[NETVIRT-248] Sg - Missing src and dst port in learn rule for All Tcp and All Udp Created: 07/Nov/16  Updated: 15/Nov/16  Resolved: 15/Nov/16

Status: Resolved
Project: netvirt
Component/s: General
Affects Version/s: Boron
Fix Version/s: None

Type: Bug
Reporter: zan cohen Assignee: Alon Kochba
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Attachments: port missing in rule.docx (Microsoft Word), screen-karaf.zip (Zip Archive)
External issue ID: 7105

Description

Description:
*************
Launch 2 VMs in the same network on different hosts:
vm_x (Sg1 = egress for TCP 80 + all TCP), vm_y (Sg2 = all protocols, ingress & egress).

Action
*******
Try to open SSH from vm_x -> vm_y: succeeds.
Try to open SSH from vm_y -> vm_x: succeeds (should fail!!!)

Defect
******
As can be seen in the All TCP rule in table 42, there is no src and dst port.
This results in a condition where packets from the external VM are admitted by the learned rule.

Note!!
*******
Need to check for both All Tcp and All Icmp

root@devstack-man21-zan:~# ovs-ofctl dump-flows -OOpenFlow13 br-int | grep table=42
cookie=0x6900000, duration=1056.458s, table=42, n_packets=0, n_bytes=0, priority=61010,reg5=0x1 actions=resubmit(,17)
cookie=0x6900000, duration=446.635s, table=42, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x40000000000/0x1fffff0000000000,tp_dst=80 actions=learn(table=252,idle_timeout=18000,fin_idle_timeout=300,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,17)
cookie=0x6900000, duration=446.635s, table=42, n_packets=15, n_bytes=2506, priority=61010,tcp,metadata=0x40000000000/0x1fffff0000000000 actions=learn(table=252,idle_timeout=300,priority=61010,cookie=0x6900000,eth_type=0x800,NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_IP_PROTO[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,17)
cookie=0x6900000, duration=1056.615s, table=42, n_packets=15, n_bytes=1418, priority=0 actions=drop



Comments
Comment by zan cohen [ 07/Nov/16 ]

Attachment port missing in rule.docx has been added with description: Missing information in All tcp rule

Comment by zan cohen [ 07/Nov/16 ]

Attachment screen-karaf.zip has been added with description: Karaf logs

Comment by Alon Kochba [ 08/Nov/16 ]

Nice find.
First major bug (regression) - in LearnIngressAcl/LearnEgressAcl, we check ifTcp or ifUdp according to the existence of a src/dst port match. This is wrong, we should check if ip_proto = TCP or UDP, since for all ports we don't set a src/dst at all.

This raises another issue, though we might have to live with it as a known issue - if you were to configure an egress ALLOW ALL IP rule, the same would happen, and the above proposal would not fix it.
Of course this only happens if you already SSHed in from vm_x->vm_y, and until the idle timeout expires.
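
Added example (my own code, not Alon's or the netvirt project's): a check that flags table=42 learn flows which match tcp/udp but learn no L4 port swap for the reverse flow, run over the two learn flows from the dump above, plus an illustration of choosing the learn fields by IP protocol number as this comment proposes. The function names and the trimmed flow lines are constructed for the example.

```python
import re

# Constructed sample: the two table=42 learn flows and the drop flow from the
# ticket's ovs-ofctl dump, with cookie/duration/counters trimmed off.
SAMPLE_DUMP = """\
priority=61010,tcp,metadata=0x40000000000/0x1fffff0000000000,tp_dst=80 actions=learn(table=252,idle_timeout=18000,fin_idle_timeout=300,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,17)
priority=61010,tcp,metadata=0x40000000000/0x1fffff0000000000 actions=learn(table=252,idle_timeout=300,priority=61010,cookie=0x6900000,eth_type=0x800,NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_IP_PROTO[],load:0x1->NXM_NX_REG5[0..7]),resubmit(,17)
priority=0 actions=drop
"""

# The reverse-direction L4 fields a learn() must carry for each protocol.
L4_FIELDS = {"tcp": ("NXM_OF_TCP_SRC", "NXM_OF_TCP_DST"),
             "udp": ("NXM_OF_UDP_SRC", "NXM_OF_UDP_DST")}

def parse_flow(line):
    """Return (set of match keys, learn() spec or None) for one flow line."""
    match_part, _, actions = line.partition(" actions=")
    match_keys = {tok.split("=", 1)[0] for tok in match_part.split(",")}
    m = re.search(r"learn\(([^)]*)\)", actions)
    return match_keys, (m.group(1) if m else None)

def learn_is_incomplete(line):
    """True when a tcp/udp flow installs a learn() that does not pin both
    L4 ports of the reverse flow: the learned entry then admits any
    connection of that protocol between the two IPs, not just the reply."""
    match_keys, learn = parse_flow(line)
    if learn is None:
        return False
    for proto, fields in L4_FIELDS.items():
        if proto in match_keys:
            return not all(f in learn for f in fields)
    return False

def audit(dump):
    """Flow lines (from `ovs-ofctl dump-flows ... | grep table=42`) with the defect."""
    return [ln for ln in dump.splitlines() if learn_is_incomplete(ln)]

def reverse_learn_fields(nw_proto):
    """Learn fields chosen by IP protocol number (6=TCP, 17=UDP), not by whether
    a port match exists, as the comment above proposes (illustration only, not
    the project's code): an 'all TCP' rule with no tp_src/tp_dst still learns ports."""
    fields = ["NXM_OF_IP_SRC[]=NXM_OF_IP_DST[]", "NXM_OF_IP_DST[]=NXM_OF_IP_SRC[]"]
    l4 = {6: "TCP", 17: "UDP"}.get(nw_proto)
    if l4:
        fields += [f"NXM_OF_{l4}_SRC[]=NXM_OF_{l4}_DST[]",
                   f"NXM_OF_{l4}_DST[]=NXM_OF_{l4}_SRC[]"]
    return fields
```

Running audit(SAMPLE_DUMP) returns only the second learn flow (the "all TCP" one), matching the defect described in the ticket.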

Comment by Alon Kochba [ 15/Nov/16 ]

https://git.opendaylight.org/gerrit/#/c/48135/

Generated at Wed Feb 07 20:21:05 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.