
yahoo-eng-team team mailing list archive

[Bug 1635283] Re: OVS conntrack firewall doesn't work with OVS 2.6.0

 

*** This bug is a duplicate of bug 1634757 ***
    https://bugs.launchpad.net/bugs/1634757

** This bug has been marked a duplicate of bug 1634757
   OVS firewall doesn't work with recent ovs

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1635283

Title:
  OVS conntrack firewall doesn't work with OVS 2.6.0

Status in neutron:
  Fix Released

Bug description:
  OVS introduced a check for inconsistent CT actions in the following
  bug:
  https://github.com/openvswitch/ovs/commit/d86e03c57e295811533ed873602a3f2eadc85548

  
  If a flow doesn't meet the requirements for a CT action, the flow will be discarded. CT firewall must specify the L3/L4 protocol (ip, ipv6, tcp, udp, scp) as long as a CT action is used. For example:
     Flow1="hard_timeout=0,idle_timeout=0,priority=90,ct_state=+new-est,reg5=6,cookie=13600354711851837061,table=73,actions=ct(commit,zone=NXM_NX_REG6[0..15]),normal"
  should be:
     Flow1="hard_timeout=0,idle_timeout=0,priority=90,  ip  ,ct_state=+new-est,reg5=6,cookie=13600354711851837061,table=73,actions=ct(commit,zone=NXM_NX_REG6[0..15]),normal"

  
  When the flows are added by the agent, an error appears:
  ...
  hard_timeout=0,idle_timeout=0,priority=40,ct_state=+est,reg5=6,cookie=13600354711851837061,table=72,actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(set_field:0x1->ct_mark))
  hard_timeout=0,idle_timeout=0,priority=70,dl_type=0x0800,ct_state=+est-rel-rpl,reg5=6,nw_proto=17,cookie=13600354711851837061,table=82,udp_dst=0x1388,dl_dst=fa:16:3e:d3:28:85,actions=strip_vlan,output:6
  hard_timeout=0,idle_timeout=0,priority=70,dl_type=0x0800,ct_state=+new-est,reg5=6,nw_proto=17,cookie=13600354711851837061,table=82,udp_dst=0x1388,dl_dst=fa:16:3e:d3:28:85,actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:6; Stdout: ; Stderr: ovs-ofctl: -:17: actions are invalid with specified match (OFPBAC_MATCH_INCONSISTENT)

  but the agent continues working without exiting.

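The rule from the bug description, written as a lint that flags flow strings using a ct(...) action without an IP match before they are handed to ovs-ofctl. This is an added example, not neutron or OVS code: the function names and the keyword set are assumptions for illustration, and the sample flows are the ones quoted in the report.

```python
import re

# Assumption: match keywords treated as pinning a flow to IPv4/IPv6 traffic.
IP_KEYWORDS = {"ip", "ipv6", "tcp", "udp", "sctp", "icmp",
               "tcp6", "udp6", "sctp6", "icmp6"}
IP_ETHERTYPES = {0x0800, 0x86DD}  # dl_type values for IPv4 and IPv6


def split_flow(flow):
    """Split an ovs-ofctl flow string into (match fields dict, actions string)."""
    match_part, _, actions = flow.partition("actions=")
    fields = {}
    for token in match_part.split(","):
        name, _, value = token.strip().partition("=")
        if name:
            fields[name] = value
    return fields, actions


def matches_ip(fields):
    """True if the match names an IP protocol keyword or an IP dl_type."""
    if IP_KEYWORDS.intersection(fields):
        return True
    for key in ("dl_type", "eth_type"):
        try:
            if int(fields.get(key, ""), 0) in IP_ETHERTYPES:
                return True
        except ValueError:
            pass  # field absent or not a number
    return False


def find_inconsistent(flows):
    """Return 1-based positions of flows that use ct(...) without an IP match.
    The pattern matches the ct action but not field names such as ct_mark."""
    bad = []
    for pos, flow in enumerate(flows, 1):
        fields, actions = split_flow(flow)
        if re.search(r"\bct\(", actions) and not matches_ip(fields):
            bad.append(pos)
    return bad


# Flows quoted in the bug report: Flow1, its corrected form, and two agent flows.
PAGE_FLOWS = [
    "hard_timeout=0,idle_timeout=0,priority=90,ct_state=+new-est,reg5=6,cookie=13600354711851837061,table=73,actions=ct(commit,zone=NXM_NX_REG6[0..15]),normal",
    "hard_timeout=0,idle_timeout=0,priority=90,  ip  ,ct_state=+new-est,reg5=6,cookie=13600354711851837061,table=73,actions=ct(commit,zone=NXM_NX_REG6[0..15]),normal",
    "hard_timeout=0,idle_timeout=0,priority=40,ct_state=+est,reg5=6,cookie=13600354711851837061,table=72,actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(set_field:0x1->ct_mark))",
    "hard_timeout=0,idle_timeout=0,priority=70,dl_type=0x0800,ct_state=+new-est,reg5=6,nw_proto=17,cookie=13600354711851837061,table=82,udp_dst=0x1388,dl_dst=fa:16:3e:d3:28:85,actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:6",
]
```

Because the report notes that the agent keeps running after ovs-ofctl rejects the batch, a check like this is most useful when a non-empty result is treated as a hard failure rather than a log line.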