yahoo-eng-team team mailing list archive

[Bug 2115053] [NEW] conntrack flow created for stateless SG rule

 

Public bug reported:

The following tobiko test checks that no conntrack flows are created on the compute when traffic matches a stateless SG:
https://github.com/redhat-openstack/tobiko/blob/master/tobiko/tests/scenario/neutron/test_security_groups.py#L345


When it is run on Ubuntu Jammy, with OVN 22.03.3, the test passes:
https://zuul.opendev.org/t/openstack/build/257ddfe2eec948978becfbc35c3ee548

Test logs:
https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_257/openstack/257ddfe2eec948978becfbc35c3ee548/tobiko_results_02_create_resources_scenario.html?sort=result
2025-06-20 02:39:34.376 102499 DEBUG tobiko.shell.sh._execute - Command executed:
command: 'hostname'
exit_status: 0
status: ShellExecuteStatus.SUCCEEDED
login: 'cirros@172.24.5.138:22'
stdout:
    mbxcvasf  
...
2025-06-20 02:39:34.408 102499 DEBUG tobiko.shell.sh._execute - Command executed:
command: 'sudo conntrack -L --proto tcp --dport 22 --dst 10.100.0.74'
exit_status: 0
status: ShellExecuteStatus.SUCCEEDED
login: 'zuul@199.204.45.155:22'
stderr:
    conntrack v1.4.6 (conntrack-tools): 0 flow entries have been shown.


When it is run on Ubuntu Noble, with OVN 24.03.2, the test fails:
https://zuul.opendev.org/t/openstack/build/e516a3e8621a49f8834554b11cd25f1f

Test logs:
https://2bce9a5fe66292c1b642-370e010525c6da286e6aa54793058fb2.ssl.cf2.rackcdn.com/openstack/e516a3e8621a49f8834554b11cd25f1f/tobiko_results_02_create_resources_scenario.html?sort=result
2025-06-20 06:58:27.459 100262 DEBUG tobiko.shell.sh._execute - Command executed:
command: 'hostname'
exit_status: 0
status: ShellExecuteStatus.SUCCEEDED
login: 'cirros@172.24.5.104:22'
stdout:
    vkilpqri
...
command: 'sudo conntrack -L --proto tcp --dport 22 --dst 10.100.0.240'
exit_status: 0
status: ShellExecuteStatus.SUCCEEDED
login: 'zuul@200.225.47.40:22'
stdout:
    tcp      6 119 SYN_SENT src=172.24.5.1 dst=10.100.0.240 sport=33704 dport=22 [UNREPLIED] src=10.100.0.240 dst=172.24.5.1 sport=22 dport=33704 mark=0 zone=10 use=1
    
stderr:
    conntrack v1.4.8 (conntrack-tools): 1 flow entries have been shown.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2115053

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2115053/+subscriptions
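
Added example, not part of the bug report or of tobiko's code: a parser for `conntrack -L` output that applies the check described in the report, returning any tracked flow whose original direction targets the stateless-SG port. The names Flow, parse_flows and stateless_violations are hypothetical; FAILING and PASSING are constructed from the output lines quoted in the report.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample input, built from the conntrack output quoted in the report.
FAILING = (
    "tcp      6 119 SYN_SENT src=172.24.5.1 dst=10.100.0.240 sport=33704 dport=22 "
    "[UNREPLIED] src=10.100.0.240 dst=172.24.5.1 sport=22 dport=33704 mark=0 zone=10 use=1\n"
    "conntrack v1.4.8 (conntrack-tools): 1 flow entries have been shown.\n"
)
PASSING = "conntrack v1.4.6 (conntrack-tools): 0 flow entries have been shown.\n"

class Flow(NamedTuple):
    proto: str
    state: Optional[str]      # e.g. SYN_SENT; None for protocols without a state token
    src: str
    dst: str
    sport: Optional[int]      # None for entries without ports (e.g. ICMP)
    dport: Optional[int]
    unreplied: bool
    zone: Optional[int]

_KV = re.compile(r"(\w+)=(\S+)")

def parse_flows(text: str) -> List[Flow]:
    """Parse 'conntrack -L' text; the summary line and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        # Flow lines start with "<proto name> <proto number> <timeout> ...".
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        kv = {}
        for key, value in _KV.findall(line):
            kv.setdefault(key, value)  # first occurrence is the original direction
        if "src" not in kv or "dst" not in kv:
            continue
        state = fields[3] if "=" not in fields[3] else None
        port = lambda k: int(kv[k]) if k in kv else None
        flows.append(Flow(fields[0], state, kv["src"], kv["dst"], port("sport"),
                          port("dport"), "[UNREPLIED]" in fields, port("zone")))
    return flows

def stateless_violations(text: str, dst: str, dport: int, proto: str = "tcp") -> List[Flow]:
    """Flows that should not exist when the matching SG rule is stateless."""
    return [f for f in parse_flows(text)
            if f.proto == proto and f.dst == dst and f.dport == dport]
```

Only the original-direction tuple is compared, so the reply tuple on the same line (src=10.100.0.240 sport=22) does not produce a second match.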


