[Bug 1044318] Re: [SRU] pre-1.5 OVS has trouble with floating ips when pinging from the same box

Wed Sep 26 03:14:00 UTC 2012

Hello dan, or anyone else affected,

Accepted openvswitch into precise-proposed. The package will build now
and be available at
http://launchpad.net/ubuntu/+source/openvswitch/1.4.0-1ubuntu1.3 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from
verification-needed to verification-done.  If it does not, change the
tag to verification-failed.  In either case, details of your testing
will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: openvswitch (Ubuntu Precise)
       Status: Triaged => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1044318

Title:
  [SRU] pre-1.5 OVS has trouble with floating ips when pinging from the
  same box

Status in “openvswitch” package in Ubuntu:
  Fix Released
Status in “openvswitch” source package in Precise:
  Fix Committed

Bug description:
  [Impact]
  The connection tracking logic using by IPtables gets confused if a packet passes through multiple linux network namespaces on the same host. The reason for this confusion is that OVS is not properly clearing some of the fields in the skb header, meaning the connection tracking ignores this packet, so iptables functionality that relies on this (in particular DNAT and SNAT) do not work.

  In particular, the use of OVS by OpenStack Quantum is critically
  affected by this bug.

  [Fix]
  The issue has been fixed upstream as of 1.4.3. A minimal 5-liner that clears the appropriate metadata from the skb header.   The patch has been cherry-picked and fix released in the current Ubuntu dev. release (12.10).

  [Test Case]
  1. Create external network 40.0.0.0/24 for floating IPs
  2. Assign br-ex the IP 40.0.0.1
  3. Pinging 40.0.0.1 appears to work, but you're pinging the router, not the VM
  4. Network connectivity to the VM with the floating IP does not work, as expected.

  [Regression Potential]
  Minimal.  Simple patch that has been cherry-picked from the current upstream stable release of Openvswitch (1.4.3).

  [Original Report]
  Note: OVS from before 1.5, which includes the default versions shipped with 12.04 and Fedora 17, has a bug that causes it not to work correctly with floating IPs when the person contacting the floating IP is on the same box as quantum-l3-agent.

  While not very likely to happen in a production setup, this is fairly
  common in simple development environments.  For example, let's say you
  create an external network 40.0.0.0/24 for floating IPs.  If you then
  assign br-ex the IP 40.0.0.1, you should be able to reach all of your
  VMs with floating IPs, but it won't work because of this bug.  Oddly,
  it will often appear to work if you use ping, but in reality you are
  pinging the IP address in the router namespace, not the VM.

  We believe the following OVS commit it required for this to work
  properly:

  http://openvswitch.org/cgi-
  bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=53e6421bc83918ac2d00ba5516f205fa7e394140

  We are looking at creating a new stable release on the 1.4.x branch to
  include this change and plan to work with distros to get it pulled
  into their packages.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/1044318/+subscriptions