Clear skb mark on encapsulating packets

Looks like by default OVS tunnels inherit skb marks from tunneled packets. As a result Neutron IPTables marks set in qrouter namespace are inherited by VXLAN encapsulating packets. These marks may conflict with marks used by underlying networking (like Calico) and lead to VXLAN tunneled packets being dropped. This patch ensures that skb marks are cleared by OVS before entering a tunnel to avoid conflicts with IPTables rules in default namespace. Closes-Bug: #1839252 Change-Id: Id029be51bffe4188dd7f2155db16b21d19da1698 (cherry picked from commit 7627735252)
2019-08-07 12:14:18 +04:00 · 2019-08-07 12:14:18 +04:00 · 9f6d8c383f
parent 2e15b18679
commit 9f6d8c383f
1 changed files with 1 additions and 0 deletions
--- a/neutron/agent/common/ovs_lib.py
+++ b/neutron/agent/common/ovs_lib.py
@ -508,6 +508,7 @@ class OVSBridge(BaseOVS):
        options['local_ip'] = local_ip
        options['in_key'] = 'flow'
        options['out_key'] = 'flow'
+        options['egress_pkt_mark'] = '0'
        if tunnel_csum:
            options['csum'] = str(tunnel_csum).lower()
        if tos: