[GBP-18] Conditions do not work correctly - especially with inheritance Created: 11/Mar/15  Updated: 11/Oct/15  Resolved: 11/Oct/15

Status: Resolved
Project: groupbasedpolicy
Component/s: General
Affects Version/s: unspecified
Fix Version/s: None

Type: Bug
Reporter: Keith Burns Assignee: Konstantin Blagov
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Issue Links:
Blocks
is blocked by GBP-22 Source condition group gets aliased w... Resolved
External issue ID: 2815
Priority: Normal

 Description   

Fixed in current work.

FlowIDs not updated (no reference to "cond", and hence FlowMap not updated).



 Comments   
Comment by Keith Burns [ 01/Apr/15 ]

See Deadline. EP conditions already raised as bug, will be dealt with in Li

Comment by Keith Burns [ 01/Apr/15 ]

See #2934, will address

Comment by Thomas Bachman [ 28/May/15 ]

With the following policy (just showing contract portion):

"contract": [
    {
        "id": "5c4b9e66-e014-4102-8058-cc44cfa0f803",
        "clause": [
            {
                "name": "allow-icmp-clause",
                "subject-refs": [ "allow-icmp-subject" ]
            },
            {
                "name": "allow-http-clause",
                "subject-refs": [ "allow-http-subject" ],
                "consumer-matchers": {
                    "consumer-matcher": [
                        {
                            "name": "infected-matcher",
                            "condition": [
                                { "name": "not-infected", "inclusion-rule": "include" }
                            ]
                        }
                    ]
                }
            }
        ]
    }
]

I would have expected that all Endpoints would be able to ping (covered by the "allow-icmp-clause" selecting the "allow-icmp-subject"), but only Endpoints with the "not-infected" condition to be able to pass HTTP traffic. However, I found that Endpoints with the "not-infected" condition couldn't ping. The reason is that their source condition group is different, which is stored in Nicira register 1 in our pipeline (in SourceMapper.java). When it reaches the PolicyEnforcer, the PolicyEnforcer tries matching ICMP on the "no conditions" value in register 1, and since the "not-infected" value is stored in register 1, the ICMP traffic isn't let through.

What's unclear is whether or not this is the expected behavior.
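
A simplified model of the behaviour described in the comment above, added here as an illustration; it is not part of the original comment and not GBP code. It assumes match-type "all", one flow per (condition group, subject) with an exact match on the register-1 value, and hypothetical function names; `expand_unconditioned=True` is one possible correction, not the change made in the linked review.

```python
# Constructed model of the contract quoted above (clause names from the comment).
NO_CONDITIONS = frozenset()
CLAUSES = [
    {"name": "allow-icmp-clause", "subject": "icmp", "conditions": []},
    {"name": "allow-http-clause", "subject": "http",
     "conditions": [{"name": "not-infected", "inclusion-rule": "include"}]},
]


def clause_applies(clause, ep_conditions):
    """Expected semantics: no matcher means the clause applies to everyone;
    otherwise every listed condition must be satisfied (match-type "all")."""
    for cond in clause["conditions"]:
        present = cond["name"] in ep_conditions
        # Assumption: any rule other than "include" requires absence.
        if present != (cond["inclusion-rule"] == "include"):
            return False
    return True


def allowed_expected(ep_conditions, traffic):
    return any(c["subject"] == traffic and clause_applies(c, ep_conditions)
               for c in CLAUSES)


def build_flows(groups, expand_unconditioned=False):
    """Reported behaviour: a clause without matchers is installed only for the
    "no conditions" group. expand_unconditioned=True installs it per group."""
    flows = set()
    for clause in CLAUSES:
        if not clause["conditions"] and not expand_unconditioned:
            flows.add((NO_CONDITIONS, clause["subject"]))
            continue
        flows.update((g, clause["subject"]) for g in groups
                     if clause_applies(clause, g))
    return flows


def mismatches(groups, expand_unconditioned=False):
    """Return (group, traffic, expected, enforced) wherever the two differ.
    Each group is a frozenset of condition names (the register-1 value)."""
    flows = build_flows(groups, expand_unconditioned)
    out = []
    for g in groups:
        for traffic in ("icmp", "http"):
            expected = allowed_expected(g, traffic)
            enforced = (g, traffic) in flows  # exact register-1 lookup
            if expected != enforced:
                out.append((sorted(g), traffic, expected, enforced))
    return out
```

Calling `mismatches` with the two groups from this issue (no conditions, and "not-infected") reports the single divergence described above: ICMP from the "not-infected" group is expected to pass but is not enforced as allowed.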

Comment by Konstantin Blagov [ 07/Jul/15 ]

These 2 fragments below show the corrected RESTconf, and I get the expected result, i.e. everyone can ping everyone, but only "not-infected" consumers can HTTP (those with no condition get "Connection timed out"). Will test further with "inclusion-rule": "excluded", and with both rules/conditions on different consumers.

POST http://controllerIp:port/restconf/operations/endpoint:register-endpoint
{
    "input": {
        "endpoint-group": "1eaf9a67-a171-42a8-9282-71cf702f61dd",
        "condition": [
            "not-infected"
        ],
        etc...

in PUT tenant:
...
"contract": [
    {
        "id": "22282cca-9a13-4d0c-a67e-a933ebb0b0ae",
        "subject": [
            {
                "name": "allow-icmp-subject",
                "rule": [
                    {
                        "name": "allow-icmp-rule",
                        "classifier-ref": [
                            { "name": "icmp" }
                        ],
                        "action-ref": [
                            { "name": "allow1", "order": 0 }
                        ]
                    }
                ]
            },
            {
                "name": "chain-http-subject",
                "rule": [
                    {
                        "name": "chain-http-rule",
                        "classifier-ref": [
                            { "name": "http-dest", "direction": "in" },
                            { "name": "http-src", "direction": "out" }
                        ],
                        "action-ref": [
                            { "name": "allow1", "order": 0 }
                        ]
                    }
                ]
            }
        ],
        "clause": [
            { "name": "allow-icmp-clause", "subject-refs": [ "allow-icmp-subject" ] },
            {
                "name": "chain-http-clause",
                "subject-refs": [
                    "chain-http-subject"
                ],
                "consumer-matchers": {
                    "condition-matcher": [
                        {
                            "name": "infected-matcher",
                            "match-type": "all",
                            "condition": [
                                { "name": "not-infected", "inclusion-rule": "include" }
                            ]
                        }
                    ]
                }
            }
        ]
    }
]
...

Comment by Konstantin Blagov [ 08/Jul/15 ]

After some testing, the result changed back to the initial one: "not-infected" EP can HTTP, but cannot ping any provider; EP without condition can ping and cannot curl (it's expected).

Comment by Konstantin Blagov [ 17/Jul/15 ]

https://git.opendaylight.org/gerrit/#/c/24230/

Generated at Wed Feb 07 20:00:56 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.