The outbound unicast traffic of VMS with security group enabled is broadcast
This bug report will be marked for expiration in 25 days if no further activity occurs. (find out why)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Incomplete
|
Medium
|
Unassigned |
Bug Description
I encountered using openstack Security Group,If security groups are enabled for virtual nics on cloud hosts, The outgoing traffic of the VMS enabled in the security group should be unicast traffic, but it is eventually forwarded to all ports belong to the vlan on the ovs br-int bridge.
The following is my debugging process in detail.
The unicast packet sent by the remote virtual machine 172.83.160.63 to the local virtual machine 172.83.160.74 is passed to the br-ex->br-int-> VM,
Because the security group is enabled on the VM NIC, The br-int cannot learn the entry whose port is patch-ex and mac address is vm2.
Therefore those packets sent from vm1 to vm2 are broadcast in vlans because they fail to match mac address entries.
vm1 --- ovs(br-int) ------ ovs(br-ex)--- tor(physical switch) ......vm2
The following is the ovs kernel flow table. The mac address of vm1 is fa:16:3e:
recirc_
recirc_
After careful debugging analysis, the openflow action in the flow table 82 added by neutron is the VM port instead of normal.
As a result, the ovs br-int bridge cannot learn the mac entry of vm2.
table=82, priority=
table=82, priority=
thank you
You may have a try to set explicitly_ egress_ direct= True for your ovs-agent.
See this for details: /docs.openstack .org/neutron/ latest/ contributor/ internals/ openvswitch_ firewall. html#openflow- rules
https:/
And this is the original bug: /bugs.launchpad .net/neutron/ +bug/1732067
https:/