Uploaded image for project: 'netvirt'
  1. netvirt
  2. NETVIRT-430

Ping responder on tenant network and FIP-FIP traffic between vm in same n/w in same compute is not working in stateful SG mode.

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Highest
    • Resolution: Done
    • Affects Version/s: Oxygen, Fluorine
    • Fix Version/s: Fluorine
    • Component/s: General
    • Labels:
    • Environment:

      Operating System: All
      Platform: All

    • External issue ID:
      7545

      Description

      On the tenant network, Netvirt supports ping to router interface address using OVS flows.
      This is achieved by programming the necessary flows [1] in Table21 (FIB_TABLE) to auto-respond to ping.

      However, when using "Stateful SG mode", this feature is broken and ACL service is dropping [2] the packets in Table252.
      This feature works fine in "SG transparent mode", when port-security is disabled on the port (obviously isn't it and when we explicitly add an ACL ingress rule to allow this traffic.

      [1] table=21, n_packets=6, n_bytes=588, priority=42,icmp,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.1,icmp_type=8,icmp_code=0 actions=move:NXM_OF_ETH_SRC[]>NXM_OF_ETH_DST[],set_field:fa:16:3e:87:0b:fc>eth_src,move:NXM_OF_IP_SRC[]>NXM_OF_IP_DST[],set_field:10.0.0.1>ip_src,set_field:0->icmp_type,load:0->NXM_OF_IN_PORT[],resubmit(,21)
      [2] table=252, n_packets=78, n_bytes=7644, priority=50,ct_state=+new+trk actions=drop

        Attachments

          Activity

            People

            Assignee:
            aswins Aswin Suryanarayanan
            Reporter:
            SridharG Sridhar Gaddam
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: