DVR functionality broken in OpenStack Platform 12 - conntrack doesn't track packets in a specific network namespace if those packets were processed by the CT --notrack target in another network namespace


Issue

DVR functionality is broken in OpenStack Platform 12 - conntrack doesn't track packets in a specific network namespace if those packets were processed by the CT --notrack target in another network namespace.

Red Hat OpenStack Platform uses multiple network namespaces to implement the virtual networking infrastructure: routers, DHCP servers, firewalls, etc. Those namespaces are interconnected with OVS patch ports and internal interfaces.

There are problems with one particular type of OpenStack router: the Distributed Virtual Router (DVR). DVR is implemented with two namespaces on each compute host: qrouter-UUID and fip-UUID.

fip-UUID is directly connected to the external network, serves as a router between the external network and the qrouter-UUID namespace, and sends proxy-ARP replies to ARP requests for the floating IP address.

qrouter-UUID is directly connected to the fip-UUID namespace and to the Linux bridge that is used to emulate the network connection to the VM. qrouter-UUID implements a set of NAT rules that translate the floating IP address to the real IP address of the VM.

At this moment it is impossible to use the reference DVR implementation with RHOSP 12. The problem is described in the summary: OpenStack uses a stateless firewall in the FIP namespace, and the following iptables rules are present in its raw table:

-A PREROUTING -j neutron-l3-agent-PREROUTING
-A neutron-l3-agent-PREROUTING -j CT --notrack

One can use iptables counters and /proc/net/nf_conntrack data in the qrouter-UUID namespace to troubleshoot this issue and observe the following:

  • traffic from the external network to the VM:
    • raw and mangle PREROUTING counters increase, nat counters do not.
    • connections are not shown in /proc/net/nf_conntrack
  • traffic from the VM to the external network:
    • raw and mangle PREROUTING counters increase, nat counters do not.
    • connections in /proc/net/nf_conntrack are in UNREPLIED state

After the notrack rule is removed from the raw table of fip-UUID, the VM gets full network connectivity back.
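The following script is an added example and not part of the Red Hat article. It classifies the conntrack state of a VM's fixed IP as seen from inside the qrouter-UUID namespace, distinguishing the two symptoms listed above (no entries for inbound traffic, only [UNREPLIED] entries for outbound traffic), and prints the raw/mangle/nat PREROUTING counters next to that verdict; the namespace name and VM IP are operator-supplied placeholders, and the nf_conntrack lines in write_sample are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Checks a qrouter-UUID namespace for the
# DVR conntrack symptom: VM connections missing from nf_conntrack or stuck in [UNREPLIED].

# classify_conntrack IP FILE -> prints one of: none | unreplied | tracked
# FILE holds /proc/net/nf_conntrack contents copied out of the namespace.
classify_conntrack() {
  ip="$1"; file="$2"
  # Escape dots so 10.0.0.5 does not also match 10.0.0.50
  pat="(src|dst)=$(printf '%s' "$ip" | sed 's/\./\\./g')( |\$)"
  total=$(grep -E -c "$pat" "$file" || true)
  if [ "$total" -eq 0 ]; then echo none; return; fi
  unreplied=$(grep -E "$pat" "$file" | grep -c '\[UNREPLIED\]' || true)
  if [ "$unreplied" -eq "$total" ]; then echo unreplied; else echo tracked; fi
}

# write_sample FILE -> writes constructed nf_conntrack lines (not a real capture).
# 10.0.0.5 shows the outbound DVR symptom; 10.0.0.7 is a healthy VM for comparison.
write_sample() {
  cat > "$1" <<'EOF'
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.5 dst=203.0.113.10 sport=43210 dport=80 packets=3 bytes=180 [UNREPLIED] src=203.0.113.10 dst=10.0.0.5 sport=80 dport=43210 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=10.0.0.5 dst=203.0.113.10 type=8 code=0 id=4242 packets=4 bytes=336 [UNREPLIED] src=203.0.113.10 dst=10.0.0.5 type=0 code=0 id=4242 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 tcp      6 431998 ESTABLISHED src=10.0.0.7 dst=203.0.113.20 sport=51000 dport=443 packets=12 bytes=2400 src=203.0.113.20 dst=10.0.0.7 sport=443 dport=51000 packets=10 bytes=9000 [ASSURED] mark=0 zone=0 use=2
EOF
}

# check_qrouter NAMESPACE VM_IP -> live check on a compute host (needs root).
# Shows the PREROUTING counters of the raw, mangle and nat tables so the
# "raw and mangle increase, nat does not" pattern is visible with the verdict.
check_qrouter() {
  ns="$1"; vm_ip="$2"; dump="/tmp/nf_conntrack.$ns"
  for table in raw mangle nat; do
    echo "== $ns: $table PREROUTING =="
    ip netns exec "$ns" iptables -t "$table" -L PREROUTING -v -n -x
  done
  ip netns exec "$ns" cat /proc/net/nf_conntrack > "$dump"
  echo "conntrack state for $vm_ip: $(classify_conntrack "$vm_ip" "$dump")"
}

# Usage on a compute host (QROUTER_UUID and VM_IP are placeholders):
#   check_qrouter qrouter-QROUTER_UUID VM_IP
```

A verdict of "unreplied" for a VM whose outbound traffic passes the fip-UUID namespace, or "none" while inbound raw/mangle counters climb, matches the behaviour described in this article.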

How reproducible:
Deploy Red Hat OpenStack Platform 12 with DVR, modify security groups, start a VM, assign a floating IP and try to ping external destinations (or initiate incoming connections from the external network).

Environment

  • Red Hat OpenStack Platform 12
  • Red Hat Enterprise Linux 7.5
