[#NETVIRT-158] ACL flows are missing when two SG's having some common rules are swapped for a VM

[NETVIRT-158] ACL flows are missing when two SG's having some common rules are swapped for a VM Created: 20/Sep/16 Updated: 27/Sep/16 Resolved: 27/Sep/16
Status:	Resolved
Project:	netvirt
Component/s:	General
Affects Version/s:	Boron
Fix Version/s:	None

Type:

Bug

Reporter:

Somashekar Byrappa

Assignee:

Somashekar Byrappa

Resolution:

Done

Votes:

Labels:

None

Remaining Estimate:

Not Specified

Time Spent:

Not Specified

Original Estimate:

Not Specified

Environment:

Operating System: All
Platform: All

External issue ID:

6756

Description

Steps to reproduce:

1. Create network net1
2. Create subnet subnet1 10.0.1.0/24
3. Create security group sg1 and sg2 having some common rules. 22/tcp (ingress/egress) is common between both sg1 and sg2.

sg1	egress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
	egress, IPv4, 33/tcp, remote_ip_prefix: 0.0.0.0/0
	ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
	ingress, IPv4, 33/tcp, remote_ip_prefix: 0.0.0.0/0

sg2	egress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
	egress, IPv4, 44/tcp, remote_ip_prefix: 0.0.0.0/0
	ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
	ingress, IPv4, 44/tcp, remote_ip_prefix: 0.0.0.0/0

4. Create VM1 with sg1
5. Edit security groups for VM1 and change it to sg2 instead of sg1.

Observation:
-------------
The flows related to the common rules (i.e., 22/tcp on both ingress and egress) among both SG's sg1 and sg2 are not found.
Below flows are missing:

cookie=0x6900000, duration=6.342s, table=41, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,17)
cookie=0x6900000, duration=6.359s, table=252, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,220)

Expected behavior:
--------------------
Below flows are expected.
cookie=0x6900000, duration=6.342s, table=41, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,17)
cookie=0x6900000, duration=6.340s, table=41, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=44 actions=ct(commit,zone=5000),resubmit(,17)

cookie=0x6900000, duration=6.359s, table=252, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=22 actions=ct(commit,zone=5000),resubmit(,220)
cookie=0x6900000, duration=6.352s, table=252, n_packets=0, n_bytes=0, priority=61010,ct_state=+new+trk,tcp,metadata=0x30000000000/0x1fffff0000000000,tp_dst=44 actions=ct(commit,zone=5000),resubmit(,220)

Comments

Comment by Somashekar Byrappa [ 21/Sep/16 ]

https://git.opendaylight.org/gerrit/#/c/45892/2
https://git.opendaylight.org/gerrit/#/c/45957/1

Generated at Wed Feb 07 20:20:51 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.

[NETVIRT-158] ACL flows are missing when two SG's having some common rules are swapped for a VM Created: 20/Sep/16 Updated: 27/Sep/16 Resolved: 27/Sep/16