yahoo-eng-team team mailing list archive
Message #79574
[Bug 1839252] Re: Connectivity issues due to skb marks on the encapsulating packet
Reviewed: https://review.opendev.org/675054
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=762773525234814c1c47b5d21e072a30a94ff9e6
Submitter: Zuul
Branch: master
commit 762773525234814c1c47b5d21e072a30a94ff9e6
Author: Oleg Bondarev <obondarev@xxxxxxxxxxxx>
Date: Wed Aug 7 12:14:18 2019 +0400
Clear skb mark on encapsulating packets
Looks like by default OVS tunnels inherit skb marks from
tunneled packets. As a result Neutron IPTables marks set in
qrouter namespace are inherited by VXLAN encapsulating packets.
These marks may conflict with marks used by underlying networking
(like Calico) and lead to VXLAN tunneled packets being dropped.
This patch ensures that skb marks are cleared by OVS before entering
a tunnel to avoid conflicts with IPTables rules in default namespace.
Closes-Bug: #1839252
Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1839252
Title:
Connectivity issues due to skb marks on the encapsulating packet
Status in neutron:
Fix Released
Bug description:
Looks like by default OVS tunnels inherit skb marks from tunneled packets.
As a result Neutron IPTables marks set in qrouter namespace are inherited by VXLAN encapsulating packets.
These marks may conflict with marks used by underlying networking (like Calico) and lead to VXLAN
tunneled packets being dropped.
The proposal is to set 'egress_pkt_mark = 0' explicitly for tunnel
ports. The option was added in OVS 2.8.0
(https://www.openvswitch.org/releases/NEWS-2.8.0.txt)
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1839252/+subscriptions
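An added example, not part of the original message or the Neutron patch: a Python audit that reads the JSON from `ovs-vsctl --format=json --columns=name,type,options list Interface` and reports tunnel ports whose `egress_pkt_mark` is not 0, the setting the bug description proposes. The interface names, sample rows and the set of tunnel types are constructed assumptions.

```python
import json

# Assumed set of tunnel interface types to audit; extend for your deployment.
TUNNEL_TYPES = {"vxlan", "gre", "geneve"}

# Constructed sample of the JSON printed by:
#   ovs-vsctl --format=json --columns=name,type,options list Interface
SAMPLE = json.dumps({
    "headings": ["name", "type", "options"],
    "data": [
        ["vxlan-0a000002", "vxlan", ["map", [["egress_pkt_mark", "0"],
                                             ["remote_ip", "10.0.0.2"]]]],
        ["vxlan-0a000003", "vxlan", ["map", [["remote_ip", "10.0.0.3"]]]],
        ["gre-0a000004", "gre", ["map", [["egress_pkt_mark", "1"],
                                         ["remote_ip", "10.0.0.4"]]]],
        ["patch-tun", "patch", ["map", [["peer", "patch-int"]]]],
        ["br-tun", "internal", ["map", []]],
    ],
})


def decode_map(cell):
    """OVSDB JSON encodes a map column as ["map", [[key, value], ...]]."""
    if isinstance(cell, list) and len(cell) == 2 and cell[0] == "map":
        return dict(cell[1])
    return {}


def audit_tunnel_marks(raw_json):
    """Return (name, reason) for tunnel ports that do not clear the skb mark."""
    table = json.loads(raw_json)
    col = {heading: i for i, heading in enumerate(table["headings"])}
    findings = []
    for row in table["data"]:
        if row[col["type"]] not in TUNNEL_TYPES:
            continue  # patch/internal ports do not encapsulate
        mark = decode_map(row[col["options"]]).get("egress_pkt_mark")
        if mark is None:
            findings.append((row[col["name"]], "egress_pkt_mark unset"))
        elif not mark.isdigit() or int(mark) != 0:
            findings.append((row[col["name"]], "egress_pkt_mark=" + mark))
    return findings


if __name__ == "__main__":
    for name, reason in audit_tunnel_marks(SAMPLE):
        # Remediation per the bug description: set egress_pkt_mark to 0.
        print(f"{name}: {reason}")
```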