Public bug reported:

When I attach port with disabled security to a vm, I am not able to use this port.

Steps to reproduce:

1. Create port and disable security:

     neutron port-create --name test-sec-group --no-security-groups <net_id>
     neutron port-update <port_id> --port-security-enabled=False

2. Attach port to vm:

     nova interface-attach <server_id> --port-id <port_id>

After these steps I am unable to use this port on the vm (for example obtain dhcp lease).

The cause that I identified is that after these steps the iptables on the host with vm is not configured properly. I can't see rules that should be there:

     -A neutron-openvswi-FORWARD -m physdev --physdev-out <port_interface> --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
     -A neutron-openvswi-FORWARD -m physdev --physdev-in <port_interface> --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
     -A neutron-openvswi-INPUT -m physdev --physdev-in <port_interface> --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT

When I add these rules manually, everything works fine.

Another scenario when everything works fine: change steps order - create port, attach it and then disable security.

My environment:
* OpenStack Mitaka on CentOS 7
* neutron version: neutron-8.2.0
* nova version: nova-13.1.1

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1655579

Title:
  Attached port with disabled security does not work properly

Status in neutron:
  New
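
The check described in the report (are the three accept-all rules present for the port's interface?) can be scripted. The following is an added example, not part of the original bug report or of neutron; the function names, the sample interface names and the sample dump are constructed, and it assumes the rules appear in iptables-save output in the same form as quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report): list which of the three accept-all
# rules quoted in the report are absent for a given port interface.

# Constructed sample of `iptables-save` output. tap1111aaaa-11 has all three
# rules; tap2222bbbb-22 has only the outbound FORWARD rule.
sample_dump() {
cat <<'EOF'
*filter
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1111aaaa-11 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1111aaaa-11 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1111aaaa-11 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap2222bbbb-22 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
COMMIT
EOF
}

# missing_rules IFACE < dump
# Prints "CHAIN physdev-DIR" for each expected rule not found in the dump on
# stdin. Returns 0 when all three rules are present, 1 otherwise.
missing_rules() {
    iface=$1
    dump=$(cat)
    rc=0
    for spec in "FORWARD out" "FORWARD in" "INPUT in"; do
        chain=${spec% *}
        dir=${spec#* }
        # Fixed-string match that includes the option following the interface
        # name, so one interface name never matches a longer one.
        want="-A neutron-openvswi-$chain -m physdev --physdev-$dir $iface --physdev-is-bridged"
        if ! printf '%s\n' "$dump" | grep -F -e "$want" | grep -q -e '-j ACCEPT$'; then
            echo "$chain physdev-$dir"
            rc=1
        fi
    done
    return $rc
}

# On a compute host: iptables-save | missing_rules <port_interface>
```

A non-zero exit status with one or more lines of output means the interface is in the state the report describes, with accept rules missing for a port that has port security disabled.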