explicity_egress_direct prevents learning of local MACs and causes flooding of ingress packets, firewall_driver = openvswitch
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Medium
|
LIU Yulong |
Bug Description
I believe this issue was already reported earlier:
https:/
That bug has a fix committed:
https:/
However I believe the above change fixed only part of the issue (with firewall_
But the same problem is still not fixed with firewall_
First, I re-opened bug #1884708, but then I realized that nobody will notice a several year old bug's status change, so I rather opened this new bug report instead.
Reproduction:
# config
ml2_conf.ini:
[securitygroup]
firewall_driver = openvswitch
[agent]
explicitly_
[ovs]
bridge_mappings = physnet0:
# a random IP on net0 we can ping
sudo ip link set up dev br-physnet0
sudo ip link add link br-physnet0 name br-physnet0.100 type vlan id 100
sudo ip link set up dev br-physnet0.100
sudo ip address add dev br-physnet0.100 10.0.100.1/24
# code
devstack 6b0f055b
neutron $ git log --oneline -n2
27601f8eea (HEAD, origin/bug/2048785, origin/HEAD) Set trunk parent port as access port in ovs to avoid loop
3ef02cc2fb (origin/master) Consume code from neutron-lib
openvswitch 2.17.8-
linux 5.15.0-91-generic
# clean up first
openstack server delete vm0 --wait
openstack port delete port0
openstack network delete net0
# build the environment
openstack network create net0 --provider-
openstack subnet create --network net0 --subnet-range 10.0.100.0/24 subnet0
openstack port create --no-security-group --disable-
openstack server create --flavor cirros256 --image cirros-
# mac addresses for reference
$ openstack port show port0 -f value -c mac_address
fa:16:3e:96:58:ab
$ ifdata -ph br-physnet0
82:E8:18:67:7E:40
# generate traffic that will keep fdb entries fresh
sudo virsh console "$( openstack server show vm0 -f value -c OS-EXT-
ping 10.0.100.1
# clear all past junk
for br in br-physnet0 br-int ; do sudo ovs-appctl fdb/flush "$br" ; done
# br-int does not learn port0's mac despite the ongoing ping
for br in br-physnet0 br-int ; do echo ">>> $br <<<" ; sudo ovs-appctl fdb/show "$br" | egrep -i "$( openstack port show port0 -f value -c mac_address )|$( ifdata -ph br-physnet0 )" ; done
>>> br-physnet0 <<<
1 100 fa:16:3e:96:58:ab 0
LOCAL 100 82:e8:18:67:7e:40 0
>>> br-int <<<
1 4 82:e8:18:67:7e:40 0
# port and physnet bridge mac in all fdbs, egress == vnic -> physnet bridge
# in br-int we have a direct output action
$ sudo ovs-appctl ofproto/trace br-int in_port="$( sudo ovs-vsctl -- --columns=ofport find Interface name=$( echo "tap$( openstack port show port0 -f value -c id )" | cut -b1-14 ) | awk '{ print $3 }' )",dl_vlan=
Flow: in_port=
bridge("br-int")
----------------
0. priority 0, cookie 0x2b36d6b4a42fe7b5
goto_table:58
58. priority 0, cookie 0x2b36d6b4a42fe7b5
goto_table:60
60. in_port=45, priority 100, cookie 0x2b36d6b4a42fe7b5
set_
set_
resubmit(,73)
73. reg5=0x2d, priority 80, cookie 0x2b36d6b4a42fe7b5
resubmit(,94)
94. reg6=0x4,
push_
set_
output:1
bridge(
-------
0. in_port=
set_
NORMAL
-> forwarding to learned port
Final flow: reg5=0x2d,
Megaflow: recirc_
Datapath actions: pop_vlan,
# port and physnet bridge mac in all fdbs, ingress == physnet bridge -> vnic
# in br-int we have the normal action flooding, despite the ongoing ping
$ sudo ovs-appctl ofproto/trace br-physnet0 in_port=
Flow: in_port=
bridge(
-------
0. priority 0, cookie 0x85bc1a5077d54d3f
NORMAL
-> forwarding to learned port
bridge("br-int")
----------------
0. in_port=
set_
goto_table:58
58. priority 0, cookie 0x2b36d6b4a42fe7b5
goto_table:60
60. priority 3, cookie 0x2b36d6b4a42fe7b5
NORMAL
-> no learned MAC for destination, flooding
bridge("br-tun")
----------------
0. in_port=1, priority 1, cookie 0xc8cfff9c6bbea88d
goto_table:2
2. dl_dst=
goto_table:20
20. priority 0, cookie 0xc8cfff9c6bbea88d
goto_table:22
22. priority 0, cookie 0xc8cfff9c6bbea88d
drop
Final flow: unchanged
Megaflow: recirc_
Datapath actions: pop_vlan,
This bug has a long history:
round #1 - some unnecessary flooding in the egress direction
https:/
https:/
fix introducing explicitly_
https:/
round #2 - the fix above introduced some unnecessary ingress flooding
https:/
fix for firewall_
https:/
also related:
https:/
https:/
may be related:
https:/
round #3 (today)
https:/
https:/
Changed in neutron: | |
assignee: | nobody → Bence Romsics (bence-romsics) |
description: | updated |
Changed in neutron: | |
importance: | Undecided → Medium |
assignee: | Bence Romsics (bence-romsics) → LIU Yulong (dragon889) |
@Bence,
``explicity_ egress_ direct` ` was mainly added for openvswitch firewall driver. Noop firewall driver is not the primary case of this option. There is a bug which is related to iptables_hybird drivers, so the fix is added to noop and iptables_hybird drivers as well.
But anyway, TBH, this option is not really cover the trunk port scenario. If trunk port is widely used, it's worthy to have a fix to cover it.
So this bug is mainly for trunk port scenario?
So, we are facing more cases as I said before: /bugs.launchpad .net/neutron/ +bug/1732067/ comments/ 79
https:/