Bug 2179577 - With port-security disabled, all ingress traffic is flooded across all br-int ports
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 16.1 (Train)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Assignee: Jakub Libosvar
QA Contact: Eran Kuris
Reported: 2023-03-18 19:48 UTC by David Hill
Modified: 2023-04-14 20:43 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-23221 0 None None None 2023-03-18 19:49:58 UTC

Description David Hill 2023-03-18 19:48:08 UTC
Description of problem:
With port-security disabled, all ingress traffic is flooded across all br-int ports. In this case, one guest has port-security disabled and when tcpdumping that port's tap, we see traffic destined to another VM hosted on the same compute. It looks like there's no MAC learning at all for this port.

We might be hitting those issues here:
https://bugs.launchpad.net/neutron/+bug/1732067
https://bugs.launchpad.net/neutron/+bug/1945306
https://bugs.launchpad.net/neutron/+bug/1866445
https://bugs.launchpad.net/neutron/+bug/1883321

Version-Release number of selected component (if applicable):
16.1.3

How reproducible:
Always

Steps to Reproduce:
1. Disable port security on a port

Actual results:
br-int ports are flooded with all ingress packets

Expected results:
MAC learning all the way.

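A check for the symptom described in this report, as an added example that is not part of the original bug or of Neutron/OVS code: it reads `tcpdump -e -n` lines captured on a port's tap and counts unicast frames addressed to some other MAC. The MAC addresses, IPs and sample capture lines are constructed, and the function names are hypothetical.

```python
import re

# tcpdump -e -n prints the link-level header as "<src> > <dst>, ethertype ..."
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(rf"(?P<src>{MAC}) > (?P<dst>{MAC}), ethertype", re.IGNORECASE)

def classify(dst_mac, port_mac):
    """Classify a frame seen on a tap by its destination MAC."""
    dst = dst_mac.lower()
    if dst == port_mac.lower():
        return "own"
    # I/G bit (lowest bit of the first octet) set means broadcast or
    # multicast, which a learning switch floods legitimately.
    if int(dst.split(":")[0], 16) & 1:
        return "group"
    return "foreign_unicast"

def foreign_unicast(lines, port_mac):
    """Return {dst_mac: frame_count} for unicast frames not meant for port_mac."""
    hits = {}
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            continue  # not a frame line (e.g. tcpdump banner)
        if m.group("src").lower() == port_mac.lower():
            continue  # sent by the guest itself, not flooded ingress
        if classify(m.group("dst"), port_mac) == "foreign_unicast":
            dst = m.group("dst").lower()
            hits[dst] = hits.get(dst, 0) + 1
    return hits

# Constructed sample: tap of the guest that owns PORT_MAC (assumed values).
PORT_MAC = "fa:16:3e:aa:aa:aa"
SAMPLE = [
    "listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes",
    "19:50:01.000001 fa:16:3e:cc:cc:cc > fa:16:3e:aa:aa:aa, ethertype IPv4 (0x0800), length 98: 192.0.2.30 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64",
    "19:50:01.000150 fa:16:3e:aa:aa:aa > fa:16:3e:cc:cc:cc, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 192.0.2.30: ICMP echo reply, id 7, seq 1, length 64",
    "19:50:02.000001 fa:16:3e:cc:cc:cc > fa:16:3e:bb:bb:bb, ethertype IPv4 (0x0800), length 98: 192.0.2.30 > 192.0.2.20: ICMP echo request, id 8, seq 1, length 64",
    "19:50:03.000001 fa:16:3e:cc:cc:cc > fa:16:3e:bb:bb:bb, ethertype IPv4 (0x0800), length 98: 192.0.2.30 > 192.0.2.20: ICMP echo request, id 8, seq 2, length 64",
    "19:50:04.000001 fa:16:3e:cc:cc:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.20 tell 192.0.2.30, length 28",
]

if __name__ == "__main__":
    for mac, count in foreign_unicast(SAMPLE, PORT_MAC).items():
        print(f"{count} unicast frame(s) for {mac} seen on tap of {PORT_MAC}")
```

The check assumes the guest behind the tap answers only for its own port MAC; a guest that bridges or routes for other MACs will receive foreign unicast by design.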