  1. netvirt
  2. NETVIRT-158

ACL flows are missing when two SGs having some common rules are swapped for a VM


Details

    • Bug
    • Status: Resolved
    • Resolution: Done
    • Boron
    • None
    • General
    • None
    • Operating System: All
      Platform: All

    • 6756

    Description

      Steps to reproduce:

      1. Create network net1
      2. Create subnet subnet1 10.0.1.0/24
      3. Create security groups sg1 and sg2 having some common rules. 22/tcp (ingress/egress) is common between both sg1 and sg2.

      sg1:
        egress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
        egress, IPv4, 33/tcp, remote_ip_prefix: 0.0.0.0/0
        ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
        ingress, IPv4, 33/tcp, remote_ip_prefix: 0.0.0.0/0
      sg2:
        egress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
        egress, IPv4, 44/tcp, remote_ip_prefix: 0.0.0.0/0
        ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
        ingress, IPv4, 44/tcp, remote_ip_prefix: 0.0.0.0/0

      4. Create VM1 with sg1
      5. Edit security groups for VM1 and change it to sg2 instead of sg1.

      Observation:
      -------------
      The flows related to the rules common to both SGs sg1 and sg2 (i.e., 22/tcp on both ingress and egress) are not found.
      The flows below are missing:

      cookie=0x6900000, duration=6.342s, table=41, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,17)
      cookie=0x6900000, duration=6.359s, table=252, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,220)

      Expected behavior:
      --------------------
      The flows below are expected:
      cookie=0x6900000, duration=6.342s, table=41, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,17)
      cookie=0x6900000, duration=6.340s, table=41, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=44 actions=ct(commit,zone=5000),resubmit(,17)

      cookie=0x6900000, duration=6.359s, table=252, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,220)
      cookie=0x6900000, duration=6.352s, table=252, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=44 actions=ct(commit,zone=5000),resubmit(,220)
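
One way to check a node for this symptom, as an added example that is not part of the original report: it compares two flow dumps in the format shown above while ignoring the fields that change from dump to dump (duration and counters). The expected listing is copied from the report; the observed listing is constructed for illustration, and the function names are hypothetical.

```python
# Added example: diff two flow dumps, ignoring per-dump volatile fields.
VOLATILE = {"duration", "n_packets", "n_bytes", "idle_age", "hard_age"}

def flow_key(line):
    """Reduce one flow line to (table, sorted match fields, actions)."""
    head, sep, actions = line.strip().partition(" actions=")
    if not sep:
        return None  # blank line or not a flow entry
    fields = [f.strip() for f in head.split(",")]
    kept = [f for f in fields if f.split("=")[0] not in VOLATILE]
    table = next((int(f[6:]) for f in kept if f.startswith("table=")), None)
    if table is None:
        return None
    match = tuple(sorted(f for f in kept if not f.startswith("table=")))
    return (table, match, actions.strip())

def missing_flows(expected_dump, observed_dump):
    """Flows present in expected_dump but absent from observed_dump."""
    keys = lambda dump: {flow_key(l) for l in dump.splitlines()} - {None}
    return sorted(keys(expected_dump) - keys(observed_dump))

def summarize(keys):
    """(table, tp_dst) per flow key; tp_dst is None without a port match."""
    out = []
    for table, match, _ in keys:
        port = next((int(f[7:]) for f in match if f.startswith("tp_dst=")), None)
        out.append((table, port))
    return out

# Expected flows after switching VM1 to sg2, copied from the report.
EXPECTED = """
cookie=0x6900000, duration=6.342s, table=41, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,17)
cookie=0x6900000, duration=6.340s, table=41, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=44 actions=ct(commit,zone=5000),resubmit(,17)
cookie=0x6900000, duration=6.359s, table=252, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,220)
cookie=0x6900000, duration=6.352s, table=252, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=44 actions=ct(commit,zone=5000),resubmit(,220)
"""
# Constructed sample of the faulty state: only the 44/tcp flows are installed.
OBSERVED = """
cookie=0x6900000, duration=12.871s, table=41, n_packets=3, n_bytes=222, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=44 actions=ct(commit,zone=5000),resubmit(,17)
cookie=0x6900000, duration=12.880s, table=252, n_packets=1, n_bytes=74, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=44 actions=ct(commit,zone=5000),resubmit(,220)
"""

if __name__ == "__main__":
    print(summarize(missing_flows(EXPECTED, OBSERVED)))
```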


          People

            somashekar.byrappa@ericsson.com Somashekar Byrappa