IPVS setup fails with openvswitch firewall driver, works with iptables_hybrid

Can You described in more details why it stopped working? On https://cloudbau.github.io/openstack/loadbalancing/networking/ipvs/2017/03/20/ipvs-direct-routing-on-top-of-openstack.html I see that port_security has to be disabled for ipvs-loadbalancer, was it like that for ports when openvswitch fw driver was used? Where exactly traffic was dropped?

@Slawek: That is actually a good question, that article was written against a linuxbridging setup. For our OVS deployment, we did not have port_security disabled, just added the VIP to allowed_address_pair on the LB and the servers.

tcpdump shows that the initial SYN/ACK handshake is completed successfully, but the first data packet is dropped on the way from the client to the LB. So this sounds similar to the appendix in the blog post, as it would match the firewall on the LB still having the connection in half-open tracking state.

The question now is whether this is the expected behaviour that iptables_hybrid firewalling is stateless while openvswitch native fw is stateful?

Or is it maybe even a bug (security issue?) that this setup works with iptables_hybrid and we should expect to get broken by an upcoming fix there?

If the mode was DR (direct routing), the LVS server and real server may have some config in different.
The LVS server (frontend) should disable the security group and port_security.
The real server (backend) should add allowed address pair with VIP, and set this VIP to the lo device.