This is tracking the upstream effort needed to deliver the solution to the bug described below.
Problem Description: Clearly explain the issue.
With OVS-DPDK, fragmented packets that match the following security group are not delivered.
The customer's actual rule is below.
$ openstack security group show --fit ac58c567-62a2-4dd6-9c1e-07158fc7dad5
+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                   |
+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2025-07-08T08:45:41Z                                                                                                                                    |
| description     | test-sg                                                                                                                                                 |
| id              | ac58c567-62a2-4dd6-9c1e-07158fc7dad5                                                                                                                    |
| name            | test-sg                                                                                                                                                 |
| project_id      | 6bbfe3db7b2248088c50e8bf0843bca9                                                                                                                        |
| revision_number | 4                                                                                                                                                       |
| rules           | created_at='2025-07-09T01:01:47Z', direction='ingress', ethertype='IPv4', id='5ed88075-45c9-49ba-9abb-543dde9c175f', normalized_cidr='192.168.0.83/32', |
|                 | port_range_max='8888', port_range_min='8888', protocol='udp', remote_ip_prefix='192.168.0.83/32', standard_attr_id='33460652',                          |
|                 | updated_at='2025-07-09T01:01:47Z'                                                                                                                       |
|                 | created_at='2025-07-08T08:45:41Z', direction='egress', ethertype='IPv4', id='98f4951f-e647-4680-b7b9-b5e7df96f026', standard_attr_id='33332675',        |
|                 | updated_at='2025-07-08T08:45:41Z'                                                                                                                       |
|                 | created_at='2025-07-08T08:45:41Z', direction='egress', ethertype='IPv6', id='fec16e27-d0d5-479f-aa3f-38591c844c21', standard_attr_id='33332678',        |
|                 | updated_at='2025-07-08T08:45:41Z'                                                                                                                       |
| stateful        | True                                                                                                                                                    |
| tags            | []                                                                                                                                                      |
| updated_at      | 2025-07-09T01:01:47Z                                                                                                                                    |
+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+
The rule in question is the ingress UDP rule for port 8888.
This is not observed in non-OVS-DPDK deployments.
Impact Assessment: Describe the severity and impact (e.g., network down, availability of a workaround, etc.).
Fragmented packets are not handled properly by the security group, which impacts the tenant's security policy.
Software Versions: Specify the exact versions in use (e.g., openvswitch3.1-3.1.0-147.el8fdp).
OVS22.12
Openvswitch3.1
Issue Type: Indicate whether this is a new issue or a regression (if a regression, state the last known working version).
Bug
Reproducibility: Confirm if the issue can be reproduced consistently. If not, describe how often it occurs.
Can be replicated on the customer's environment.
Reproduction Steps: Provide detailed steps or scripts to replicate the issue.
1. Deploy RHOSP17.1.2 with OVS-DPDK.
2. Run two instances, then apply a security group with a port and IP range.
3. Send a fragmented packet, then observe the reply from the target instance.
Expected Behavior: Describe what should happen under normal circumstances.
Sender VM can get responses from receiver VM.
Observed Behavior: Explain what actually happens.
The sender VM's packets are not delivered to the receiver VM.
Troubleshooting Actions: Outline the steps taken to diagnose or resolve the issue so far.
This issue is observed with fragmented packets of any size. For example, even if the network MTU is 1480, an nping command with --mtu 1200 --data-length 1500 triggers the issue.
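An added illustration, not part of the original report: what a 1500-byte UDP payload to port 8888 looks like once split for a 1200-byte MTU, and which fragments expose the destination port that the security group rule matches on. It models standard IPv4 fragmentation (RFC 791) with a 20-byte header; the source port 40000 is a constructed value, and nping's exact chunking may differ.

```python
import struct

IP_HDR = 20   # IPv4 header without options (assumption for this example)
UDP_HDR = 8

def udp_datagram(sport, dport, data_len):
    """UDP header + zero-filled payload (checksum left at 0 for the illustration)."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR + data_len, 0) + bytes(data_len)

def fragment(ip_payload, mtu):
    """Split an IPv4 payload; returns (offset in 8-byte units, more_fragments, chunk)."""
    step = (mtu - IP_HDR) // 8 * 8   # non-final fragments carry a multiple of 8 bytes
    frags = []
    for start in range(0, len(ip_payload), step):
        chunk = ip_payload[start:start + step]
        frags.append((start // 8, start + step < len(ip_payload), chunk))
    return frags

def visible_dport(offset_units, chunk):
    """Destination port a per-packet classifier can read; None on non-first fragments."""
    if offset_units != 0 or len(chunk) < UDP_HDR:
        return None
    return struct.unpack("!H", chunk[2:4])[0]

def reassemble(frags):
    """Rebuild the original IP payload, rejecting gaps or overlaps."""
    buf = bytearray()
    for off, _mf, chunk in sorted(frags):
        if off * 8 != len(buf):
            raise ValueError("gap or overlap in fragments")
        buf += chunk
    return bytes(buf)

def demo():
    dgram = udp_datagram(sport=40000, dport=8888, data_len=1500)  # constructed sample
    frags = fragment(dgram, mtu=1200)
    per_fragment = [(off, mf, len(c), visible_dport(off, c)) for off, mf, c in frags]
    return per_fragment, visible_dport(0, reassemble(frags))

if __name__ == "__main__":
    per_fragment, whole = demo()
    for off, mf, size, port in per_fragment:
        print(f"offset={off * 8:5d} MF={int(mf)} len={size:5d} dport={port}")
    print("dport after reassembly:", whole)
```

Only the first fragment carries the UDP header, so matching the second fragment against a port-based rule depends on the datapath reassembling or tracking fragments before the rule is evaluated.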
Logs: If you collected logs please provide them (e.g. sos report, /var/log/openvswitch/* , testpmd console)
is cloned by:
- FDP-3205 CLONE [ovn26.03 fast-datapath-rhel-9] - Upstream: With OVS-DPDK, Security group with IP and port range, fragmented packets matched to the rule were not delivered to instance. (New)
- FDP-3206 CLONE [ovn26.03 fast-datapath-rhel-10] - Upstream: With OVS-DPDK, Security group with IP and port range, fragmented packets matched to the rule were not delivered to instance. (New)
- FDP-3233 CLONE [ovn24.03 fast-datapath-rhel-9] - Upstream: With OVS-DPDK, Security group with IP and port range, fragmented packets matched to the rule were not delivered to instance. (New)
- FDP-3234 CLONE [ovn24.09 fast-datapath-rhel-9] - Upstream: With OVS-DPDK, Security group with IP and port range, fragmented packets matched to the rule were not delivered to instance. (New)
- FDP-3235 CLONE [ovn25.03 fast-datapath-rhel-9] - Upstream: With OVS-DPDK, Security group with IP and port range, fragmented packets matched to the rule were not delivered to instance. (New)
- FDP-3236 CLONE [ovn25.03 fast-datapath-rhel-10] - Upstream: With OVS-DPDK, Security group with IP and port range, fragmented packets matched to the rule were not delivered to instance. (New)
- FDP-3237 CLONE [ovn25.09 fast-datapath-rhel-9] - Upstream: With OVS-DPDK, Security group with IP and port range, fragmented packets matched to the rule were not delivered to instance. (New)
- FDP-3238 CLONE [ovn25.09 fast-datapath-rhel-10] - Upstream: With OVS-DPDK, Security group with IP and port range, fragmented packets matched to the rule were not delivered to instance. (New)