[NETVIRT-1052] Default SG flow entries are overridden when ANY protocol SG is added to the server Created: 04/Jan/18  Updated: 06/Apr/18  Resolved: 06/Apr/18

Status: Resolved
Project: netvirt
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Medium
Reporter: Arthi Bhattacharjee Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Setup:

3 control nodes

2 compute nodes

3 controllers in cluster

Distro: Nitrogen formal release


Steps to reproduce the issue:

  1. Create a network
  2. Create a VM for the server. By default, default SG is applied to the VM and relevant flow entries are present in the dump-flows. (ip rule and ipv6 rule)
  3. Create a security group 
  4. Add ANY protocol rule (ingress and egress) to the security group 
  5. Apply the above security group to the VM

Observation:

There must be 2 ip rule flows but once SG is applied to the VM, ip rule is getting overridden.

 

DUMP-FLOWS

Default SG flows

cookie=0x6900001, duration=14.905s, table=243, n_packets=0, n_bytes=0, priority=62015,ct_state=+inv+trk,reg6=0x19d000/0xfffff00 actions=drop
cookie=0x6900000, duration=70.491s, table=243, n_packets=0, n_bytes=0, priority=1000,ct_state=+new+trk,ipv6,reg6=0x19cf00/0xfffff00,metadata=0xfa0/0xfffffe actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900000, duration=70.491s, table=243, n_packets=0, n_bytes=0, priority=1007,ct_state=+new+trk,ip,reg6=0x19cf00/0xfffff00,metadata=0xfa0/0xfffffe actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900001, duration=73.136s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19cf00/0xfffff00 actions=drop
cookie=0x6900001, duration=14.923s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19d000/0xfffff00 actions=drop
cookie=0x6900000, duration=160431.291s, table=243, n_packets=6, n_bytes=2028, priority=0 actions=drop

 

 After adding ANY_SG flows:

cookie=0x6900001, duration=227.642s, table=243, n_packets=0, n_bytes=0, priority=62015,ct_state=+inv+trk,reg6=0x19d000/0xfffff00 actions=drop
cookie=0x6900000, duration=9.853s, table=243, n_packets=0, n_bytes=0, priority=1012,ct_state=+new+trk,ip,reg6=0x19cf00/0xfffff00 actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900001, duration=285.873s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19cf00/0xfffff00 actions=drop
cookie=0x6900001, duration=227.660s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19d000/0xfffff00 actions=drop
cookie=0x6900000, duration=160644.028s, table=243, n_packets=6, n_bytes=2028, priority=0 actions=drop
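
One way to check for the condition reported above, as an added example (not code from the reporter or the netvirt project): it parses `dump-flows` text, keeps the table 243 flows that commit new connections, and lists every allow flow present before the SG change but absent afterwards. The function names are hypothetical, and the sample lines are a subset of the dumps quoted in this report.

```python
# Added example: find conntrack "allow" flows that vanish after an SG change.
# BEFORE/AFTER are a subset of the table 243 lines quoted in this report.
BEFORE = """\
cookie=0x6900000, duration=70.491s, table=243, n_packets=0, n_bytes=0, priority=1000,ct_state=+new+trk,ipv6,reg6=0x19cf00/0xfffff00,metadata=0xfa0/0xfffffe actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900000, duration=70.491s, table=243, n_packets=0, n_bytes=0, priority=1007,ct_state=+new+trk,ip,reg6=0x19cf00/0xfffff00,metadata=0xfa0/0xfffffe actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900001, duration=73.136s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19cf00/0xfffff00 actions=drop
"""
AFTER = """\
cookie=0x6900000, duration=9.853s, table=243, n_packets=0, n_bytes=0, priority=1012,ct_state=+new+trk,ip,reg6=0x19cf00/0xfffff00 actions=ct(commit,zone=5002),resubmit(,220)
cookie=0x6900001, duration=285.873s, table=243, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,reg6=0x19cf00/0xfffff00 actions=drop
"""
VOLATILE = {"cookie", "duration", "n_packets", "n_bytes"}  # differ on every dump


def parse_flow(line):
    """Split one dump-flows line into (match dict, actions string)."""
    head, _, actions = line.strip().partition(" actions=")
    match = {}
    for tok in head.split(","):
        key, sep, val = tok.strip().partition("=")
        if key:
            match[key] = val if sep else True  # bare keywords: ip, ipv6
    return match, actions


def allow_flows(dump, table="243"):
    """Map (reg6, ethertype) -> set of stable match signatures that commit to conntrack."""
    found = {}
    for line in dump.splitlines():
        match, actions = parse_flow(line)
        if match.get("table") != table or "ct(commit" not in actions:
            continue
        proto = "ipv6" if "ipv6" in match else "ip" if "ip" in match else "any"
        sig = frozenset((k, v) for k, v in match.items() if k not in VOLATILE)
        found.setdefault((match.get("reg6"), proto), set()).add(sig)
    return found


def lost_flows(before, after):
    """List (reg6, ethertype, priority) for allow flows present before but not after."""
    old, new = allow_flows(before), allow_flows(after)
    lost = []
    for (reg6, proto), sigs in old.items():
        for sig in sigs - new.get((reg6, proto), set()):
            lost.append((reg6, proto, dict(sig)["priority"]))
    return sorted(lost)


if __name__ == "__main__":
    for reg6, proto, prio in lost_flows(BEFORE, AFTER):
        print(f"missing allow flow: reg6={reg6} {proto} priority={prio}")
```

Because priority and metadata are part of the signature, the priority 1012 flow in the second dump does not count as a replacement for the default SG flows.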

 



 Comments   
Comment by Vinh Nguyen [ 06/Apr/18 ]

Issue reported/fixed in Boron. New netvirt doesn't have this problem

Generated at Wed Feb 07 20:23:07 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.