Deal with a new behavior in Mitaka Neutron openvswitch plugin.
Huge hack. Somewhere in Mitaka, something starts removing the first flow rule from the table (and that is the rule allowing our control net iface ARP replies to go out!). So, put a simple rule at the head of the line that simply allows ARP replies from the local control net default gateway to arrive on our control net iface. This rule is of course eclipsed by the "Allow any inbound ARP replies on the control network" rule below -- thus it is safe to allow this arbitrary process to delete. Of course, there is probably some assumption that the plugin is making that might be going wrong. Oh well, let's wait for that to happen. Don't have time to read the code right now to find the remover-culprit.
Showing with 14 additions and 0 deletions