Assuming the following setup: Bridge br-int datapath_type: netdev Port vmPort tag: 7 Interface vmPort Port gre0 Interface gre0 type: gre Bridge br-ex datapath_type: netdev Port br-ex tag: 2020 Interface br-ex Port phyPort Interface phyPort Both bridges with action NORMAL. IP of br-ex is in the subnet of the remote ip of gre0 so encapsulated packet is routed to the br-ex. Packet received on vmPort. Expected result: 1. Packet enters br-int. 2. vlan 7 pushed to the packet. 3. Packet sent to the gre0 port. 4. GRE header pushed to the packet. 5. Packet routed to br-ex. 6. vlan 2020 pushed to the packet (outer header) 7. Packet [VLAN 2020 | GRE | VLAN 7 | <origingal packet> ] sent to the phyPort. Actual result: Packet is dropped by OVS after the step 5: bridge("br-ex") --------------- 0. priority 0 NORMAL >>>> dropping VLAN 7 tagged packet received on port br-ex configured as VLAN 2020 access port <<<< >> disallowed VLAN VID for this input port, dropping --- The same configuration is working as expected with the kernel datapath, but doesn't with the userspace one. It seems like OVS doesn't clear the vlan metadata after encapsulation while processing output to the native tunnel, so it thinks that the packet is still in vlan 7.
Upstream commit: https://github.com/openvswitch/ovs/commit/c1c8cb8a1885a51b0366e9076d6ec567484017cb
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: openvswitch2.15 security, bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:0687
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days