← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1952653] [NEW] OVN: stateless field update not reflected in OVN flows

 

Public bug reported:

Originally reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=2017048

When we switch back and forth between stateful to stateless security
group, the ACL rules in OVN are not updated.

The new ACL rules are created according to the SG mode though.


Steps to Reproduce:
1. The pre created SG is stateful
$  openstack security group show default -c stateful -f value
True

In a controller, we can list the ACLs as "allow-related"
[heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL

_uuid               : e31f56a6-a373-4f0f-b690-dafd7b964d99
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"}
log                 : false
match               : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && udp"
meter               : []
name                : []
priority            : 1002
severity            : []


2. Switch to stateless SG:
$ openstack security group set --stateless default

Yet, the "list ACL" command shows that the rule still uses conntrack
(allow-related).

3. We create a new rule:
openstack security group rule create default --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0


Actual results:

The rules are a mix of allow-related and allow-stateless:

[heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti
ovn_controller ovn-nbctl list ACL


_uuid               : fb970be6-493c-424a-b133-66dcbe3aedee
action              : allow-stateless
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"}
log                 : false
match               : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
meter               : []
name                : []
priority            : 1002
severity            : []

_uuid               : 18cc8207-6489-49d9-bb57-31ed04b04726
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"}
log                 : false
match               : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp"
meter               : []
name                : []
priority            : 1002
severity            : []


Expected results:
All rules should be "allow-stateless" or "allow-related" when we update the security group to stateless or stateful.

** Affects: neutron
     Importance: Undecided
     Assignee: Ihar Hrachyshka (ihar-hrachyshka)
         Status: In Progress


** Tags: ovn sg-fw

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1952653

Title:
  OVN: stateless field update not reflected in OVN flows

Status in neutron:
  In Progress

Bug description:
  Originally reported at:
  https://bugzilla.redhat.com/show_bug.cgi?id=2017048

  When we switch back and forth between stateful to stateless security
  group, the ACL rules in OVN are not updated.

  The new ACL rules are created according to the SG mode though.

  
  Steps to Reproduce:
  1. The pre created SG is stateful
  $  openstack security group show default -c stateful -f value
  True

  In a controller, we can list the ACLs as "allow-related"
  [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL

  _uuid               : e31f56a6-a373-4f0f-b690-dafd7b964d99
  action              : allow-related
  direction           : to-lport
  external_ids        : {"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"}
  log                 : false
  match               : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && udp"
  meter               : []
  name                : []
  priority            : 1002
  severity            : []


  2. Switch to stateless SG:
  $ openstack security group set --stateless default

  Yet, the "list ACL" command shows that the rule still uses conntrack
  (allow-related).

  3. We create a new rule:
  openstack security group rule create default --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0

  
  Actual results:

  The rules are a mix of allow-related and allow-stateless:

  [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti
  ovn_controller ovn-nbctl list ACL

  
  _uuid               : fb970be6-493c-424a-b133-66dcbe3aedee
  action              : allow-stateless
  direction           : to-lport
  external_ids        : {"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"}
  log                 : false
  match               : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
  meter               : []
  name                : []
  priority            : 1002
  severity            : []

  _uuid               : 18cc8207-6489-49d9-bb57-31ed04b04726
  action              : allow-related
  direction           : to-lport
  external_ids        : {"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"}
  log                 : false
  match               : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp"
  meter               : []
  name                : []
  priority            : 1002
  severity            : []


  Expected results:
  All rules should be "allow-stateless" or "allow-related" when we update the security group to stateless or stateful.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1952653/+subscriptions



Follow ups