Public bug reported: Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=2017048
When we switch back and forth between stateful to stateless security group, the ACL rules in OVN are not updated. The new ACL rules are created according to the SG mode though. Steps to Reproduce: 1. The pre created SG is stateful $ openstack security group show default -c stateful -f value True In a controller, we can list the ACLs as "allow-related" [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : e31f56a6-a373-4f0f-b690-dafd7b964d99 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && udp" meter : [] name : [] priority : 1002 severity : [] 2. Switch to stateless SG: $ openstack security group set --stateless default Yet, the "list ACL" command shows that the rule still uses conntrack (allow-related). 3. We create a new rule: openstack security group rule create default --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0 Actual results: The rules are a mix of allow-related and allow-stateless: [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : fb970be6-493c-424a-b133-66dcbe3aedee action : allow-stateless direction : to-lport external_ids : {"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22" meter : [] name : [] priority : 1002 severity : [] _uuid : 18cc8207-6489-49d9-bb57-31ed04b04726 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp" meter : [] name : [] priority : 1002 severity : [] Expected results: All rules should be "allow-stateless" or "allow-related" when we update the security group to stateless or stateful. ** Affects: neutron Importance: Undecided Assignee: Ihar Hrachyshka (ihar-hrachyshka) Status: In Progress ** Tags: ovn sg-fw -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1952653 Title: OVN: stateless field update not reflected in OVN flows Status in neutron: In Progress Bug description: Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=2017048 When we switch back and forth between stateful to stateless security group, the ACL rules in OVN are not updated. The new ACL rules are created according to the SG mode though. Steps to Reproduce: 1. The pre created SG is stateful $ openstack security group show default -c stateful -f value True In a controller, we can list the ACLs as "allow-related" [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : e31f56a6-a373-4f0f-b690-dafd7b964d99 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && udp" meter : [] name : [] priority : 1002 severity : [] 2. Switch to stateless SG: $ openstack security group set --stateless default Yet, the "list ACL" command shows that the rule still uses conntrack (allow-related). 3. We create a new rule: openstack security group rule create default --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0 Actual results: The rules are a mix of allow-related and allow-stateless: [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : fb970be6-493c-424a-b133-66dcbe3aedee action : allow-stateless direction : to-lport external_ids : {"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22" meter : [] name : [] priority : 1002 severity : [] _uuid : 18cc8207-6489-49d9-bb57-31ed04b04726 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp" meter : [] name : [] priority : 1002 severity : [] Expected results: All rules should be "allow-stateless" or "allow-related" when we update the security group to stateless or stateful. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1952653/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp