From 359e6b066115c43853af8e9ac2399c5e49118480 Mon Sep 17 00:00:00 2001 From: Daniel Alvarez Date: Mon, 29 Jun 2020 13:23:20 +0200 Subject: [PATCH] [ovn] Don't add conntrack entries for Geneve As Geneve UDP traffic is allowed, there's no reason to create conntrack entries as it may result in a performance hit. This patch is preventing Geneve traffic to be sent to conntrack. Conflicts: deployment/ovn/ovn-controller-container-puppet.yaml Fixed conflict caused by switch from puppet-firewall to tripleo-ansible for firewall rule management. Closes-Bug: #1885551 Change-Id: I1eb6c77ea3cbdfaaa2b2a3fec0e6b8d2a71aae95 Signed-off-by: Daniel Alvarez (cherry picked from commit a9e95b26bc87c35f8efe54243fee8dcb4089f9b2) --- .../ovn/ovn-controller-container-puppet.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index 6d517bd089..58d3432989 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml @@ -211,6 +211,20 @@ outputs: '119 neutron geneve networks': proto: 'udp' dport: 6081 + '120 neutron geneve networks no conntrack': + proto: 'udp' + dport: 6081 + table: 'raw' + chain: 'OUTPUT' + jump: 'NOTRACK' + action: 'append' + '121 neutron geneve networks no conntrack': + proto: 'udp' + dport: 6081 + table: 'raw' + chain: 'PREROUTING' + jump: 'NOTRACK' + action: 'append' - if: - force_config_drive - nova::compute::force_config_drive: true
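Review bot: Rules 120 and 121 match only on `proto: 'udp'` and `dport: 6081`, so any UDP packet addressed to port 6081 bypasses connection tracking, whatever its source address or interface. Two things should be confirmed before merging. First, rule 119 as shown carries no explicit connection-state setting. If the firewall rule generator applies a default state match to it, packets marked NOTRACK in the raw table are untracked and will stop matching that accept rule, so rule 119 should be made explicitly stateless. Second, if the rule format allows it, narrow the NOTRACK rules to the tunnel network or interface so that only real Geneve peers skip stateful filtering. A smaller point: the two new rules have identical descriptions apart from the number. Adding the chain to each name (OUTPUT, PREROUTING) would make the resulting ruleset easier to audit.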