Bug 2179577

Summary: With port-security disabled, all ingress traffic is flooded across all br-int ports
Product: Red Hat OpenStack
Reporter: David Hill <dhill>
Component: openstack-neutron
Assignee: Jakub Libosvar <jlibosva>
Status: NEW
QA Contact: Eran Kuris <ekuris>
Severity: high
Priority: high
Version: 16.1 (Train)
CC: astupnik, averdagu, chrisw, dhill, jlibosva, scohen
Hardware: x86_64
OS: Linux
Type: Bug

Description David Hill 2023-03-18 19:48:08 UTC
Description of problem:
With port-security disabled, all ingress traffic is flooded across all br-int ports. In this case, one guest has port-security disabled and when tcpdumping that port's tap, we see traffic destined to another VM hosted on the same compute. It looks like there's no MAC learning at all for this port.

We might be hitting those issues here:
https://bugs.launchpad.net/neutron/+bug/1732067
https://bugs.launchpad.net/neutron/+bug/1945306
https://bugs.launchpad.net/neutron/+bug/1866445
https://bugs.launchpad.net/neutron/+bug/1883321

Version-Release number of selected component (if applicable):
16.1.3

How reproducible:
Always

Steps to Reproduce:
1. Disable port security on a port

Actual results:
br-int ports are flooded with all ingress packets

Expected results:
MAC learning all the way.

Additional info:
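
An added example, not part of the original report: one way to confirm the symptom described above from a capture taken on the affected port's tap with `tcpdump -e -n`, by counting unicast frames that are neither to nor from that port's MAC. The MAC addresses, IPs and capture lines below are constructed sample data.

```python
import re
from collections import Counter

# Link-level header printed by `tcpdump -e -n`: "<ts> <src> > <dst>, ethertype ..."
FRAME_RE = re.compile(
    r"^\S+\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),", re.IGNORECASE)


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (LSB of first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def foreign_unicast(lines, port_mac):
    """Count unicast frames seen on a tap that are neither to nor from port_mac."""
    port_mac = port_mac.lower()
    hits = Counter()
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # not a frame header line (e.g. hex dump continuation)
        src, dst = m["src"].lower(), m["dst"].lower()
        if is_group_address(dst):
            continue  # broadcast/multicast is legitimately delivered to every port
        if port_mac in (src, dst):
            continue  # the port's own ingress or egress traffic
        hits[(src, dst)] += 1  # unicast for another MAC reached this tap
    return hits


# Constructed capture from the tap of a port whose MAC is fa:16:3e:00:00:0a.
SAMPLE = """\
19:48:01.000001 fa:16:3e:00:00:0b > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.12 tell 10.0.0.11, length 28
19:48:01.000102 fa:16:3e:00:00:0c > fa:16:3e:00:00:0a, ethertype IPv4 (0x0800), length 98: 10.0.0.12 > 10.0.0.10: ICMP echo request, id 1, seq 1, length 64
19:48:01.000203 fa:16:3e:00:00:0a > fa:16:3e:00:00:0c, ethertype IPv4 (0x0800), length 98: 10.0.0.10 > 10.0.0.12: ICMP echo reply, id 1, seq 1, length 64
19:48:01.000304 fa:16:3e:00:00:0c > fa:16:3e:00:00:0b, ethertype IPv4 (0x0800), length 74: 10.0.0.12.40522 > 10.0.0.11.22: Flags [S], seq 1, win 64240, length 0
19:48:01.000405 fa:16:3e:00:00:0c > fa:16:3e:00:00:0b, ethertype IPv4 (0x0800), length 66: 10.0.0.12.40522 > 10.0.0.11.22: Flags [.], ack 1, win 502, length 0
19:48:01.000506 fa:16:3e:00:00:0d > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 54: 10.0.0.13 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, length 20
"""

if __name__ == "__main__":
    for (src, dst), count in foreign_unicast(SAMPLE.splitlines(), "fa:16:3e:00:00:0a").items():
        print(f"{count} unicast frame(s) {src} -> {dst} delivered to a port that owns neither MAC")
```

A handful of such frames can appear on any learning switch before a destination MAC is learned; a count that keeps growing for an established flow matches the flooding described in this report.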