Description
Miguel Angel Ajo 2018-05-07 17:01:43 UTC
Description of problem:
Neutron agent ports are added to br-int without any tag. That makes them trunk ports (receiving traffic for all VLANs) until neutron-openvswitch-agent handles them.
Sometimes the ports are left untagged forever, meaning that, for example, the ha-router ha port will receive traffic directly from the external network (traffic crosses from br-ex to br-int, and also back), or dnsmasq receives requests from the external network.
Outgoing traffic is dropped in br-ex, though.
Vague details here (it's all we have so far):
This also becomes an issue (still under investigation) with the ovs-vswitchd agent and its revalidator thread (the thread that checks the kernel datapath flows): under some circumstances it gets stuck; for some reason it slows down a lot while analyzing trunk ports, eventually crashing the node on CPU usage.
This is also related to a security LP bug here: https://bugs.launchpad.net/bugs/1734320
How reproducible:
100% if neutron-openvswitch-agent is down or broken
Steps to Reproduce:
1. stop neutron-openvswitch-agent
2. create a new router
Actual results:
The network node router ports are inserted into br-int but left untagged (trunk).
Expected results:
Ports are placed on a dead VLAN (4095), which has no connectivity to other ports until they are finally tagged by the agent.
Please note that this VLAN is handled internally by Open vSwitch as a normal VLAN, and traffic could still flow between all local ports on 4095, although this is much less severe.
Additional info:
This also serves as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1558336, where the issue becomes much worse where untagged ports exist in the system.
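The following is an added example, not part of the bug report or of Neutron's own code: a small check that a network-node operator could run to find br-int ports that are still untagged (and therefore trunks), and to print the ovs-vsctl command that parks each one on the dead VLAN 4095 until the agent retags it. It assumes the input is the output of `ovs-vsctl --format=csv --columns=name,tag list Port` (strings JSON-quoted, an unset tag shown as `[]`), and it assumes that only ports named with the usual Neutron prefixes (qr-, qg-, ha-, tap) are agent ports; the sample port list embedded below is constructed, with made-up names.

```shell
#!/bin/sh
# Added example (not from the bug report): report untagged Neutron agent ports
# on br-int and print the command that would move each to the dead VLAN 4095.
#
# Assumed input format: ovs-vsctl --format=csv --columns=name,tag list Port
#   header "name,tag", then one port per line; an unset tag prints as "[]".

# Constructed sample of what ovs-vsctl prints on a network node where the
# agent has not yet tagged the new router ports. Port names are made up.
SAMPLE_PORTS='name,tag
"br-int",[]
"int-br-ex",[]
"qr-1234abcd-00",[]
"ha-9876fedc-11",[]
"qg-5555aaaa-22",4095
"tap0000dead-33",[]
"tapbeefcafe-44",42
"patch-tun",[]'

# Read the csv on stdin and print the names of agent ports with no tag.
# The bridge-internal port and the patch ports toward br-ex/br-tun are
# untagged by design, so only qr-/qg-/ha-/tap ports are considered.
find_untagged_ports() {
    sed '1d' | while IFS=, read -r name tag; do
        name=${name#\"}; name=${name%\"}          # strip JSON quotes
        case "$name" in
            qr-*|qg-*|ha-*|tap*) ;;
            *) continue ;;                        # not a Neutron agent port
        esac
        if [ "$tag" = "[]" ] || [ -z "$tag" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Print (do not execute) the command that parks a port on the dead VLAN.
# 4095 is the dead VLAN tag the Neutron OVS agent itself uses.
dead_vlan_cmd() {
    printf 'ovs-vsctl set Port %s tag=4095\n' "$1"
}

# Number of untagged agent ports in the constructed sample.
untagged_count() {
    printf '%s\n' "$SAMPLE_PORTS" | find_untagged_ports | wc -l | tr -d ' '
}

# Demo run over the sample. On a real node replace the sample with:
#   ovs-vsctl --format=csv --columns=name,tag list Port | find_untagged_ports
printf '%s\n' "$SAMPLE_PORTS" | find_untagged_ports | while read -r p; do
    dead_vlan_cmd "$p"
done
```

Parking a port on 4095 is only a mitigation: as the report notes, OVS still switches 4095 like any other VLAN, so ports left there can still talk to each other. The real fix is for the agent to come back and assign the proper local VLAN.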