ovs firewall: mac learning of dest VM mac not working
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | Moshe Levi |
Bug Description
I am using neutron master with the ovs firewall driver and ovs 2.13.
I have 2 compute nodes and a VM on each one of them.
Both VMs are configured with security groups which allow ingress and egress of tcp traffic.
I am running iperf testing for tcp connection tracking.
When traffic starts I see the following rule:
ufid:58ea9ecf-
This is the fdb table of the br-int with "ovs-appctl fdb/show br-int"
port VLAN MAC Age
5 3 fa:16:3e:35:c0:68 97
6 3 fa:16:3e:9e:77:5c 0
As you can see, the Age of the dest mac of the remote VM is increasing, and when it gets to 300s, which is the default age time in ovs, the mac will disappear and the rule above will change to a flood rule.
ufid:b2967a14-
This is the fdb table of the br-int with "ovs-appctl fdb/show br-int"
port VLAN MAC Age
9 1 fa:16:3e:9e:77:5c 0
The flood rule is breaking the offload.
It seems like RULES_INGRESS_TABLE (table 82) outputs to the dest port without doing the Normal action. If we change the openflow of this table from:
table=82, n_packets=
to:
cookie=
the problem will be solved.
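
An added example, not part of the original report and not neutron or OVS code: a small Python check that compares two "ovs-appctl fdb/show" snapshots taken while traffic is flowing and reports MACs whose entry keeps aging instead of being refreshed, or has already expired. SNAP_1 and SNAP_3 are the dumps from the report; SNAP_2 is constructed, and keying entries by MAC alone (ignoring port and VLAN) is a simplifying assumption.

```python
import re

MAX_AGE = 300  # default OVS MAC aging time in seconds, per the report

# One data row of "ovs-appctl fdb/show <bridge>": port, VLAN, MAC, age.
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(\d+)\s*$")

SNAP_1 = """port VLAN MAC Age
5 3 fa:16:3e:35:c0:68 97
6 3 fa:16:3e:9e:77:5c 0"""          # first dump in the report
SNAP_2 = """port VLAN MAC Age
5 3 fa:16:3e:35:c0:68 157
6 3 fa:16:3e:9e:77:5c 0"""          # constructed: 60 s later, same traffic
SNAP_3 = """port VLAN MAC Age
9 1 fa:16:3e:9e:77:5c 0"""          # second dump in the report


def parse_fdb(text):
    """Return {mac: age}; the header and unparsable lines are skipped.
    Assumption: entries are keyed by MAC only (port and VLAN ignored)."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(3).lower()] = int(m.group(4))
    return table


def compare(before, after, max_age=MAX_AGE):
    """Classify each MAC in 'before' against a later snapshot.
    Returns {mac: (state, seconds_until_expiry)}."""
    result = {}
    for mac, old_age in before.items():
        if mac not in after:
            result[mac] = ("expired", 0)   # no entry left: traffic floods
        elif after[mac] > old_age:
            result[mac] = ("not-refreshed", max_age - after[mac])
        else:
            result[mac] = ("refreshed", max_age - after[mac])
    return result


if __name__ == "__main__":
    for label, later in (("SNAP_2", SNAP_2), ("SNAP_3", SNAP_3)):
        for mac, (state, left) in compare(parse_fdb(SNAP_1),
                                          parse_fdb(later)).items():
            print(f"{label} {mac} {state} expires_in={left}s")
```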
summary:
- ovs firewall: mac learning on dest VM mac not working
+ ovs firewall: mac learning of dest VM mac not working
Changed in neutron:
importance: Undecided → High
tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential
Fix proposed to branch: master
Review: https://review.opendev.org/754867