ovs firewall: fix mac learning on the ingress rule table when ovs offload enabled
In RULES_INGRESS_TABLE table 82 there is a rule for allow established and
related connections. The current rule sends the packet directly to the dest
port without doing a mac learning. This is causing ovs to age out the dest mac
of the remote VM and causing the rule to be changed in flood rule. For the normal
case it fine as they try to avoid high cpu. ovs hardware offload reduce cpu usage
by moving some of the packet processing to nic and flood rule is not offloaded,
therefore it prefre to use the NORMAL action to avoid the flood rule.
We also keep the same logic as today when using explicitly_egress_direct=True
which avoid NORMAL action in the entire pipeline.
Reviewed: https:/ /review. opendev. org/754867 /git.openstack. org/cgit/ openstack/ neutron/ commit/ ?id=8fc80b7e132 031d18c787b5be5 82c146d262de74
Committed: https:/
Submitter: Zuul
Branch: master
commit 8fc80b7e132031d 18c787b5be582c1 46d262de74
Author: Moshe Levi <email address hidden>
Date: Tue Sep 29 00:58:54 2020 +0300
ovs firewall: fix mac learning on the ingress rule table when ovs offload enabled
In RULES_INGRESS_TABLE table 82 there is a rule for allow established and egress_ direct= True
related connections. The current rule sends the packet directly to the dest
port without doing a mac learning. This is causing ovs to age out the dest mac
of the remote VM and causing the rule to be changed in flood rule. For the normal
case it fine as they try to avoid high cpu. ovs hardware offload reduce cpu usage
by moving some of the packet processing to nic and flood rule is not offloaded,
therefore it prefre to use the NORMAL action to avoid the flood rule.
We also keep the same logic as today when using explicitly_
which avoid NORMAL action in the entire pipeline.
Closes-Bug: #1897637
Change-Id: I9b611d62be5d05 29e8b35e3d8280b aa5be54bc2b