netvirt / NETVIRT-1052

Default SG flow entries are overridden when ANY protocol SG is added to the server


Details

    • Bug
    • Status: Resolved
    • Medium
    • Resolution: Done

    Description

      Setup:

      3 control nodes

      2 compute nodes

      3 controllers in cluster

      Distro: Nitrogen formal release


      Steps to reproduce the issue:

      1. Create a network
      2. Create a VM for the server. By default, default SG is applied to the VM and relevant flow entries are present in the dump-flows. (ip rule and ipv6 rule)
      3. Create a security group 
      4. Add ANY protocol rule (ingress and egress) to the security group 
      5. Apply the above security group to the VM

      Observation:

      There must be 2 ip rule flows but once SG is applied to the VM, ip rule is getting overridden.

       

      DUMP-FLOWS

      Default SG flows

      cookie=0x6900001, duration=14.905s, table=243, n_packets=0, n_bytes=0, priority=62015,ct_state=+inv+trk,reg6=0x19d000/0xfffff00 actions=drop
      cookie=0x6900000, duration=70.491s, table=243, n_packets=0, n_bytes=0, priority=1000,ct_state=+new+trk,ipv6,reg6=0x19cf00/0xfffff00,metadata=0xfa0/0xfffffe actions=ct(commit,zone=5002),resubmit(,220)
      cookie=0x6900000, duration=70.491s, table=243, n_packets=0, n_bytes=0, priority=1007,ct_state=+new+trk,ip,reg6=0x19cf00/0xfffff00,metadata=0xfa0/0xfffffe actions=ct(commit,zone=5002),resubmit(,220)
      cookie=0x6900001, duration=73.136s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19cf00/0xfffff00 actions=drop
      cookie=0x6900001, duration=14.923s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19d000/0xfffff00 actions=drop
      cookie=0x6900000, duration=160431.291s, table=243, n_packets=6, n_bytes=2028, priority=0 actions=drop
      

       

       After adding ANY_SG flows:

      cookie=0x6900001, duration=227.642s, table=243, n_packets=0, n_bytes=0, priority=62015,ct_state=+inv+trk,reg6=0x19d000/0xfffff00 actions=drop
      cookie=0x6900000, duration=9.853s, table=243, n_packets=0, n_bytes=0, priority=1012,ct_state=+new+trk,ip,reg6=0x19cf00/0xfffff00 actions=ct(commit,zone=5002),resubmit(,220)
      cookie=0x6900001, duration=285.873s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19cf00/0xfffff00 actions=drop
      cookie=0x6900001, duration=227.660s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19d000/0xfffff00 actions=drop
      cookie=0x6900000, duration=160644.028s, table=243, n_packets=6, n_bytes=2028, priority=0 actions=drop
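
An added example (not part of the original report or the netvirt code base): this Python compares the two dumps above with cookies and counters stripped, so the flows that were replaced stand out. The function names are hypothetical; the flow lines are the ones from the report.

```python
# Flow dumps for table 243, copied from the report above (not constructed).
BEFORE = """\
cookie=0x6900001, duration=14.905s, table=243, n_packets=0, n_bytes=0, priority=62015,ct_state=+inv+trk,reg6=0x19d000/0xfffff00 actions=drop
cookie=0x6900000, duration=70.491s, table=243, n_packets=0, n_bytes=0, priority=1000,ct_state=+new+trk,ipv6,reg6=0x19cf00/0xfffff00,metadata=0xfa0/0xfffffe actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900000, duration=70.491s, table=243, n_packets=0, n_bytes=0, priority=1007,ct_state=+new+trk,ip,reg6=0x19cf00/0xfffff00,metadata=0xfa0/0xfffffe actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900001, duration=73.136s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19cf00/0xfffff00 actions=drop
cookie=0x6900001, duration=14.923s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19d000/0xfffff00 actions=drop
cookie=0x6900000, duration=160431.291s, table=243, n_packets=6, n_bytes=2028, priority=0 actions=drop
"""
AFTER = """\
cookie=0x6900001, duration=227.642s, table=243, n_packets=0, n_bytes=0, priority=62015,ct_state=+inv+trk,reg6=0x19d000/0xfffff00 actions=drop
cookie=0x6900000, duration=9.853s, table=243, n_packets=0, n_bytes=0, priority=1012,ct_state=+new+trk,ip,reg6=0x19cf00/0xfffff00 actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900001, duration=285.873s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19cf00/0xfffff00 actions=drop
cookie=0x6900001, duration=227.660s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19d000/0xfffff00 actions=drop
cookie=0x6900000, duration=160644.028s, table=243, n_packets=6, n_bytes=2028, priority=0 actions=drop
"""

def parse_flow(line):
    """Return (table, priority, match terms, actions); cookie and counters are dropped."""
    head, _, actions = line.strip().partition(" actions=")
    *stats, rule = head.split(", ")          # last field holds priority + match
    table = dict(kv.split("=", 1) for kv in stats)["table"]
    priority, *match = rule.split(",")
    return (int(table), int(priority.split("=", 1)[1]), frozenset(match), actions)

def flows(dump):
    """Parse every non-empty line of a dump into a set of comparable flows."""
    return {parse_flow(line) for line in dump.splitlines() if line.strip()}

def diff_flows(before, after):
    """Return (flows that disappeared, flows that appeared) between two dumps."""
    old, new = flows(before), flows(after)
    return old - new, new - old

def describe(flow):
    table, priority, match, actions = flow
    return f"table={table} priority={priority} {','.join(sorted(match))} -> {actions}"

if __name__ == "__main__":
    removed, added = diff_flows(BEFORE, AFTER)
    for flow in sorted(removed, key=lambda f: f[1]):
        print("removed:", describe(flow))
    for flow in sorted(added, key=lambda f: f[1]):
        print("added:  ", describe(flow))
```
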
      

       

          People

            Unassigned
            Arthi Bhattacharjee