[ovn] Don't add conntrack entries for Geneve

As Geneve UDP traffic is allowed, there's no reason to create conntrack entries as it may result in a performance hit. This patch is preventing Geneve traffic to be sent to conntrack. Conflicts: deployment/ovn/ovn-controller-container-puppet.yaml Fixed conflict caused by switch from puppet-firewall to tripleo-ansible for firewall rule management. Closes-Bug: #1885551 Change-Id: I1eb6c77ea3cbdfaaa2b2a3fec0e6b8d2a71aae95 Signed-off-by: Daniel Alvarez <dalvarez@redhat.com> (cherry picked from commit a9e95b26bc)
2020-06-29 13:23:20 +02:00 · 2020-06-29 13:23:20 +02:00 · 359e6b0661
parent 2e594de84a
commit 359e6b0661
1 changed files with 14 additions and 0 deletions
--- a/deployment/ovn/ovn-controller-container-puppet.yaml
+++ b/deployment/ovn/ovn-controller-container-puppet.yaml
@ -211,6 +211,20 @@ outputs:
              '119 neutron geneve networks':
                    proto: 'udp'
                    dport: 6081
+              '120 neutron geneve networks no conntrack':
+                    proto:  'udp'
+                    dport:  6081
+                    table:  'raw'
+                    chain:  'OUTPUT'
+                    jump:   'NOTRACK'
+                    action: 'append'
+              '121 neutron geneve networks no conntrack':
+                    proto:  'udp'
+                    dport:  6081
+                    table:  'raw'
+                    chain:  'PREROUTING'
+                    jump:   'NOTRACK'
+                    action: 'append'
          - if:
              - force_config_drive
              - nova::compute::force_config_drive: true