Looks like by default OVS tunnels inherit skb marks from
tunneled packets. As a result Neutron IPTables marks set in
qrouter namespace are inherited by VXLAN encapsulating packets.
These marks may conflict with marks used by underlying networking
(like Calico) and lead to VXLAN tunneled packets being dropped.
This patch ensures that skb marks are cleared by OVS before entering
a tunnel to avoid conflicts with IPTables rules in default namespace.
Closes-Bug: #1839252
Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698
(cherry picked from commit 762773525234814c1c47b5d21e072a30a94ff9e6)
Reviewed: https://review.opendev.org/675728
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9f6d8c383f4d7f5ea6e4c157fe7eb176042960cf
Submitter: Zuul
Branch: stable/stein
commit 9f6d8c383f4d7f5ea6e4c157fe7eb176042960cf
Author: Oleg Bondarev <email address hidden>
Date: Wed Aug 7 12:14:18 2019 +0400
Clear skb mark on encapsulating packets
Looks like by default OVS tunnels inherit skb marks from
tunneled packets. As a result Neutron IPTables marks set in
qrouter namespace are inherited by VXLAN encapsulating packets.
These marks may conflict with marks used by underlying networking
(like Calico) and lead to VXLAN tunneled packets being dropped.
This patch ensures that skb marks are cleared by OVS before entering
a tunnel to avoid conflicts with IPTables rules in default namespace.
Closes-Bug: #1839252
Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698
(cherry picked from commit 762773525234814c1c47b5d21e072a30a94ff9e6)