Comment 4 for bug 1892405

Hemanth Nakkina (hemanth-n) wrote :

The scenario seems to be caused when a network is connected to multiple DVR routers and when the non-gateway port is detached from the router. dvr-src mac flows are removed for all the VMs in the subnet on all the compute nodes [1].

Steps to reproduce:

1. Create 3 networks (n1, n2, n3) each connected to their internal routers (r1, r2, r3)

openstack network create n1
openstack subnet create --network n1 --dhcp --gateway 192.168.71.1 --subnet-range 192.168.71.0/24 --allocation-pool start=192.168.71.2,end=192.168.71.254 sn1
openstack router create --distributed --ha r1
openstack router add subnet r1 sn1

openstack network create n2
openstack subnet create --network n2 --dhcp --gateway 192.168.72.1 --subnet-range 192.168.72.0/24 --allocation-pool start=192.168.72.2,end=192.168.72.254 sn2
openstack router create --distributed --ha r2
openstack router add subnet r2 sn2

openstack network create n3
openstack subnet create --network n3 --dhcp --gateway 192.168.73.1 --subnet-range 192.168.73.0/24 --allocation-pool start=192.168.73.2,end=192.168.73.254 sn3
openstack router create --distributed --ha r3
openstack router add subnet r3 sn3

2. Connect n1, n2 by adding legs on r2, r1.
   Connect n1, n3 by adding legs on r3, r1.

openstack port create --network n1 to-n2
openstack router add port r2 to-n2
openstack port create --network n2 from-n2
openstack router add port r1 from-n2

openstack port create --network n1 to-n3
openstack router add port r3 to-n3
openstack port create --network n3 from-n3
openstack router add port r1 from-n3

3. Launch 2 VMs each on n1 and n2, let's say vm-n1-01, vm-n2-01
   Update security groups to allow ICMP traffic.
   Ping from vm-n1-01 to vm-n2-01; it should be successful.

4. Detach the leg from n1 to n3 by removing n1 port on r3.

openstack router remove port r3 to-n3

5. Ping from vm-n1-01 to vm-n2-01 fails

   The ICMP echo request reaches vm-n2-01 and the reply is sent back. The ICMP echo reply is received on the source compute node and gets dropped at br-int since there is no dvr-src mac flow.

   Expectation: Removing a port on r3 should not affect traffic between n1 - n2.

The dvr-src mac rules should not be dropped when DVR router port is deleted unless it is the gateway port.

[1] https://opendev.org/openstack/neutron/src/branch/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_dvr_neutron_agent.py#L656-L664
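
The reported and expected behaviours from the comment above, side by side, as an added toy model. It is not Neutron's agent code and not part of the original comment; the class, the port name `r1-gw`, the VM MAC and the leg IPs are constructed for illustration.

```python
"""Toy model of per-subnet dvr-src MAC flows on one compute node (not Neutron code)."""
from dataclasses import dataclass, field


@dataclass
class Subnet:
    name: str
    gateway_ip: str
    vm_macs: set                                       # VMs on this subnet on the node
    router_ports: dict = field(default_factory=dict)   # port name -> fixed IP
    src_mac_flows: set = field(default_factory=set)    # VM MACs that have a flow

    def attach(self, port, ip):
        # Any DVR router port on the subnet ensures the per-VM flows exist.
        self.router_ports[port] = ip
        self.src_mac_flows |= self.vm_macs

    def detach_reported(self, port):
        """Behaviour in the report: removing any DVR port clears every flow."""
        self.router_ports.pop(port)
        self.src_mac_flows.clear()

    def detach_expected(self, port):
        """Expectation in the report: only the gateway port clears the flows."""
        ip = self.router_ports.pop(port)
        if ip == self.gateway_ip:
            self.src_mac_flows.clear()


def reply_delivered(subnet, vm_mac):
    """A routed reply to vm_mac is dropped at br-int when its flow is missing."""
    return vm_mac in subnet.src_mac_flows


def build_sn1():
    sn1 = Subnet("sn1", "192.168.71.1", {"fa:16:3e:00:00:01"})  # constructed MAC
    sn1.attach("r1-gw", "192.168.71.1")    # hypothetical name for r1's gateway port
    sn1.attach("to-n2", "192.168.71.10")   # constructed fixed IPs for the two legs
    sn1.attach("to-n3", "192.168.71.11")
    return sn1


def run(detach, port="to-n3"):
    """Detach one port from sn1, then report whether vm-n1-01 still gets replies."""
    sn1 = build_sn1()
    detach(sn1, port)
    return reply_delivered(sn1, "fa:16:3e:00:00:01")


if __name__ == "__main__":
    print("reported:", run(Subnet.detach_reported))   # reply dropped
    print("expected:", run(Subnet.detach_expected))   # reply delivered
```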