[OVN/OVS] security groups erroneously dropping IGMP/multicast traffic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | New | Undecided | Unassigned |
Bug Description
Trying to use IGMP/multicast on a bionic-ussuri cloud, instances receive the multicast traffic, but the replies back are dropped from the computes.
conntrack shows:
icmp 1 29 src=172.27.18.70 dst=239.0.10.10 type=8 code=0 id=1699 [UNREPLIED] src=239.0.10.10 dst=172.27.18.70 type=0 code=0 id=1699 mark=0 zone=8 use=1
The workaround is to disable port security on all networks attached to the instances, disable port security on all instances, and remove all ports/VMs that have port security enabled and any security groups associated and enabled, even though they are not part of the multicast traffic.
packages:
neutron-common 2:16.2.
neutron-
openvswitch-common 2.13.1-
openvswitch-switch 2.13.1-
ovn-common 20.03.1-
ovn-host 20.03.1-
python3-neutron 2:16.2.
python3-neutron-lib 2.3.0-0ubuntu1~
python3-
python3-openvswitch 2.13.1-
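Added example (not part of the original report and not neutron/OVN code): a small Python triage helper that parses `conntrack -L` output like the entry quoted above and lists UNREPLIED flows whose original destination is a multicast group, together with their conntrack zone. The second sample line is constructed for contrast, and the function names are hypothetical.

```python
import ipaddress

# First line is the entry quoted in the report; the second is a
# constructed unicast entry that was answered, for contrast.
SAMPLE = """\
icmp 1 29 src=172.27.18.70 dst=239.0.10.10 type=8 code=0 id=1699 [UNREPLIED] src=239.0.10.10 dst=172.27.18.70 type=0 code=0 id=1699 mark=0 zone=8 use=1
icmp 1 29 src=172.27.18.70 dst=172.27.18.71 type=8 code=0 id=1700 src=172.27.18.71 dst=172.27.18.70 type=0 code=0 id=1700 mark=0 zone=8 use=1
"""

META_KEYS = {"mark", "zone", "use", "secctx"}


def parse_entry(line):
    """Split one conntrack line into flags, original tuple, reply tuple, metadata."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    entry = {"proto": tokens[0], "flags": set(), "orig": {}, "reply": {}, "meta": {}}
    side = "orig"
    for tok in tokens[3:]:  # skip protocol name, protocol number, timeout
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok[1:-1])
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            continue  # bare word, e.g. a TCP state such as ESTABLISHED
        if key in META_KEYS:
            entry["meta"][key] = value
            continue
        if key == "src" and "src" in entry["orig"]:
            side = "reply"  # the second src= starts the expected reply tuple
        entry[side][key] = value
    return entry


def unreplied_multicast(text):
    """Return (proto, src, group, zone) for UNREPLIED flows sent to a multicast group."""
    hits = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if not entry or "UNREPLIED" not in entry["flags"]:
            continue
        try:
            dst = ipaddress.ip_address(entry["orig"].get("dst", ""))
        except ValueError:
            continue
        if dst.is_multicast:
            hits.append((entry["proto"], entry["orig"].get("src"), str(dst), entry["meta"].get("zone")))
    return hits
```
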
summary:
- [OVN/OVS] security groups wrongly dropping IGMP/multicast traffic
+ [OVN/OVS] security groups erroneously dropping IGMP/multicast traffic
Hi Diko,
Enabling UDP traffic does not work?
$ openstack security group rule create --protocol udp --ingress <SG>
$ openstack security group rule create --protocol udp --egress <SG>