
yahoo-eng-team team mailing list archive

[Bug 1831534] [NEW] [l3][dvr] with openflow security group east-west traffic between different vlan networks is broken

 

Public bug reported:

ENV: stable/queens & master

This is a long story from a long time ago [1] [2] [3], but we recently met
this issue: when a DVR router is connected to two different VLAN networks,
the east-west traffic is not reachable.

# ovs-ofctl show br-int

 1(int-br-ex): addr:22:32:17:d4:08:6a
 2(int-br-vlan): addr:76:ed:47:bf:21:ec
 3(patch-tun): addr:9a:56:bf:23:ac:37
 ...
 ...
 255(tap321a4669-c2): addr:fe:16:3e:93:31:67
 LOCAL(br-int): addr:7a:ae:b6:87:7b:4d

# ovs-ofctl dump-flows br-int
 # this will always be applied, since it has higher priority; fa:16:3f:93:05:7d is the DVR host MAC from the requesting VM's hypervisor
 cookie=0xb27e128dd9a83dfc, duration=6408639.091s, table=0, n_packets=22187, n_bytes=30725358, idle_age=860, hard_age=65534, priority=4,in_port=2,dl_src=fa:16:3f:93:05:7d actions=resubmit(,2)
 # this will not get matched
 cookie=0xb27e128dd9a83dfc, duration=116506.106s, table=0, n_packets=60698, n_bytes=80563747, idle_age=825, hard_age=65534, priority=3,in_port=2,dl_vlan=587 actions=mod_vlan_vid:45,resubmit(,60)
 cookie=0xb27e128dd9a83dfc, duration=167233.168s, table=2, n_packets=22177, n_bytes=30724518, idle_age=51621, hard_age=65534, priority=4,dl_vlan=587,dl_dst=fa:16:3e:93:31:67 actions=mod_dl_src:fa:16:3e:ca:bf:28,resubmit(,60)
 cookie=0xb27e128dd9a83dfc, duration=167719.120s, table=60, n_packets=22257, n_bytes=30732678, idle_age=4, hard_age=65534, priority=4,dl_vlan=587,dl_dst=fa:16:3e:93:31:67 actions=strip_vlan,output:255

Since the request packets never go into the conntrack table, the reply
packets will be dropped.


[1] https://specs.openstack.org/openstack/neutron-specs/specs/kilo/neutron-ovs-dvr-vlan.html
[2] https://blueprints.launchpad.net/neutron/+spec/neutron-ovs-dvr-vlan
[3] https://review.opendev.org/#/q/topic:bp/neutron-ovs-dvr-vlan

** Affects: neutron
     Importance: High
         Status: Confirmed

** Changed in: neutron
   Importance: Undecided => Critical

** Changed in: neutron
   Importance: Critical => High

** Changed in: neutron
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1831534
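
The rule shadowing described in the report can be checked offline from the four quoted flows. The following is an added example, not part of the original report or of neutron: it parses the quoted dump, picks the highest-priority match per table, and reports whether the traced path contains a `ct(` action. The `REQUEST` packet is constructed from the port, VLAN and MACs in the dump, only `key=value` match fields are handled, and `resubmit` is simplified to a jump.

```python
import re
# Verbatim from the report's `ovs-ofctl dump-flows br-int` output.
DUMP = """\
cookie=0xb27e128dd9a83dfc, duration=6408639.091s, table=0, n_packets=22187, n_bytes=30725358, idle_age=860, hard_age=65534, priority=4,in_port=2,dl_src=fa:16:3f:93:05:7d actions=resubmit(,2)
cookie=0xb27e128dd9a83dfc, duration=116506.106s, table=0, n_packets=60698, n_bytes=80563747, idle_age=825, hard_age=65534, priority=3,in_port=2,dl_vlan=587 actions=mod_vlan_vid:45,resubmit(,60)
cookie=0xb27e128dd9a83dfc, duration=167233.168s, table=2, n_packets=22177, n_bytes=30724518, idle_age=51621, hard_age=65534, priority=4,dl_vlan=587,dl_dst=fa:16:3e:93:31:67 actions=mod_dl_src:fa:16:3e:ca:bf:28,resubmit(,60)
cookie=0xb27e128dd9a83dfc, duration=167719.120s, table=60, n_packets=22257, n_bytes=30732678, idle_age=4, hard_age=65534, priority=4,dl_vlan=587,dl_dst=fa:16:3e:93:31:67 actions=strip_vlan,output:255
"""
COUNTERS = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}
# Constructed packet: the request as it arrives from the peer hypervisor on int-br-vlan.
REQUEST = {"in_port": "2", "dl_src": "fa:16:3f:93:05:7d", "dl_vlan": "587", "dl_dst": "fa:16:3e:93:31:67"}

def parse_flows(dump):
    """Parse dump-flows lines into dicts; 'resubmit(,2)' and 'ct(...)' stay whole."""
    flows = []
    for line in dump.strip().splitlines():
        head, actions = line.strip().split(" actions=", 1)
        fields = dict(kv.strip().split("=", 1) for kv in head.split(","))
        flows.append({
            "table": int(fields.pop("table")),
            "priority": int(fields.pop("priority")),
            "match": {k: v for k, v in fields.items() if k not in COUNTERS},
            "actions": re.findall(r"[^,(]+(?:\([^)]*\))?", actions),
        })
    return flows

def candidates(flows, table, pkt):
    """Flows in `table` whose every match field equals the packet's, best priority first."""
    hits = [f for f in flows if f["table"] == table
            and all(pkt.get(k) == v for k, v in f["match"].items())]
    return sorted(hits, key=lambda f: -f["priority"])

def trace(flows, pkt, table=0):
    """Follow the winning flow per table (resubmit = jump); return (path, ct seen)."""
    pkt, path, saw_ct = dict(pkt), [], False
    while table is not None and (hits := candidates(flows, table, pkt)):
        path.append((table, hits[0]["priority"]))
        for act in hits[0]["actions"]:
            saw_ct |= act.startswith("ct(")
            if act.startswith("mod_"):  # mod_dl_src:X / mod_vlan_vid:N rewrite a header
                field, value = act[4:].split(":", 1)
                pkt["dl_vlan" if field == "vlan_vid" else field] = value
            elif act == "strip_vlan":
                pkt.pop("dl_vlan", None)
        table = next((int(a[10:-1]) for a in hits[0]["actions"] if a.startswith("resubmit(,")), None)
    return path, saw_ct

if __name__ == "__main__":
    print(trace(parse_flows(DUMP), REQUEST))
```

Both table 0 flows match the constructed request, and the priority 4 one wins, so the trace goes through tables 0, 2 and 60 to `output:255` without any conntrack action.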
