Public bug reported:
Originally reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=2017048
When we switch back and forth between stateful to stateless security
group, the ACL rules in OVN are not updated.
The new ACL rules are created according to the SG mode though.
Steps to Reproduce:
1. The pre created SG is stateful
$ openstack security group show default -c stateful -f value
True
In a controller, we can list the ACLs as "allow-related"
[heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller
ovn-nbctl list ACL
_uuid : e31f56a6-a373-4f0f-b690-dafd7b964d99
action : allow-related
direction : to-lport
external_ids :
{"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 &&
ip4 && ip4.src == 0.0.0.0/0 && udp"
meter : []
name : []
priority : 1002
severity : []
2. Switch to stateless SG:
$ openstack security group set --stateless default
Yet, the "list ACL" command shows that the rule still uses conntrack
(allow-related).
3. We create a new rule:
openstack security group rule create default --protocol tcp --dst-port 22:22
--remote-ip 0.0.0.0/0
Actual results:
The rules are a mix of allow-related and allow-stateless:
[heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti
ovn_controller ovn-nbctl list ACL
_uuid : fb970be6-493c-424a-b133-66dcbe3aedee
action : allow-stateless
direction : to-lport
external_ids :
{"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 &&
ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
meter : []
name : []
priority : 1002
severity : []
_uuid : 18cc8207-6489-49d9-bb57-31ed04b04726
action : allow-related
direction : to-lport
external_ids :
{"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 &&
ip4 && ip4.src == 0.0.0.0/0 && tcp"
meter : []
name : []
priority : 1002
severity : []
Expected results:
All rules should be "allow-stateless" or "allow-related" when we update the
security group to stateless or stateful.
** Affects: neutron
Importance: Undecided
Assignee: Ihar Hrachyshka (ihar-hrachyshka)
Status: In Progress
** Tags: ovn sg-fw
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1952653
Title:
OVN: stateless field update not reflected in OVN flows
Status in neutron:
In Progress
Bug description:
Originally reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=2017048
When we switch back and forth between stateful to stateless security
group, the ACL rules in OVN are not updated.
The new ACL rules are created according to the SG mode though.
Steps to Reproduce:
1. The pre created SG is stateful
$ openstack security group show default -c stateful -f value
True
In a controller, we can list the ACLs as "allow-related"
[heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller
ovn-nbctl list ACL
_uuid : e31f56a6-a373-4f0f-b690-dafd7b964d99
action : allow-related
direction : to-lport
external_ids :
{"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 &&
ip4 && ip4.src == 0.0.0.0/0 && udp"
meter : []
name : []
priority : 1002
severity : []
2. Switch to stateless SG:
$ openstack security group set --stateless default
Yet, the "list ACL" command shows that the rule still uses conntrack
(allow-related).
3. We create a new rule:
openstack security group rule create default --protocol tcp --dst-port 22:22
--remote-ip 0.0.0.0/0
Actual results:
The rules are a mix of allow-related and allow-stateless:
[heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti
ovn_controller ovn-nbctl list ACL
_uuid : fb970be6-493c-424a-b133-66dcbe3aedee
action : allow-stateless
direction : to-lport
external_ids :
{"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 &&
ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
meter : []
name : []
priority : 1002
severity : []
_uuid : 18cc8207-6489-49d9-bb57-31ed04b04726
action : allow-related
direction : to-lport
external_ids :
{"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 &&
ip4 && ip4.src == 0.0.0.0/0 && tcp"
meter : []
name : []
priority : 1002
severity : []
Expected results:
All rules should be "allow-stateless" or "allow-related" when we update the
security group to stateless or stateful.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1952653/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
