yahoo-eng-team team mailing list archive

[Bug 1708092] Re: ovsfw sometimes rejects legitimate traffic when multiple remote SG rules are in use

Reviewed:  https://review.openstack.org/494428
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4ac4c22a646799aaecca61334a8bb44147ab881a
Submitter: Zuul
Branch:    master

commit 4ac4c22a646799aaecca61334a8bb44147ab881a
Author: IWAMOTO Toshihiro <iwamoto@xxxxxxxxxxxxx>
Date:   Thu Aug 17 15:13:53 2017 +0900

    ovsfw: Use multiple priorities in RULES_*_TABLE
    
    The OpenFlow spec says packets shouldn't match against multiple flows
    at the same priority or the result is undefined. In ovsfw, 8 priority
    levels are needed to comply with this rule.
    
    Note: unlike overlapping TCP port ranges cases, the current version
    of OVS seems to handle this case magically.
    
    Change-Id: I6deaee8dbe81453285b1fc685282952bc9456949
    Closes-bug: #1708092


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1708092

Title:
  ovsfw sometimes rejects legitimate traffic when multiple remote SG
  rules are in use

Status in neutron:
  Fix Released

Bug description:
  ovsfw uses conjunction to represent SG rules with remote_group_id.
  When there are multiple rules which differ only in remote_group_id, the ovsfw code generates flows with the same match fields and different conjunction actions. Such flows don't work well, as the OpenFlow spec says so.

  A sequence to reproduce the bug:

  $ openstack security group create sg1
  $ openstack security group create sg2
  $ openstack security group rule create --remote-group sg2 --dst-port 22:80 --protocol tcp --ingress sg1
  $ openstack security group rule create --remote-group sg1 --dst-port 80 --protocol tcp --ingress sg1

  Boot 3 instances: hoge1 (sg1), hoge2 (sg2), hoge12 (sg1 and sg2)

  Start "nc -l -p 80" on hoge12.
  Try to connect to hoge12:80 from hoge1 and hoge2. Either one should fail.
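A check a practitioner can run over `ovs-ofctl dump-flows br-int` output to spot the condition this report describes: flows in the same table with the same priority and match fields but different conjunction actions. This is an added example, not code from the bug report or from Neutron; the sample flow lines, table number and conjunction ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in `ovs-ofctl dump-flows` format (not taken from the report).
# The first two lines model two SG rules that differ only in remote_group_id:
# identical table, priority and match, but different conjunction ids.
SAMPLE_FLOWS = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=10.1s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,tcp,reg5=0x1,tp_dst=80 actions=conjunction(18,1/2)
 cookie=0x0, duration=10.1s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,tcp,reg5=0x1,tp_dst=80 actions=conjunction(19,1/2)
 cookie=0x0, duration=10.1s, table=82, n_packets=0, n_bytes=0, priority=70,ct_state=+new-est,tcp,reg5=0x1,tp_dst=22 actions=conjunction(18,1/2)
 cookie=0x0, duration=10.1s, table=82, n_packets=0, n_bytes=0, priority=71,ct_state=+new-est,tcp,reg5=0x1,tp_dst=80 actions=conjunction(20,1/2)
 cookie=0x0, duration=10.1s, table=82, n_packets=0, n_bytes=0, priority=0 actions=drop
"""

# table=..., then priority=N optionally followed by comma-separated match fields,
# then the actions list (no whitespace inside either part in dump-flows output).
FLOW_RE = re.compile(
    r"table=(?P<table>\d+),.*?priority=(?P<prio>\d+)(?:,(?P<match>\S+))?\s+actions=(?P<actions>\S+)"
)

def parse_flow(line):
    """Return (table, priority, normalized_match, actions), or None for non-flow lines."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    fields = m["match"].split(",") if m["match"] else []
    # Sort match fields so the same match written in a different order compares equal.
    return int(m["table"]), int(m["prio"]), ",".join(sorted(fields)), m["actions"]

def find_conflicting_conjunctions(dump):
    """Map (table, priority, match) -> sorted list of distinct conjunction actions,
    keeping only groups with more than one, i.e. the undefined-behaviour case."""
    groups = defaultdict(set)
    for line in dump.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue
        table, prio, match, actions = parsed
        if actions.startswith("conjunction("):
            groups[(table, prio, match)].add(actions)
    return {key: sorted(acts) for key, acts in groups.items() if len(acts) > 1}

if __name__ == "__main__":
    for (table, prio, match), acts in find_conflicting_conjunctions(SAMPLE_FLOWS).items():
        print(f"table={table} priority={prio} match={match}: {', '.join(acts)}")
```

Run it against a real dump with `ovs-ofctl dump-flows br-int | python3 check.py` after replacing `SAMPLE_FLOWS` with `sys.stdin.read()`; a fixed ovsfw should report no groups.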

