For the love of Pete, why does br-ex have a drop flow?!!

asked 2016-06-09 14:46:02 -0600

eyeofthebeholder

Nothing seems to be able to get through br-ex... When I try to ping something external from the instance, traffic gets through the DVR router, which sends traffic to the SNAT namespace, which, to be able to forward traffic externally, needs to populate its next-hop ARP entry, so it sends out an ARP request... That ARP request makes it to the br-ex bridge, which, according to the flows on that bridge, simply drops the ARP request (see flows below...)

    ovs-ofctl dump-flows br-ex
    NXST_FLOW reply (xid=0x4):
     cookie=0x9aed292defb23897, duration=4247.101s, table=0, n_packets=2719, n_bytes=141881, idle_age=0, priority=2,in_port=1 actions=resubmit(,1)
     cookie=0x9aed292defb23897, duration=4248.055s, table=0, n_packets=0, n_bytes=0, idle_age=4248, priority=0 actions=NORMAL
     cookie=0x9aed292defb23897, duration=4247.066s, table=0, n_packets=297239, n_bytes=12534954, idle_age=0, priority=1 actions=resubmit(,3)
     cookie=0x9aed292defb23897, duration=4247.033s, table=1, n_packets=2719, n_bytes=141881, idle_age=0, priority=0 actions=resubmit(,2)
     cookie=0x9aed292defb23897, duration=4247.004s, table=2, n_packets=2719, n_bytes=141881, idle_age=0, priority=2,in_port=1 actions=drop

I can (and have) manually added flows with higher priorities, to allow the arp traffic out, but manual isn't the right solution...

WHY!!!!! Why are these flows here? Any help would be greatly appreciated!

answered 2016-06-09 17:50:10 -0600

eyeofthebeholder

Ok, found my issue... I didn't realize bridge_mappings needed to map to the actual name of an external network!

answered 2016-07-05 22:16:35 -0600

james-denton

Nice work. With OVS, bridge_mappings must contain mappings of network labels (i.e. physnet1) to actual bridge names. In your case, br-ex. With that information, any time you have a provider network whose provider:physical_network attribute is 'physnet1', the OVS agent will create the appropriate flows on the br-int and br-ex bridges. The nice thing about the mapping is the bridge itself can change if needed. The Neutron networks only refer to the label, so if you change the mapping and restart Neutron services/agents, the flows should land on the respective bridge.
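
The label-to-bridge relationship described in the answer above can be checked offline. The following is an added example, not part of the original thread or of Neutron's own code: it parses the `[ovs]` `bridge_mappings` option, lists networks whose provider:physical_network label has no mapping on the agent, and picks out drop flows that are actually matching packets. The agent config text and the network names are constructed sample data; the two flow lines are copied from the question.

```python
import configparser
import re

# Constructed sample agent config: the label "physnet1" is missing on purpose.
AGENT_INI = "[ovs]\nbridge_mappings = external:br-ex,physnet2:br-vlan\n"
# Constructed: network name -> its provider:physical_network label.
NETWORKS = {"public": "physnet1", "vlan-tenant": "physnet2"}
# Two flows copied from the dump in the question.
FLOW_DUMP = """\
 cookie=0x9aed292defb23897, duration=4248.055s, table=0, n_packets=0, n_bytes=0, idle_age=4248, priority=0 actions=NORMAL
 cookie=0x9aed292defb23897, duration=4247.004s, table=2, n_packets=2719, n_bytes=141881, idle_age=0, priority=2,in_port=1 actions=drop
"""


def parse_bridge_mappings(ini_text):
    """Return {physnet_label: bridge} from the [ovs] bridge_mappings option."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(ini_text)
    raw = cfg.get("ovs", "bridge_mappings", fallback="")
    mappings = {}
    for pair in filter(None, (p.strip() for p in raw.split(","))):
        label, sep, bridge = pair.partition(":")
        if not sep or not label.strip() or not bridge.strip():
            raise ValueError(f"malformed bridge_mappings entry: {pair!r}")
        mappings[label.strip()] = bridge.strip()
    return mappings


def unmapped_networks(mappings, networks):
    """Names of networks whose label has no bridge mapping on this agent."""
    return sorted(n for n, label in networks.items() if label not in mappings)


def active_drop_flows(dump):
    """(table, priority_and_match, n_packets) for drop flows with hits."""
    pat = re.compile(r"table=(\d+), n_packets=(\d+),.*?priority=(\S+) actions=drop\s*$")
    hits = []
    for line in dump.splitlines():
        m = pat.search(line)
        if m and int(m.group(2)) > 0:
            hits.append((int(m.group(1)), m.group(3), int(m.group(2))))
    return hits


if __name__ == "__main__":
    maps = parse_bridge_mappings(AGENT_INI)
    print("networks with no bridge mapping:", unmapped_networks(maps, NETWORKS))
    print("drop flows matching traffic:", active_drop_flows(FLOW_DUMP))
```
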

Last updated: Jul 05 '16