[NETVIRT-125] Security Groups (all implementations) - port_security extension and default DHCP/ICMP drop rules

Created: 08/Sep/16 | Updated: 03/May/18 | Resolved: 03/Dec/16

| Status: | Resolved |
| Project: | netvirt |
| Component/s: | General |
| Affects Version/s: | Boron |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | Alon Kochba | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 6668 |
| Description |

These rules are configured when using transparent security groups - they are inherited from the generic SG implementation, and are automatically configured for all implementations. In addition, when extension_drivers = port_security is NOT configured in the neutron ml2_conf.ini, this causes DHCP to NOT WORK.

cookie=0x6900000, duration=1376.923s, table=40, n_packets=0, n_bytes=0, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=68,tp_dst=67 actions=resubmit(,17)

| Comments |
| Comment by Aswin Suryanarayanan [ 09/Sep/16 ] |

The service binding and default flows are removed from transparent SG [1]. So with this, if the port security extension is not configured, SG mode should be transparent in ODL.

[1] https://git.opendaylight.org/gerrit/#/c/45418/

| Comment by Alon Kochba [ 03/Nov/16 ] |

(In reply to Aswin Suryanarayanan from comment #1)

Hi Aswin,

It seems you merged 45418 so I assume this ticket is off your radar.

| Comment by Aswin Suryanarayanan [ 10/Nov/16 ] |

Alon,

> In addition, when extension_drivers = port_security is NOT configured in the
> neutron ml2_conf.ini, this causes DHCP to NOT WORK.

When this is not configured, the is_port security enabled will return false (I hope that is the default value). If so, I think no rules will be configured; it should be similar to transparent, as we check for is_port security enabled.

| Comment by Alon Kochba [ 22/Nov/16 ] |

(In reply to Aswin Suryanarayanan from comment #3)

Aswin, missed your reply. It seems Isaku attempted to fix it for old netvirt, we probably need the same in new netvirt.

| Comment by Aswin Suryanarayanan [ 03/Dec/16 ] |

This is now addressed. SG will not be inserted for network ports.