLAN encapsulating packets.
    These marks may conflict with marks used by underlying networking
    (like Calico) and lead to VXLAN tunneled packets being dropped.

    This patch ensures that skb marks are cleared by OVS before entering
    a tunnel to avoid conflicts with IPTables rules in default namespace.

    Closes-Bug: #1839252
    Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/675728

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/675729

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/675730

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.opendev.org/675731

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/675729
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d581cf07cdb06065689a901c20a3d887f2b0c8b6
Submitter: Zuul
Branch: stable/rocky

commit d581cf07cdb06065689a901c20a3d887f2b0c8b6
Author: Oleg Bondarev <email address hidden>
Date: Wed Aug 7 12:14:18 2019 +0400

    Clear skb mark on encapsulating packets

    Looks like by default OVS tunnels inherit skb marks from
    tunneled packets. As a result Neutron IPTables marks set in
    qrouter namespace are inherited by VXLAN encapsulating packets.
    These marks may conflict with marks used by underlying networking
    (like Calico) and lead to VXLAN tunneled packets being dropped.

    This patch ensures that skb marks are cleared by OVS before entering
    a tunnel to avoid conflicts with IPTables rules in default namespace.

    Closes-Bug: #1839252
    Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698
    (cherry picked from commit 762773525234814c1c47b5d21e072a30a94ff9e6)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/675730
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e4b8795c23d24f180e23456683a2e2796d0247b7
Submitter: Zuul
Branch: stable/queens

commit e4b8795c23d24f180e23456683a2e2796d0247b7
Author: Oleg Bondarev <email address hidden>
Date: Wed Aug 7 12:14:18 2019 +0400

    Clear skb mark on encapsulating packets

    Looks like by default OVS tunnels inherit skb marks from
    tunneled packets. As a result Neutron IPTables marks set in
    qrouter namespace are inherited by VXLAN encapsulating packets.
    These marks may conflict with marks used by underlying networking
    (like Calico) and lead to VXLAN tunneled packets being dropped.

    This patch ensures that skb marks are cleared by OVS before entering
    a tunnel to avoid conflicts with IPTables rules in default namespace.

    Closes-Bug: #1839252
    Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698
    (cherry picked from commit 762773525234814c1c47b5d21e072a30a94ff9e6)

tags: added: in-stable-queens
tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/pike)

Reviewed: https://review.opendev.org/675731
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=62f26a24e3d08321252a1144d76666b63cab6a50
Submitter: Zuul
Branch: stable/pike

commit 62f26a24e3d08321252a1144d76666b63cab6a50
Author: Oleg Bondarev <email address hidden>
Date: Wed Aug 7 12:14:18 2019 +0400

    Clear skb mark on encapsulating packets

    Looks like by default OVS tunnels inherit skb marks from
    tunneled packets. As a result Neutron IPTables marks set in
    qrouter namespace are inherited by VXLAN encapsulating packets.
    These marks may conflict with marks used by underlying networking
    (like Calico) and lead to VXLAN tunneled packets being dropped.

    This patch ensures that skb marks are cleared by OVS before entering
    a tunnel to avoid conflicts with IPTables rules in default namespace.

    Closes-Bug: #1839252
    Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698
    (cherry picked from commit 762773525234814c1c47b5d21e072a30a94ff9e6)

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/675728
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9f6d8c383f4d7f5ea6e4c157fe7eb176042960cf
Submitter: Zuul
Branch: stable/stein

commit 9f6d8c383f4d7f5ea6e4c157fe7eb176042960cf
Author: Oleg Bondarev <email address hidden>
Date: Wed Aug 7 12:14:18 2019 +0400

    Clear skb mark on encapsulating packets

    Looks like by default OVS tunnels inherit skb marks from
    tunneled packets. As a result Neutron IPTables marks set in
    qrouter namespace are inherited by VXLAN encapsulating packets.
    These marks may conflict with marks used by underlying networking
    (like Calico) and lead to VXLAN tunneled packets being dropped.

    This patch ensures that skb marks are cleared by OVS before entering
    a tunnel to avoid conflicts with IPTables rules in default namespace.

    Closes-Bug: #1839252
    Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698
    (cherry picked from commit 762773525234814c1c47b5d21e072a30a94ff9e6)

tags: added: in-stable-stein
tags: added: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 15.0.0.0b1

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 14.0.3

This issue was fixed in the openstack/neutron 14.0.3 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 13.0.5

This issue was fixed in the openstack/neutron 13.0.5 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 12.1.1

This issue was fixed in the openstack/neutron 12.1.1 release.

tags: removed: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron pike-eol

This issue was fixed in the openstack/neutron pike-eol release.
