Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2049431

Summary: Traffic is dropped on ports if network has port security disabled
Product: Red Hat OpenStack
Reporter: Jaganathan Palanisamy <jpalanis>
Component: python-networking-ovn
Assignee: Jakub Libosvar <jlibosva>
Status: CLOSED DEFERRED
QA Contact: Alex Katz <akatz>
Severity: high
Docs Contact:
Priority: high
Version: 16.2 (Train)
CC: akatz, apevec, broose, chrisw, dalvarez, egarciar, hakhande, jlibosva, lhh, majopela, scohen, supadhya, vchundur, vkhitrin
Target Milestone: z4
Keywords: Triaged
Target Release: 16.2 (Train on RHEL 8.4)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: python-networking-ovn-7.4.2-2.20220409154863.el8ost
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2090502 2145138
Environment:
Last Closed: 2022-11-23 10:27:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2090502, 2145138

Description Jaganathan Palanisamy 2022-02-02 09:24:41 UTC
Description of problem:

Floating IP assignment persisted, but connectivity to the geneve tunnel interface (direct) was unsuccessful. We needed to assign a security group with an ICMP allow rule to the geneve port, and connectivity was restored. However, offloading the traffic failed, as we see packets on the representor port via tcpdump.
For data traffic the behavior was the same, and we needed to assign a security group with an ICMP allow rule to the vlan port, and connectivity was restored. However, offloading the traffic failed, as we see packets on the representor port via tcpdump.

Before migration, there were no security groups assigned to either the vlan or the vxlan direct ports. We validated the connectivity, and traffic was offloaded for both ports, so we expect the same behavior after migration as well.

We have two issues here:
1. Why do we need to attach a security group to make it work?
2. Why were flows not offloaded?

We removed the security group again from the vlan port; connectivity was successful and offloading was successful.

We removed the security group again from the vxlan port; connectivity was successful and offloading was unsuccessful.



Version-Release number of selected component (if applicable):
Linux kernel: 4.18.0-305.28.1.el8_4.x86_64
RHEL 8.4
openvswitch2.15-2.15.0-38.el8fdp.x86_64
ovn-2021-21.09.0-20.el8fdp.x86_64

How reproducible:

Always


Steps to Reproduce:
1. Deploy ml2-ovs hw-offload.
2. Verify vlan and vxlan connectivity and offloading of the traffic.
3. Start the OVN migration.
4. Verify step 2 again and it fails.

Actual results:
vlan and vxlan connectivity and offloading of the traffic were unsuccessful.

Expected results:
vlan and vxlan connectivity and offloading of the traffic should be successful after a successful OVN migration.

Additional info:

Comment 2 Elvira 2022-02-15 14:18:04 UTC
Hi Haresh,
Could we get an environment with hw-offload to reproduce and fix this? Further talk into the problem would be appreciated too.

Comment 16 Vadim Khitrin 2022-11-23 10:27:40 UTC
Deferring in favor of BZ#2145138.