Public bug reported:

The stateful security group API extension has been supported by the OVN backend
since [1] and [2], but it works properly only with OVN >= 21.06, which added
support for the "allow-stateless" action in ACL rules.
Neutron currently still supports e.g. Ubuntu 20.04, which delivers OVN 20.03. In
that case the stateful SG API extension is available in Neutron and it allows
users to create a stateless SG, but OVN will then silently ignore the requested
"allow-stateless" and will set "allow-related" for all ACL rules. Finally, the
cloud's user will be using stateful SG rules even when stateless ones were
requested and are shown in the Neutron API.
Because of that, Neutron should check the OVN version and remove this API
extension from the enabled extensions list if OVN is not 21.06 or newer.

[1] https://review.opendev.org/c/openstack/neutron/+/789974
[2] https://review.opendev.org/c/openstack/neutron/+/816612

** Affects: neutron
     Importance: Low
     Assignee: Slawek Kaplonski (slaweq)
         Status: New


** Tags: api ovn

https://bugs.launchpad.net/bugs/2003999

Title:
  Stateful SG API extension should be disabled when old OVN is used

Status in neutron:
  New
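
The version gate the report asks for, together with an audit for the silent downgrade it describes, as an added example (not Neutron's code and not the eventual fix). The alias string, the helper names and the dict layout of the sample security groups and ACLs are assumptions made for illustration.

```python
import re

# Assumption: alias under which Neutron lists the stateful SG API extension.
STATEFUL_SG_ALIAS = "stateful-security-group"
# First OVN release with the "allow-stateless" ACL action, per the report.
MIN_OVN = (21, 6)


def parse_ovn_version(text):
    """Return (major, minor) from text such as 'ovn-nbctl 20.03.2'."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no OVN version found in {text!r}")
    return int(match.group(1)), int(match.group(2))


def enabled_extensions(aliases, ovn_version_text):
    """Drop the stateful SG extension when OVN cannot honour stateless rules."""
    if parse_ovn_version(ovn_version_text) >= MIN_OVN:
        return list(aliases)
    return [a for a in aliases if a != STATEFUL_SG_ALIAS]


def downgraded_groups(security_groups, acls):
    """IDs of SGs the API shows as stateless while OVN holds allow-related ACLs."""
    stateless = {sg["id"] for sg in security_groups if not sg["stateful"]}
    return sorted({acl["sg_id"] for acl in acls
                   if acl["sg_id"] in stateless
                   and acl["action"] == "allow-related"})


# Constructed sample data (hypothetical layout, not a real API or NB DB dump).
SAMPLE_SGS = [
    {"id": "sg-a", "stateful": False},
    {"id": "sg-b", "stateful": True},
    {"id": "sg-c", "stateful": False},
]
SAMPLE_ACLS = [
    {"sg_id": "sg-a", "action": "allow-related"},    # stateless SG, downgraded
    {"sg_id": "sg-b", "action": "allow-related"},    # stateful SG, expected
    {"sg_id": "sg-c", "action": "allow-stateless"},  # stateless SG, honoured
    {"sg_id": "sg-a", "action": "drop"},
]

if __name__ == "__main__":
    print(enabled_extensions(["router", STATEFUL_SG_ALIAS], "ovn-nbctl 20.03.2"))
    print(downgraded_groups(SAMPLE_SGS, SAMPLE_ACLS))
```

On a deployment that already ran with an older OVN, the audit half matters more than the gate: security groups created as stateless before the extension is hidden still carry "allow-related" ACLs.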

