[GBP-69] BUG: Duplicate flows in policy enforcer

| Created: | 31/May/15 |
| Updated: | 15/Jun/15 |
| Due: | 01/Jun/15 |
| Resolved: | 15/Jun/15 |
| Status: | Resolved |
| Project: | groupbasedpolicy |
| Component/s: | General |
| Affects Version/s: | unspecified |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | Keith Burns |
| Assignee: | Martin Sunal |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 3460 |
| Priority: | Highest |

| Description |
When creating a Nova "port" with basic IPv4 ingress/egress: https://gist.github.com/3230000010f5f89d0404 I see flows filtered on subnet, i.e. leveraging EIC: https://gist.github.com/eaea3770ba4eb83cfb79 This is incorrect. EIC should be used in Neutron mapping for security-group rules with prefixes, not subnets that are provisioned. There may be subnets: 10.0.0.0/24, 10.0.1.0/24 and 10.0.3.0/24. Unless a user EXPLICITLY states a prefix rule in a security group, these should not be used. I.e. a user may specify a rule 10.0.0.0/8 and THAT should go into the EIC.
| Comments |

| Comment by Keith Burns [ 31/May/15 ] |

More data: Table4: POLICY_ENFORCER: Testing script on single node devstack: No prefix in security group rules.

| Comment by Keith Burns [ 31/May/15 ] |

I see the issue now, these are DHCP flows? Note that we don't have IP addresses in DHCP queries, hence it doesn't make sense to do this. DHCP is handled initially via broadcast, so will probably bypass this until the resolution phase. It may be worth having someone look at all the duplicate flows. Renaming bug and lowering priority.

| Comment by Keith Burns [ 01/Jun/15 ] |

You can use the below scripts to reproduce this.

| Comment by Martin Sunal [ 03/Jun/15 ] |

| Comment by Keith Burns [ 15/Jun/15 ] |

Resolved with FlowIds