yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #58028
[Bug 1635283] Re: OVS conntrack firewall doesn't work with OVS 2.6.0
Sorry, I see it's covered by https://review.openstack.org/#/c/388467/
** Changed in: neutron
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1635283
Title:
OVS conntrack firewall doesn't work with OVS 2.6.0
Status in neutron:
Fix Released
Bug description:
OVS introduced a check for inconsistent CT actions in the following
bug:
https://github.com/openvswitch/ovs/commit/d86e03c57e295811533ed873602a3f2eadc85548
If a flow doesn't meet the requirements for a CT action, the flow will be discarded. CT firewall musst specify the L3/L4 protocol (ip, ipv6, tcp, udp, scp) as long as a CT action is used. For example:
Flow1="hard_timeout=0,idle_timeout=0,priority=90,ct_state=+new-est,reg5=6,cookie=13600354711851837061,table=73,actions=ct(commit,zone=NXM_NX_REG6[0..15]),normal"
should be:
Flow1="hard_timeout=0,idle_timeout=0,priority=90, ip ,ct_state=+new-est,reg5=6,cookie=13600354711851837061,table=73,actions=ct(commit,zone=NXM_NX_REG6[0..15]),normal"
When the flows are added by the agent, an error appears:
...
hard_timeout=0,idle_timeout=0,priority=40,ct_state=+est,reg5=6,cookie=13600354711851837061,table=72,actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(set_field:0x1->ct_mark))
hard_timeout=0,idle_timeout=0,priority=70,dl_type=0x0800,ct_state=+est-rel-rpl,reg5=6,nw_proto=17,cookie=13600354711851837061,table=82,udp_dst=0x1388,dl_dst=fa:16:3e:d3:28:85,actions=strip_vlan,output:6
hard_timeout=0,idle_timeout=0,priority=70,dl_type=0x0800,ct_state=+new-est,reg5=6,nw_proto=17,cookie=13600354711851837061,table=82,udp_dst=0x1388,dl_dst=fa:16:3e:d3:28:85,actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:6; Stdout: ; Stderr: ovs-ofctl: -:17: actions are invalid with specified match (OFPBAC_MATCH_INCONSISTENT)
but the agent continues working without exiting.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1635283/+subscriptions