yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1914745] [NEW] [OVN/OVS] security groups erroneously dropping IGMP/multicast traffic

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Diko Parvanov <1914745@xxxxxxxxxxxxxxxxxx>
Date: Fri, 05 Feb 2021 09:59:41 -0000
Reply-to: Bug 1914745 <1914745@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Public bug reported:

Trying to use IGMP/multicast on a bionic-ussuri cloud, instances receive
the multicast traffic, but the replies back are dropped from the
computes

conntrack shows:
icmp     1 29 src=172.27.18.70 dst=239.0.10.10 type=8 code=0 id=1699 [UNREPLIED] src=239.0.10.10 dst=172.27.18.70 type=0 code=0 id=1699 mark=0 zone=8 use=1

Workaround is to disable port security on all attached to the instances
networks, disable port security on all instances and remove all
ports/VMs that have port security enabled and any security groups
associated and enabled, even thou they are not part of the multicast
traffic.

packages:
neutron-common                         2:16.2.0-0ubuntu2~cloud0        
neutron-ovn-metadata-agent             2:16.2.0-0ubuntu2~cloud0        
openvswitch-common                     2.13.1-0ubuntu0.20.04.2~cloud0  
openvswitch-switch                     2.13.1-0ubuntu0.20.04.2~cloud0  
ovn-common                             20.03.1-0ubuntu1.1~cloud0       
ovn-host                               20.03.1-0ubuntu1.1~cloud0       
python3-neutron                        2:16.2.0-0ubuntu2~cloud0        
python3-neutron-lib                    2.3.0-0ubuntu1~cloud0           
python3-neutronclient                  1:7.1.1-0ubuntu1~cloud0         
python3-openvswitch                    2.13.1-0ubuntu0.20.04.2~cloud0

** Affects: neutron
     Importance: Undecided
         Status: New

** Summary changed:

- [OVN/OVS] security groups wrongly dropping IGMP/multicast traffic
+ [OVN/OVS] security groups erroneously dropping IGMP/multicast traffic

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1914745

Title:
  [OVN/OVS] security groups erroneously dropping IGMP/multicast traffic

Status in neutron:
  New

Bug description:
  Trying to use IGMP/multicast on a bionic-ussuri cloud, instances
  receive the multicast traffic, but the replies back are dropped from
  the computes

  conntrack shows:
  icmp     1 29 src=172.27.18.70 dst=239.0.10.10 type=8 code=0 id=1699 [UNREPLIED] src=239.0.10.10 dst=172.27.18.70 type=0 code=0 id=1699 mark=0 zone=8 use=1

  Workaround is to disable port security on all attached to the
  instances networks, disable port security on all instances and remove
  all ports/VMs that have port security enabled and any security groups
  associated and enabled, even thou they are not part of the multicast
  traffic.

  packages:
  neutron-common                         2:16.2.0-0ubuntu2~cloud0        
  neutron-ovn-metadata-agent             2:16.2.0-0ubuntu2~cloud0        
  openvswitch-common                     2.13.1-0ubuntu0.20.04.2~cloud0  
  openvswitch-switch                     2.13.1-0ubuntu0.20.04.2~cloud0  
  ovn-common                             20.03.1-0ubuntu1.1~cloud0       
  ovn-host                               20.03.1-0ubuntu1.1~cloud0       
  python3-neutron                        2:16.2.0-0ubuntu2~cloud0        
  python3-neutron-lib                    2.3.0-0ubuntu1~cloud0           
  python3-neutronclient                  1:7.1.1-0ubuntu1~cloud0         
  python3-openvswitch                    2.13.1-0ubuntu0.20.04.2~cloud0

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1914745/+subscriptions