Bug 2060552

Summary: Userspace datapath drops the encapsulated packet with inner vlan if sent to the access port
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Ilya Maximets <i.maximets>
Component: openvswitch2.15
Assignee: Open vSwitch development team <ovs-team>
Status: CLOSED ERRATA
QA Contact: Hekai Wang <hewang>
Severity: unspecified
Priority: unspecified
Version: FDP 22.A
CC: ctrautma, hewang, jhsiao, ralongi, tredaelli
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openvswitch2.13-2.13.0-178.el8fdp, openvswitch2.15-2.15.0-97.el8fdp, openvswitch2.15-2.15.0-54.el9fdp, openvswitch2.16-2.16.0-72.el8fdp, openvswitch2.16-2.16.0-56.el9fdp, openvswitch2.17-2.17.0-13.el8fdp
Last Closed: 2023-02-09 00:27:40 UTC
Type: Bug

Description Ilya Maximets 2022-03-03 18:40:22 UTC
Assuming the following setup:

    Bridge br-int
        datapath_type: netdev
        Port vmPort
            tag: 7
            Interface vmPort
        Port gre0
            Interface gre0
                type: gre
            
    Bridge br-ex
        datapath_type: netdev
        Port br-ex
            tag: 2020
            Interface br-ex
        Port phyPort
            Interface phyPort

Both bridges with action NORMAL.

The IP of br-ex is in the subnet of the remote IP of gre0, so the encapsulated
packet is routed to br-ex.

Packet received on vmPort.

Expected result:

1. Packet enters br-int.
2. vlan 7 pushed to the packet.
3. Packet sent to the gre0 port.
4. GRE header pushed to the packet.
5. Packet routed to br-ex.
6. vlan 2020 pushed to the packet (outer header)
7. Packet [VLAN 2020 | GRE | VLAN 7 | <original packet> ] sent to the phyPort.

Actual result:

Packet is dropped by OVS after step 5:

    bridge("br-ex")
    ---------------
         0. priority 0
            NORMAL
             >>>> dropping VLAN 7 tagged packet received on port br-ex configured as VLAN 2020 access port <<<<
             >> disallowed VLAN VID for this input port, dropping

---

The same configuration is working as expected with the kernel datapath, but
doesn't with the userspace one.  It seems like OVS doesn't clear the vlan
metadata after encapsulation while processing output to the native tunnel,
so it thinks that the packet is still in vlan 7.
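
The failure described above, reduced to a small model (an added example, not part of the original report and not Open vSwitch code). It assumes a simplified NORMAL action in which an access port drops any packet whose metadata already carries a VLAN; the struct and function names are hypothetical.

```c
/* Simplified model, not Open vSwitch source; all names are hypothetical. */
#include <stdio.h>
#include <string.h>
struct model_pkt {
    char frame[96]; /* header stack as text, outermost first */
    int meta_vid;   /* VLAN the switch believes the packet is in; 0 = none */
};

static void push_hdr(struct model_pkt *p, const char *hdr)
{
    char tmp[96];
    snprintf(tmp, sizeof tmp, "%s | %s", hdr, p->frame);
    memcpy(p->frame, tmp, sizeof p->frame);
}

/* NORMAL, access port in, untagged trunk port out: drop if the metadata
 * already carries a VLAN, else join the port VLAN and tag on output. */
static int access_to_trunk(struct model_pkt *p, int tag)
{
    char hdr[16];
    if (p->meta_vid != 0)
        return 0;
    p->meta_vid = tag;
    snprintf(hdr, sizeof hdr, "VLAN %d", tag);
    push_hdr(p, hdr);
    return 1;
}

/* Steps 1-7 of the report; clear_meta resets the VLAN metadata after GRE
 * encapsulation. Returns 1 (p->frame = frame on phyPort) or 0 (dropped). */
static int run_pipeline(struct model_pkt *p, int clear_meta)
{
    strcpy(p->frame, "payload");
    p->meta_vid = 0;
    if (!access_to_trunk(p, 7))      /* vmPort (tag 7) -> gre0 */
        return 0;
    push_hdr(p, "GRE");              /* native tunnel output */
    if (clear_meta)
        p->meta_vid = 0;
    return access_to_trunk(p, 2020); /* br-ex (tag 2020) -> phyPort */
}

int main(void)
{
    struct model_pkt p;
    for (int clear = 0; clear <= 1; clear++)
        printf("clear_meta=%d: %s\n", clear, run_pipeline(&p, clear) ? p.frame : "dropped");
    return 0;
}
```

With `clear_meta` set to 0 the model reproduces the drop at br-ex; with 1 it yields the frame listed in step 7 of the expected result.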

Comment 12 errata-xmlrpc 2023-02-09 00:27:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: openvswitch2.15 security, bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0687

Comment 13 Red Hat Bugzilla 2023-09-18 04:33:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days