yahoo-eng-team team mailing list archive

[Bug 1708092] [NEW] ovsfw sometimes rejects legitimate traffic when multiple remote SG rules are in use

Public bug reported:

ovsfw uses conjunction to represent SG rules with remote_group_id.
When there are multiple rules which differ only in remote_group_id, the ovsfw code generates flows with the same match fields and different conjunction actions. Such flows don't work well as the OpenFlow spec says so.

A sequence to reproduce the bug:

$ openstack security group create sg1
$ openstack security group create sg2
$ openstack security group rule create --remote-group sg2 --dst-port 22:80 --protocol tcp --ingress sg1
$ openstack security group rule create --remote-group sg1 --dst-port 80 --protocol tcp --ingress sg1

Boot 3 instances: hoge1 (sg1), hoge2 (sg2), hoge12 (sg1 and sg2)

Start "nc -l -p 80" on hoge12.
Try to connect to hoge12:80 from hoge1 and hoge2. Either one should fail.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: ovs-fw sg-fw

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1708092

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1708092/+subscriptions
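As an added illustration (not part of the bug report and not neutron's own code), the script below models why the two rules in the reproduction steps collide: a flow-based firewall must split a port range such as 22:80 into value/mask matches, so the range rule and the single-port rule both emit a flow matching tcp_dst=80, each with a different conjunction id. The port-mask decomposition, the conjunction-id assignment and the sample rules are constructed stand-ins for what ovsfw does.

```python
from collections import defaultdict

# Constructed sample mirroring the bug report: two ingress TCP rules on sg1
# that differ in remote_group_id and overlap on destination port 80.
RULES = [
    {"sg": "sg1", "direction": "ingress", "protocol": "tcp",
     "port_min": 22, "port_max": 80, "remote_group_id": "sg2"},
    {"sg": "sg1", "direction": "ingress", "protocol": "tcp",
     "port_min": 80, "port_max": 80, "remote_group_id": "sg1"},
]


def port_masks(lo, hi):
    """Decompose the inclusive range [lo, hi] into (value, mask) pairs.

    OpenFlow matches L4 ports by value/mask, not by range, so a range rule
    becomes several flows; this mirrors the idea, not ovsfw's exact code."""
    out = []
    while lo <= hi:
        # Grow the largest power-of-two block aligned at lo that stays <= hi.
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out


def conj_flows(rules):
    """Yield (match_tuple, conj_id) for every flow a rule set would emit.

    conj_id is a constructed stand-in for the per-remote-group conjunction
    id that ovsfw attaches to a rule's flows."""
    conj_ids = {}
    for r in rules:
        key = (r["sg"], r["direction"], r["remote_group_id"])
        conj_ids.setdefault(key, len(conj_ids) + 1)
        for val, mask in port_masks(r["port_min"], r["port_max"]):
            match = (r["sg"], r["direction"], r["protocol"], val, mask)
            yield match, conj_ids[key]


def find_conflicts(rules):
    """Return match tuples that would carry more than one conjunction id,
    i.e. the exact situation the report says the OpenFlow spec disallows."""
    by_match = defaultdict(set)
    for match, cid in conj_flows(rules):
        by_match[match].add(cid)
    return {m: ids for m, ids in by_match.items() if len(ids) > 1}


if __name__ == "__main__":
    for match, ids in find_conflicts(RULES).items():
        print("conflicting match %r -> conjunction ids %s" % (match, sorted(ids)))
```

Running it reports the single shared match on tcp_dst=80/0xffff; with only the range rule present the conflict set is empty, which is the check an operator could apply to a tenant's rules before the flows are installed.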
