[OVN/OVS] security groups erroneously dropping IGMP/multicast traffic

Bug #1914745 reported by Diko Parvanov
This bug affects 1 person
Affects   Status   Importance   Assigned to   Milestone
neutron   New      Undecided    Unassigned

Bug Description

Trying to use IGMP/multicast on a bionic-ussuri cloud, instances receive the multicast traffic, but the replies back are dropped from the computes.

conntrack shows:
icmp 1 29 src=172.27.18.70 dst=239.0.10.10 type=8 code=0 id=1699 [UNREPLIED] src=239.0.10.10 dst=172.27.18.70 type=0 code=0 id=1699 mark=0 zone=8 use=1

Workaround is to disable port security on all networks attached to the instances, disable port security on all instances and remove all ports/VMs that have port security enabled and any security groups associated and enabled, even though they are not part of the multicast traffic.

packages:
neutron-common 2:16.2.0-0ubuntu2~cloud0
neutron-ovn-metadata-agent 2:16.2.0-0ubuntu2~cloud0
openvswitch-common 2.13.1-0ubuntu0.20.04.2~cloud0
openvswitch-switch 2.13.1-0ubuntu0.20.04.2~cloud0
ovn-common 20.03.1-0ubuntu1.1~cloud0
ovn-host 20.03.1-0ubuntu1.1~cloud0
python3-neutron 2:16.2.0-0ubuntu2~cloud0
python3-neutron-lib 2.3.0-0ubuntu1~cloud0
python3-neutronclient 1:7.1.1-0ubuntu1~cloud0
python3-openvswitch 2.13.1-0ubuntu0.20.04.2~cloud0

Tags: ovn
Diko Parvanov (dparv)
summary: - [OVN/OVS] security groups wrongly dropping IGMP/multicast traffic
+ [OVN/OVS] security groups erroneously dropping IGMP/multicast traffic
Lucas Alvares Gomes (lucasagomes) wrote :

Hi Diko,

Enabling UDP traffic does not work?

$ openstack security group rule create --protocol udp --ingress <SG>
$ openstack security group rule create --protocol udp --egress <SG>

tags: added: ovn
Daniel Alvarez (dalvarezs) wrote :

s/UDP/ICMP? According to the conntrack output, it is ICMP that Diko is attempting to use.

Lucas Alvares Gomes (lucasagomes) wrote :

Right.

Yeah so, I was just trying to point out that we may need to enable the traffic. Otherwise, by default, Neutron drops everything.

Diko Parvanov (dparv) wrote :

This was tested with security groups with groups that have any traffic allowed - still didn't work. Not ICMP, but IGMP (the Internet Group Management Protocol) - multicast traffic.

Having the instances attached to an external network and an internal network, with port security only on the internal network, the IGMP traffic still gets dropped on the external network as well.
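
Added example, not part of the bug report or of neutron/OVN: a small triage helper that parses conntrack entries like the one quoted in the description and lists flows that are still [UNREPLIED] toward a multicast destination, together with the IP protocol number (1 is ICMP, 2 would be IGMP). The function names are hypothetical, and the second sample line is constructed for contrast.

```python
import ipaddress
import re

# Sample input: the first line is the entry quoted in the bug description;
# the second is a constructed unicast flow for contrast.
SAMPLE = """\
icmp 1 29 src=172.27.18.70 dst=239.0.10.10 type=8 code=0 id=1699 [UNREPLIED] src=239.0.10.10 dst=172.27.18.70 type=0 code=0 id=1699 mark=0 zone=8 use=1
icmp 1 29 src=10.0.0.5 dst=10.0.0.9 type=8 code=0 id=7 src=10.0.0.9 dst=10.0.0.5 type=0 code=0 id=7 mark=0 zone=8 use=1
"""

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Parse one conntrack listing line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 4 or not fields[1].isdigit():
        return None
    entry = {"proto": fields[0], "proto_num": int(fields[1]),
             "unreplied": "[UNREPLIED]" in fields}
    # The original-direction tuple comes first, so keep the first src/dst seen.
    for key, value in KV.findall(line):
        entry.setdefault(key, value)
    return entry


def unreplied_multicast(text):
    """Return entries that are UNREPLIED and whose original dst is multicast."""
    hits = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if not entry or not entry["unreplied"] or "dst" not in entry:
            continue
        try:
            dst = ipaddress.ip_address(entry["dst"])
        except ValueError:
            continue
        if dst in MULTICAST:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in unreplied_multicast(SAMPLE):
        # IP protocol 1 is ICMP; IGMP would show protocol number 2.
        print(f'{e["proto"]}({e["proto_num"]}) {e["src"]} -> {e["dst"]} '
              f'zone={e.get("zone")} type={e.get("type")}')
```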
