Description of problem:
Ping to a router's interface from an instance fails unless a security group rule that allows ICMP is added
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Launch an instance
2. Ping to the router's internal address
Once the dependent ovs bug is merged, the temporary work around needs to be removed and we need to use the new ct_clear action in ODL pipeline.
The fix for 1501418 dosen't help to resolve the router ping issue. The ping reply packets generated is marked -trk in ovs pipeline and gets dropped. The bug 1554233 is raised for the same.
The issue seems to happen only in kernel datapath and not in dpdk. The bug is worked on and probably we will have an update by this week.
The dependent bug on ovs will take some time to be fixed hence a temporary workaround is added. This will try to resubmit the -trk packets once again to the netfilter , which in-turn the accurate state of the packet.
RH Gerrit => https://code.engineering.redhat.com/gerrit/#/c/137266/
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.