Comment 2 for bug 1044318

To clarify my previous comment, this is not an issue with the packaging, it is a bug in OVS. I removed it from quantum RC1 as there was not code that needed to be committed to quantum to fix the issue, simply that distros needed to create new packages with the fix.

Again, here is the OVS change: http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=53e6421bc83918ac2d00ba5516f205fa7e394140

According to the OVS team, without the change, the connection tracking logic using by IPtables gets confused if a packet passes through multiple linux network namespaces on the same host. The reason for this confusion is that OVS is not properly clearing some of the fields in the skb header, meaning the connection tracking ignores this packet, so iptables functionality that relies on this (in particular DNAT and SNAT) do not work.

From the OVS commit message:

"It's possible that packets that are sent on internal devices (from
the OVS perspective) have already traversed the local IP stack.
After they go through the internal device, they will again travel
through the IP stack which may get confused by the presence of
existing information in the skb. The problem can be observed
when switching between namespaces. This clears out that information
to avoid problems but deliberately leaves other metadata alone.
This is to provide maximum flexibility in chaining together OVS
and other Linux components."

Unfortunately, this is actually fairly common given that the quantum l3-agent uses namespaces to implement multiple quantum "routers" on the same box, and uses IPtables within each namespace to perform SNAT/DNAT for "floating ips" and external network access. Above I mention why users are ALWAYS going to hit this bug in single node developer installs, since they typically test the reachability of VMs via floating IPs.