
yahoo-eng-team team mailing list archive

[Bug 1559920] Re: Flows per in_port are deleted after SG rules are applied


Reviewed:  https://review.openstack.org/406731
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c54c5791b43deada9936f0c9c5d8b681a3216893
Submitter: Jenkins
Branch:    master

commit c54c5791b43deada9936f0c9c5d8b681a3216893
Author: IWAMOTO Toshihiro <iwamoto@xxxxxxxxxxxxx>
Date:   Mon Dec 5 13:28:59 2016 +0900

    ovs-agent: Clear in_port=ofport flow earlier
    
    This is the minimum change to pass tempest's
    test_update_instance_port_admin_state test. Alternatively, the delete_flows
    could be changed to just deal with drop_port flows, which can affect
    3rd party code.
    
    Change-Id: Id15eed5f21bc6842daceb28ee9bc660f20e9b04a
    Closes-Bug: #1559920


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1559920

Title:
  Flows per in_port are deleted after SG rules are applied

Status in neutron:
  Fix Released

Bug description:
  During the creation of a new port in the integration bridge (br-int),
  first the firewall rules are applied and then all flows matching this
  input port are deleted:

      if cur_tag != lvm.vlan:
          self.int_br.delete_flows(in_port=port.ofport)

  This happens only when the port is created (or the vlan tag changes).
  If any firewall rule is applied using the in_port as a condition,
  during the initialization of the firewall for this port, this rule is
  deleted.

  Instead of that, this security action should be moved to the previous
  function, "_add_port_tag_info", in order to avoid any firewall rule
  deletion and maintain the same security level during the port
  creation; that means the ports don't allow any kind of traffic until
  the firewall rules are applied.

  How to reproduce:

      1. Start the Neutron agent with the OVS firewall configured.
      2. Wait until all OVS flows are established. You'll see some flows with conditions "in_port=xx". Those are set in "initialize_port_flows", in the OVS firewall.
      3. Stop the agent. No flow must be deleted. Make a capture of all the flows.
      4. Restart the agent. At this point, the VLAN tag should be different from the last one assigned by the agent.
      5. Now you can compare the flows in OVS to the list of flows in step 3.
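The ordering problem described in the bug, reduced to a runnable model. This is an added example, not neutron's code: `Bridge` is a toy stand-in for br-int with `ovs-ofctl`-style `add_flow`/`delete_flows` semantics, and `firewall_initialize_port_flows` is an assumed sketch of the OVS firewall's per-port flows (the match fields and actions are constructed). `setup_port_buggy` reproduces the pre-fix order (firewall first, then `delete_flows(in_port=...)`), `setup_port_fixed` the post-fix order.

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    priority: int
    match: dict      # e.g. {"in_port": 5}
    actions: str


@dataclass
class Bridge:
    """Toy model of the integration bridge (br-int); not neutron's OVSBridge."""
    flows: list = field(default_factory=list)

    def add_flow(self, priority, actions, **match):
        self.flows.append(Flow(priority, match, actions))

    def delete_flows(self, **match):
        # Like `ovs-ofctl del-flows`: drop every flow whose match contains
        # all of the given fields, regardless of priority or other fields.
        self.flows = [f for f in self.flows
                      if not all(f.match.get(k) == v for k, v in match.items())]

    def flows_for_port(self, ofport):
        return [f for f in self.flows if f.match.get("in_port") == ofport]


def firewall_initialize_port_flows(br, ofport):
    """Assumed sketch of the OVS firewall's initialize_port_flows: per-port
    flows keyed on in_port that drop everything until SG rules are installed."""
    br.add_flow(priority=100, actions="drop", in_port=ofport)
    br.add_flow(priority=90, actions="resubmit(,71)",
                in_port=ofport, dl_src="fa:16:3e:00:00:01")  # constructed MAC


def setup_port_buggy(br, ofport, cur_tag, new_tag):
    """Pre-fix order: firewall flows go in, then every in_port flow is deleted."""
    firewall_initialize_port_flows(br, ofport)
    if cur_tag != new_tag:
        br.delete_flows(in_port=ofport)   # wipes the firewall's flows too
    return len(br.flows_for_port(ofport))


def setup_port_fixed(br, ofport, cur_tag, new_tag):
    """Post-fix order: stale in_port flows are cleared first, then the firewall runs."""
    if cur_tag != new_tag:
        br.delete_flows(in_port=ofport)   # only stale flows exist at this point
    firewall_initialize_port_flows(br, ofport)
    return len(br.flows_for_port(ofport))
```

With a stale flow left from the previous agent run and a changed VLAN tag, the buggy order leaves the port with zero flows (no firewall at all), while the fixed order leaves exactly the firewall's flows.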

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1559920/+subscriptions