Right now every TCP connection made by an OpenStack VM that requires tunnelling will create a UDP conntrack entry. This has no benefit, and the core OVN team has identified a performance hit estimated at roughly 10% in throughput (it varies depending on the number of simultaneous TCP connections that require tunnelling). A possible solution to this issue is adding iptables rules in the overcloud nodes to avoid tracking Geneve traffic:

iptables -t raw -A PREROUTING -p udp --dport 6081 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --dport 6081 -j NOTRACK
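The following is an added example, not code from the bug report or from tripleo-heat-templates: a small idempotent script that installs the two raw-table NOTRACK rules quoted above and then counts the Geneve conntrack entries so an operator can confirm the rules are taking effect. The function names, the DRY_RUN/GENEVE_PORT variables and the "apply" argument are my own conventions; it assumes an iptables binary that supports the -C (check) option, root privileges when actually applying, and a readable /proc/net/nf_conntrack for the verification step.

```shell
#!/bin/sh
# Added example (not from the bug thread): idempotently install the raw-table
# NOTRACK rules from the report so Geneve tunnel packets (UDP/6081) never
# create conntrack entries, then show how to verify the effect.
set -eu

GENEVE_PORT="${GENEVE_PORT:-6081}"   # IANA-assigned Geneve port, as used in the report
DRY_RUN="${DRY_RUN:-1}"              # default: only print commands; pass "apply" to change rules

# Match-and-target part of the rule, shared by the check (-C) and append (-A) forms.
geneve_rule_spec() {
  printf -- '-p udp --dport %s -j NOTRACK' "$GENEVE_PORT"
}

# Full iptables command line for a given chain and action (-A, -C or -D),
# useful for logging and for a dry run.
geneve_rule_cmd() {
  chain="$1"; action="$2"
  printf 'iptables -t raw %s %s %s' "$action" "$chain" "$(geneve_rule_spec)"
}

# Run or merely print a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "dry-run: $*"
  else
    "$@"
  fi
}

# Add the NOTRACK rule to a raw-table chain only if it is not already there,
# so re-running the script (e.g. from a config-management agent) never duplicates it.
ensure_notrack_rule() {
  chain="$1"
  if [ "$DRY_RUN" != "1" ] && iptables -t raw -C "$chain" $(geneve_rule_spec) 2>/dev/null; then
    echo "raw/$chain: Geneve NOTRACK rule already present"
  else
    run iptables -t raw -A "$chain" $(geneve_rule_spec)
  fi
}

# Number of conntrack entries for Geneve traffic. Once the NOTRACK rules are in
# place and pre-existing entries have timed out, this should stay at zero.
count_geneve_conntrack() {
  if [ -r /proc/net/nf_conntrack ]; then
    grep -c "udp .*dport=$GENEVE_PORT " /proc/net/nf_conntrack || true
  else
    echo "n/a (nf_conntrack not readable here)"
  fi
}

main() {
  if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
  fi
  for chain in PREROUTING OUTPUT; do
    ensure_notrack_rule "$chain"
  done
  echo "Geneve conntrack entries now: $(count_geneve_conntrack)"
}

main "$@"
```

Run it with no arguments to see the exact iptables commands it would issue, and with `apply` (as root) to install them. The rules live in the raw table on purpose: that table is traversed before connection tracking runs, which is also why, as the last comment in this thread observes, a rule generated with a NEW state match does not fire there (conntrack has not seen the packet yet, so a state match classifies it as INVALID).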
The following commit (upstream https://review.opendev.org/c/openstack/tripleo-heat-templates/+/738419) is in branches rhos-17.0-rhel-9-trunk and rhos-17.0-rhel-8-trunk in pkgs.devel.redhat.com/rpms/openstack-tripleo-heat-templates:

commit 51e433265b7118d016a3ccba99d00a6896a982a5
Author: OSP Prod Chain <dev-null>
Date:   Sat Aug 15 14:17:27 2020 -0400

    openstack-tripleo-heat-templates-XXX-XXX

    Changelog:
    - Update patches
    - [ovn] Don't add conntrack entries for Geneve

I couldn't find the corresponding commits in rhos-16.0-rhel-8-trunk, rhos-16.1-rhel-8-trunk or remotes/origin/rhos-16.2-rhel-8-trunk. So, I'm backporting https://review.opendev.org/c/openstack/tripleo-heat-templates/+/738419 to these branches.
Cherry picked to stable/Train branch upstream: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/848907
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8796
It seems the rules have state NEW, so they didn't match the traffic. I added the code upstream [1] to match it with the state INVALID.

[1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/868743