Comment 17 for bug 2051351

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/921940
Committed: https://opendev.org/openstack/neutron/commit/f94f8b63842099904ff88906e8221a366a809f99
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit f94f8b63842099904ff88906e8221a366a809f99
Author: LIU Yulong <email address hidden>
Date: Thu Jan 27 17:01:43 2022 +0800

    Add a default goto table=94 for openvswitch fw

    If explicitly_egress_direct=True is enabled and a port is set with
    no security group and port_security=False, the ingress
    flood will reappear. The pipeline is:
    Ingress
    table_0 -> table_60 -> NORMAL -> VM
    Egress
    table_0 -> ... -> table_94 -> output

    Because ingress final action is normal, the br-int will learn the
    source MAC, but egress final action is output. So VM's mac will
    never be learnt by the br-int. Then ingress flood comes again.

    This patch adds a default direct flow to table 94 during the
    openflow security group init and explicitly_egress_direct=True, then
    the pipeline will be:
    Ingress
    table_0 -> table_60 -> table_94 -> output VM
    Egress
    table_0 -> ... -> table_94 -> output

    And this patch adds the flows coming from the patch port which will
    match the local vlan then go to table 94 to do the same direct actions.

    The above flood issue will be addressed by these flows.

    Closes-Bug: #2051351
    Change-Id: Ia61784174ee610b338f26660b2954330abc131a1
    (cherry picked from commit d6f56c5f96c42e1682f3d1723a65253429778c20)
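
The MAC-learning behaviour described in the commit message above, modelled as an added example (not part of the original comment and not neutron or OVS code). The port names, MAC addresses, VLAN tag and the flood-on-miss behaviour of the direct table are assumptions of this simplified model.

```python
# Simplified model of br-int forwarding (added example; constructed values).
UPLINK = "patch-port"                 # hypothetical name for the patch port
VM1_MAC = "fa:16:3e:00:00:01"         # constructed sample MACs
REMOTE_MAC = "fa:16:3e:00:00:99"

class Bridge:
    def __init__(self, ports, direct_ingress):
        self.ports = ports            # VM port name -> local VLAN
        self.fdb = {}                 # (vlan, mac) -> port, filled by NORMAL only
        self.table_94 = {}            # (vlan, dst mac) -> port, direct output flows
        self.direct_ingress = direct_ingress  # True models the pipeline after the patch

    def _flood(self, in_port, vlan):
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)

    def _normal(self, in_port, vlan, src, dst):
        # NORMAL action: learn the source MAC, then forward or flood.
        self.fdb[(vlan, src)] = in_port
        port = self.fdb.get((vlan, dst))
        return [port] if port else self._flood(in_port, vlan)

    def _direct(self, vlan, dst, miss):
        # table_94: output straight to the port that owns dst; never learns MACs.
        port = self.table_94.get((vlan, dst))
        return [port] if port else miss

    def egress(self, in_port, src, dst):
        # table_0 -> ... -> table_94 -> output (unknown dst leaves via the uplink)
        return self._direct(self.ports[in_port], dst, [UPLINK])

    def ingress(self, vlan, src, dst):
        if self.direct_ingress:
            # table_0 -> table_60 -> table_94 -> output VM
            return self._direct(vlan, dst, self._flood(UPLINK, vlan))
        # table_0 -> table_60 -> NORMAL -> VM
        return self._normal(UPLINK, vlan, src, dst)

def demo(direct_ingress):
    """Return the ports that receive a frame sent to vm1 from outside."""
    br = Bridge({"vm1": 1, "vm2": 1, "vm3": 1}, direct_ingress)
    br.table_94[(1, VM1_MAC)] = "vm1"
    br.egress("vm1", VM1_MAC, REMOTE_MAC)      # vm1 talks first; nothing is learnt
    return br.ingress(1, REMOTE_MAC, VM1_MAC)  # reply destined to vm1

if __name__ == "__main__":
    print("before patch:", demo(False))
    print("after patch: ", demo(True))
```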