Bug 1444368 - openvswitch firewall driver doesn't work properly when two ports on different network on the same compute node have the same mac address
Summary: openvswitch firewall driver doesn't work properly when two ports on different...
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
: 12.0 (Pike)
Assignee: Jakub Libosvar
QA Contact: Roee Agiman
Depends On:
Blocks: 1385338 1452467
TreeView+ depends on / blocked
Reported: 2017-04-21 08:58 UTC by Jakub Libosvar
Modified: 2018-02-05 19:07 UTC (History)
11 users (show)

Fixed In Version: openstack-neutron-11.0.0-0.20170821141644.3441b3f.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-13 21:23:38 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Launchpad 1626010 0 None None None 2017-04-21 08:58:39 UTC
OpenStack gerrit 385085 0 'None' 'MERGED' 'ovsfw: Fix overlapping MAC addresses on integration bridge' 2019-12-06 18:09:39 UTC
Red Hat Bugzilla 1385338 0 high CLOSED [RFE] [Neutron] VLAN aware VMs (Neutron trunk ports) - full support 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Internal Links: 1385338

Description Jakub Libosvar 2017-04-21 08:58:03 UTC
Description of problem:
It seems we have a case where the openvswitch firewall driver and a use of trunks interferes with each other. I tried using the parent's MAC address for a subport. Like this:

 openstack network create net0
 openstack network create net1
 openstack subnet create --network net0 --subnet-range subnet0
 openstack subnet create --network net1 --subnet-range subnet1
 openstack port create --network net0 port0
 parent_mac="$( openstack port show port0 | awk '/ mac_address / { print $4 }' )"
 openstack port create --network net1 --mac-address "$parent_mac" port1
 openstack network trunk create --parent-port port0 --subport port=port1,segmentation-type=vlan,segmentation-id=101 trunk0
 openstack server create --flavor cirros256 --image cirros-0.3.4-x86_64-uec --nic port-id=port0 --key-name key0 --wait vm0

Then all packets are lost on the trunk's parent port:

 $ openstack server show vm0 | egrep addresses.*net0
 | addresses | net0= |
 $ sudo ip netns exec "qdhcp-$( openstack network show net0 | awk '/ id / { print $4 }' )" ping -c3
 WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
 PING ( 56(84) bytes of data.

 --- ping statistics ---
 3 packets transmitted, 0 received, 100% packet loss, time 2016ms

If I change the firewall_driver to noop and redo the same I have connectivity.

If I still have the openvswitch firewall_driver but I don't explicitly set the subport MAC, but let neutron automatically assign one, then again I have connectivity.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Described in description

Actual results:

Expected results:

Additional info:

Comment 1 Assaf Muller 2017-07-07 19:23:29 UTC
The fix was approved upstream but CI never merged for some reason... I just rechecked the patch so that it has the chance to be merged. It should be available in the next downstream OSP 12 puddle.

Comment 4 Alexander Stafeyev 2017-10-15 13:59:30 UTC
Hi Kuba, 

SHould we add icmp allow to the SG in reproduction steps ? 


Comment 7 Jakub Libosvar 2017-10-16 07:56:14 UTC
(In reply to Alexander Stafeyev from comment #4)
> Hi Kuba, 
> SHould we add icmp allow to the SG in reproduction steps ? 
> tnx


Comment 13 Roee Agiman 2017-10-16 11:27:54 UTC
[stack@undercloud-0 ~]$ rpm -qa | grep openstack-neu

Comment 16 errata-xmlrpc 2017-12-13 21:23:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.