Comment 46 for bug 1815989

the issue is not related to the firewall used but rather a side effect of which firewall is enabel if any.

sepcific the iptables one set hybrid_plug=true and the rest set it to false.

when hybrid_plug=false libvirt plugs the tap into ovs causeing a race.
this will also happen if you disable security groups

anytime you use hybrid_plug=false the race happens.

most people dont know what hybrid plug is and do not disable security groups so i was just using the firewall driver as a proxy to not need to go in to that level of detail

https://www.rdoproject.org/networking/networking-in-too-much-detail/ describs what hybrid plug is in detial but its basically where we add intermediate linux bridges and veth pairs.

in that config we wait for neutron to finish wireing up the port fully before we start the live migration at the libvirt level and libvirt just add the vm tap to the linux bridge

with hybred_plug=false libvirt adds the tap directly to ovs just before it unpauses the vm and the vm start races with the neturon l2 agent or sdn contoler configuring the ovs bridge.