
yahoo-eng-team team mailing list archive

[Bug 1696983] Re: ovs-fw: flows on br-int are overlapping with dvr flows

 

Reviewed:  https://review.openstack.org/472691
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ce8a0b2b7d73caf078c6634d6dded5117dbed265
Submitter: Jenkins
Branch:    master

commit ce8a0b2b7d73caf078c6634d6dded5117dbed265
Author: Jakub Libosvar <libosvar@xxxxxxxxxx>
Date:   Fri Jun 9 13:41:57 2017 +0000

    dvr: Move normal/output br-int flows to table TRANSIENT
    
    DVR flows are not compatible with OVS firewall flows as firewall flows
    have higher priority. As a consequence, rules for DVR were never matched
    as firewall uses output directly.
    
    This patch replaces flows using normal or output actions and resends
    packets to TRANSIENT table instead. This transient table then uses
    either those normal or output action rules. With this split, we will be
    able to match egress/ingress flows in TRANSIENT table instead of
    LOCAL_SWITCHING putting DVR pipeline in front of OVS firewall pipeline.
    
    Change-Id: I9f738047f131b42d11a90f539435006d16ea7883
    Closes-bug: #1696983


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1696983

Title:
  ovs-fw: flows on br-int are overlapping with dvr flows

Status in neutron:
  Fix Released

Bug description:
  DVR flows use normal action in table 0 on br-int. In ovs firewall,
  table 0 is used as a detector for ingress and egress VM traffic,
  sending packets for further filtering in the pipeline. As DVR flows
  have lower priority, DVR flows are not matched and mac translation
  doesn't work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1696983/+subscriptions
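
Added example, not part of the original notification or of neutron's code: a simplified Python model of the priority shadowing in the bug description and of the table split in the commit message. Flow names, priorities, MAC addresses and the FW_INGRESS table name are constructed; the "after" layout assumes the firewall detector matches in TRANSIENT, as the commit message anticipates.

```python
# Toy OpenFlow lookup: in each table only the highest-priority matching flow
# runs. Priorities, MACs and the FW_INGRESS table name are constructed.
DVR_MAC, GW_MAC, VM_MAC = "fa:16:3f:00:00:01", "fa:16:3e:00:00:fe", "fa:16:3e:00:00:10"

def flow(name, table, priority, match, set_=None, goto=None):
    return dict(name=name, table=table, priority=priority,
                match=match, set=set_ or {}, goto=goto)

def run(flows, pkt, table="LOCAL_SWITCHING"):
    """Walk the pipeline; return (final packet, names of flows that ran)."""
    pkt, trace = dict(pkt), []
    while table is not None:
        hits = [f for f in flows if f["table"] == table
                and all(pkt.get(k) == v for k, v in f["match"].items())]
        if not hits:
            trace.append("drop")
            break
        best = max(hits, key=lambda f: f["priority"])
        trace.append(best["name"])
        pkt.update(best["set"])      # header rewrite, e.g. mod_dl_src
        table = best["goto"]         # None: terminal action (normal/output)
    return pkt, trace

# Firewall flows: detect ingress VM traffic, filter, then output directly.
def firewall(detect_table):
    return [flow("fw_detect_ingress", detect_table, 100, {"dl_dst": VM_MAC},
                 goto="FW_INGRESS"),
            flow("fw_output", "FW_INGRESS", 50, {"dl_dst": VM_MAC})]

# Before: the DVR MAC rewrite shares LOCAL_SWITCHING with the firewall
# detector at lower priority and ends in a terminal "normal" action.
BEFORE = firewall("LOCAL_SWITCHING") + [
    flow("dvr_rewrite_normal", "LOCAL_SWITCHING", 5, {"dl_src": DVR_MAC},
         set_={"dl_src": GW_MAC})]

# After: the DVR flow resubmits to TRANSIENT, where the firewall detector
# and the fallback normal flow now live.
AFTER = firewall("TRANSIENT") + [
    flow("dvr_rewrite", "LOCAL_SWITCHING", 5, {"dl_src": DVR_MAC},
         set_={"dl_src": GW_MAC}, goto="TRANSIENT"),
    flow("normal", "TRANSIENT", 1, {})]

PACKET = {"dl_src": DVR_MAC, "dl_dst": VM_MAC}  # constructed routed packet

if __name__ == "__main__":
    for label, flows in (("before", BEFORE), ("after", AFTER)):
        print(label, *run(flows, PACKET))
```

In the "before" run the packet reaches the VM with the DVR host MAC still in dl_src because the rewrite flow is shadowed; in the "after" run the rewrite happens before the firewall detector sees the packet.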

