From b8a18dc22a8d3b5fa4d5915399feea88d4ceed9f Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Wed, 8 May 2019 14:16:49 +0200
Subject: [PATCH] Add info about nf_conntrack_proto_gre when ovs fw is used

When openvswitch firewall driver is used, it is required to load nf_conntrack_proto_gre kernel module to make GRE tunnels from VM to VM working properly. This patch adds such info in ovs firewall documentation as it should be deployer decision to load or not load this module. This patch also adds sanity check which checks if nf_conntrack_proto_gre module is loaded or not, and can warn user when this module is not loaded. It also adds loading of this kernel module in neutron devstack plugin.

Change-Id: Ic97ca00c804f0a540ee0dc53d9e4e07bf8410869
Closes-Bug: #1828053
---
 devstack/lib/ovs | 6 ++++++
 devstack/plugin.sh | 1 +
 doc/source/admin/config-ovsfwdriver.rst | 18 ++++++++++++++++++
 neutron/cmd/sanity/checks.py | 10 ++++++++++
 neutron/cmd/sanity_check.py | 12 ++++++++++++
 5 files changed, 47 insertions(+)
diff --git a/devstack/lib/ovs b/devstack/lib/ovs
index 337741b1eb7..8b8eac1c7f5 100644
--- a/devstack/lib/ovs
+++ b/devstack/lib/ovs
@@ -210,3 +210,9 @@ function remove_ovs_packages() {
 fi
 done
 }
+
+
+# load_conntrack_gre_module() - loads nf_conntrack_proto_gre kernel module
+function load_conntrack_gre_module() {
+ sudo modprobe nf_conntrack_proto_gre
+}
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 311a9a210ac..8f4ba695b31 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -28,6 +28,7 @@ if [[ "$1" == "stack" ]]; then
 [[ "$Q_BUILD_OVS_FROM_GIT" == "True" ]]; then
 remove_ovs_packages
 compile_ovs True /usr /var
+ load_conntrack_gre_module
 start_new_ovs
 fi
 ;;
diff --git a/doc/source/admin/config-ovsfwdriver.rst b/doc/source/admin/config-ovsfwdriver.rst
index bf8d32f37e9..f61d4abcbff 100644
--- a/doc/source/admin/config-ovsfwdriver.rst
+++ b/doc/source/admin/config-ovsfwdriver.rst
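Review bot: `load_conntrack_gre_module` runs `sudo modprobe nf_conntrack_proto_gre` with no failure handling, and modprobe exits non-zero when the module is not present in the running kernel's module tree; if stack.sh is executing under errexit (likely for devstack, but not visible in this hunk) that single line aborts the whole run instead of leaving the deployer with a warning. A one-line guard keeps the helper best-effort: `sudo modprobe nf_conntrack_proto_gre || echo "WARNING: nf_conntrack_proto_gre could not be loaded; GRE conntrack may be unavailable"`. The function comment could also record why this is a deployer decision, e.g. `# Loading this module changes netfilter behaviour for all GRE flows on the host, not just VM traffic; see doc/source/admin/config-ovsfwdriver.rst`.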
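Review bot: The new `load_conntrack_gre_module` call is placed inside the `[[ "$Q_BUILD_OVS_FROM_GIT" == "True" ]]` branch, so a devstack run that uses the distribution's OVS packages never loads the module, and the commit message's "adds loading of this kernel module in neutron devstack plugin" only holds for from-git builds. Whether the module is needed depends on the firewall driver in use, not on where OVS came from, so the call belongs after the `fi` that closes the build-from-git branch, or behind a check of the firewall driver setting. The enclosing case/if block starts and ends outside the hunk, so the exact placement has to be confirmed against the full file.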
@@ -53,3 +53,21 @@ Enable the native OVS firewall driver
 For more information, see the :doc:`/contributor/internals/openvswitch_firewall` and the `video `_.
+
+Using GRE tunnels inside VMs with OVS firewall driver
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If GRE tunnels from VM to VM are going to be used, the native OVS firewall
+implementation requires ``nf_conntrack_proto_gre`` module to be loaded in
+the kernel on nodes running the Open vSwitch agent.
+It can be loaded with the command:
+
+.. code-block:: console
+
+ # modprobe nf_conntrack_proto_gre
+
+Some Linux distributions have files that can be used to automatically load
+kernel modules at boot time, for example, ``/etc/modules``. Check with your
+distribution for further information.
+
+This isn't necessary to use ``gre`` tunnel network type Neutron.
diff --git a/neutron/cmd/sanity/checks.py b/neutron/cmd/sanity/checks.py
index 0c62035f206..d3c02a95538 100644
--- a/neutron/cmd/sanity/checks.py
+++ b/neutron/cmd/sanity/checks.py
@@ -19,6 +19,7 @@ import tempfile
 import netaddr
 from neutron_lib import constants as n_consts
+from neutron_lib import exceptions
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import uuidutils
@@ -42,6 +43,7 @@ LOG = logging.getLogger(__name__)
 MINIMUM_DNSMASQ_VERSION = 2.67
 DNSMASQ_VERSION_DHCP_RELEASE6 = 2.76
 MINIMUM_DIBBLER_VERSION = '1.0.1'
+CONNTRACK_GRE_MODULE = 'nf_conntrack_proto_gre'
 
 
 def ovs_vxlan_supported(from_ip='192.0.2.1', to_ip='192.0.2.2'):
@@ -485,3 +487,11 @@ def ip_nonlocal_bind():
 finally:
 ip_lib.delete_network_namespace(nsname1)
 return ns1_value == 0
+
+
+def gre_conntrack_supported():
+ cmd = ['modinfo', CONNTRACK_GRE_MODULE]
+ try:
+ return agent_utils.execute(cmd, log_fail_as_error=False)
+ except exceptions.ProcessExecutionError:
+ return False
diff --git a/neutron/cmd/sanity_check.py b/neutron/cmd/sanity_check.py
index 10c8368588a..3bd6fed5586 100644
--- a/neutron/cmd/sanity_check.py
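Review bot: `gre_conntrack_supported` runs `modinfo nf_conntrack_proto_gre`, which only reports that a module file exists in the installed module tree and says nothing about whether it is loaded, so the check is truthy on a host that has the module available but not loaded, while the warning it feeds in `neutron/cmd/sanity_check.py` ("Kernel module %s is not loaded") promises a loaded-state check. The loaded state can be read without a subprocess: a directory under `/sys/module/` exists for every loaded module (and for some built-in ones), so `return os.path.isdir(os.path.join('/sys/module', CONNTRACK_GRE_MODULE))` answers the question the warning actually asks; whether `os` is already imported in checks.py is not visible in these hunks. On kernels where GRE tracking is built in rather than modular, modinfo may also find no file and the current code would warn falsely, which is presumably not intended but depends on the kmod version. The docstring-less function would also benefit from a one-liner stating which of the two conditions (available vs. loaded) it reports, since the two neighbouring sanity checks are each explicit about what they test.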
+++ b/neutron/cmd/sanity_check.py
@@ -220,6 +220,15 @@ def check_ovs_conntrack():
 return result
 
 
+def check_gre_conntrack():
+ result = checks.gre_conntrack_supported()
+ if not result:
+ LOG.warning('Kernel module %s is not loaded. GRE tunnels from '
+ 'VM to VM will not work with OVS firewall driver.',
+ checks.CONNTRACK_GRE_MODULE)
+ return result
+
+
 def check_ebtables():
 result = checks.ebtables_supported()
 if not result:
@@ -323,6 +332,9 @@ OPTS = [
 help=_('Check ovsdb native interface support')),
 BoolOptCallback('ovs_conntrack', check_ovs_conntrack,
 help=_('Check ovs conntrack support')),
+ BoolOptCallback('gre_conntrack', check_gre_conntrack,
+ help=_('Check if conntrack for gre tunnels traffic is '
+ 'supported')),
 BoolOptCallback('ebtables_installed', check_ebtables,
 help=_('Check ebtables installation')),
 BoolOptCallback('keepalived_ipv6_support', check_keepalived_ipv6_support,
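Review bot: `check_gre_conntrack` returns `checks.gre_conntrack_supported()` unchanged, and on the success path that helper returns the captured command output rather than a bool, so the value handed back to the `BoolOptCallback` is a string; `return bool(result)` keeps the contract the option name implies. The option's help text in the OPTS hunk below ("Check if conntrack for gre tunnels traffic is supported") and the warning here ("is not loaded") describe two different conditions, and whichever one the helper ends up testing, both strings should name the same thing so an operator reading `--help` and the log reach the same conclusion. The warning could also say what to do about it, e.g. `'... Load it with "modprobe %s" or make it persistent via your distribution\'s module configuration.'`, since the new docs section already gives that guidance.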