Comment 8 for bug 1866445

Yi Yang (yangyi01) wrote :

@LIU Yulong, yes, we enabled l2pop and arpresponder, and use DVR; firewall_driver is iptables_hybrid. To clarify, your fix patch can't fix our issue because your fix patch is for the openvswitch firewall only.

From ovs-ofctl -Oopenflow13 dump-flows br-int, we can see VM-to-VM traffic hits the NORMAL action, and with ovs-appctl dpif/dump-flows we can see the traffic is output to many ofports. What is very weird is that br-int can learn the MAC once the subnet VMs host is removed from the router.

Below is the neutron openvswitch agent config on our compute node.

cat /etc/neutron/plugins/ml2/openvswitch_agent.ini
[DEFAULT]
[agent]
tunnel_types =vxlan
vxlan_udp_port = 4789
l2_population = True
arp_responder = True
enable_distributed_routing = True
drop_flows_on_start = False

[network_log]
[ovs]
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = xxx.xxx.xxx.xxx
bridge_mappings = physnet1:br-floating
[securitygroup]
firewall_driver = iptables_hybrid
enable_security_group = True