OpenStack 2023.2 with OVN 23.09.3: a VM with the default security group (permit ANY on egress) can't ping the gateway in its subnet; however, ARP is OK, it can send traffic through the gateway, and it can ping external resources and other hosts in the subnet. Without port security it can ping the gateway normally.
According to the trace, I see that on the last hop there is no output action and there is a marking ct_mark.blocked = 1:
egress(dp="int-net", inport="f5f53d", outport="00a15c")
-------------------------------------------------------
0. ls_out_pre_acl (northd.c:7253): ip, priority 100, uuid 2dc7fa39
reg0[0] = 1;
next;
2. ls_out_pre_stateful (northd.c:7472): reg0[0] == 1, priority 100, uuid 4ad9d102
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
- ls_out_acl_hint (northd.c:7557): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 85114b3b
reg0[8] = 1;
reg0[10] = 1;
next;
- ls_out_acl_eval (northd.c:7794): reg0[10] == 1 && (outport == @neutron_pg_drop && ip), priority 2001, uuid 3ff77ec2
reg8[17] = 1;
ct_commit { ct_mark.blocked = 1; };
next;
- ls_out_acl_action (northd.c:7905): reg8[17] == 1, priority 1000, uuid d9f07b14
reg8[16] = 0;
reg8[17] = 0;
reg8[18] = 0;
Does anybody know what logic is used to block ICMP to the gateway, and is it possible to change this behavior?
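When triaging an ovn-trace like the one quoted above, the two things worth pulling out mechanically are (a) which stage commits ct_mark.blocked = 1 and under what match and priority, and (b) which conntrack state the trace assumed at the ct_next recirculation, since the output itself labels `ct_state=est|trk` as a default rather than an observed state. The following parser is an added example, not code from the post or from OVN/Neutron; it reads the trace format shown above (stage header lines followed by indented action lines), and the sample text is constructed from the excerpt in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the egress-pipeline excerpt quoted in the post above,
# re-indented the way ovn-trace prints it.
SAMPLE_TRACE = """\
egress(dp="int-net", inport="f5f53d", outport="00a15c")
-------------------------------------------------------
 0. ls_out_pre_acl (northd.c:7253): ip, priority 100, uuid 2dc7fa39
    reg0[0] = 1;
    next;
 2. ls_out_pre_stateful (northd.c:7472): reg0[0] == 1, priority 100, uuid 4ad9d102
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 - ls_out_acl_hint (northd.c:7557): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 85114b3b
    reg0[8] = 1;
    reg0[10] = 1;
    next;
 - ls_out_acl_eval (northd.c:7794): reg0[10] == 1 && (outport == @neutron_pg_drop && ip), priority 2001, uuid 3ff77ec2
    reg8[17] = 1;
    ct_commit { ct_mark.blocked = 1; };
    next;
 - ls_out_acl_action (northd.c:7905): reg8[17] == 1, priority 1000, uuid d9f07b14
    reg8[16] = 0;
    reg8[17] = 0;
    reg8[18] = 0;
"""

# A stage header: "<n>." or "-" marker, stage name, (source ref), match, priority, uuid.
STAGE_RE = re.compile(
    r"^\s*(?:\d+\.|-)\s+(?P<stage>\w+)\s+\((?P<src>[^)]*)\):\s+"
    r"(?P<match>.*),\s+priority\s+(?P<prio>\d+),\s+uuid\s+(?P<uuid>[0-9a-f]+)\s*$"
)
# The recirculation banner that records which ct_state the trace continued with.
CT_NEXT_RE = re.compile(r"^\s*ct_next\(ct_state=(?P<state>[^\s/)]+)")


@dataclass
class Stage:
    name: str
    match: str
    priority: int
    uuid: str
    actions: list = field(default_factory=list)

    def commits_blocked(self) -> bool:
        # The action that poisons the conntrack entry so later packets of the flow are dropped.
        return any("ct_mark.blocked = 1" in a for a in self.actions)

    def has_output(self) -> bool:
        return any(a.strip() == "output;" for a in self.actions)


def parse_trace(text: str):
    """Return (stages, ct_states): stages in order, and every ct_state the trace assumed."""
    stages, ct_states = [], []
    current = None
    for line in text.splitlines():
        m = STAGE_RE.match(line)
        if m:
            current = Stage(m["stage"], m["match"], int(m["prio"]), m["uuid"])
            stages.append(current)
            continue
        c = CT_NEXT_RE.match(line)
        if c:
            ct_states.append(c["state"])
            current = None  # banner line, not an action of the previous stage
            continue
        if current is not None and line.strip() and not line.startswith("-----"):
            current.actions.append(line.strip())
    return stages, ct_states


def triage(text: str) -> dict:
    """Summarise why the traced packet never reached an output action."""
    stages, ct_states = parse_trace(text)
    blockers = [s for s in stages if s.commits_blocked()]
    first = blockers[0] if blockers else None
    return {
        "assumed_ct_state": ct_states[0] if ct_states else None,
        "reached_output": any(s.has_output() for s in stages),
        "blocking_stage": first.name if first else None,
        "blocking_match": first.match if first else None,
        "blocking_priority": first.priority if first else None,
        "last_stage": stages[-1].name if stages else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the quoted trace the summary reports that no stage emitted `output;`, that the blocking commit happened in `ls_out_acl_eval` at priority 2001 on the match `reg0[10] == 1 && (outport == @neutron_pg_drop && ip)`, and that the trace assumed `est|trk` conntrack state. That last field is the one to check before drawing conclusions: rerun ovn-trace with the `--ct` option the banner mentions so the assumed state matches the packet you are actually debugging, since the `ls_out_acl_hint` match that sets `reg0[10]` depends on it.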