[NETVIRT-431] Unable to add an ingress security group rule when the remote-ip-prefix is un-masked Created: 16/Jan/17  Updated: 08/Apr/19  Resolved: 06/Jul/17

Status: Resolved
Project: netvirt
Component/s: General
Affects Version/s: Carbon
Fix Version/s: None

Type: Bug
Reporter: Sridhar Gaddam Assignee: Unassigned
Resolution: Cannot Reproduce Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All

External issue ID: 7546

 Description   

Setup:
1. Stateful Security Groups enabled.
2. Create a tenant network with an IPv4 subnet and associate it to a Neutron router.
3. Create an external FLAT network with IPv4 subnet and associate the external network to the router.
4. Spawn a VM on the tenant network and associate a floating-ip to the VM.
5. Add an ingress security group rule with an unmasked remote-ip-prefix (f.e., 172.16.1.20/24)

You can see that ACL service does not program this flow in Table 252.
However, if we add the same ingress ACL rule with a masked prefix (i.e., 172.16.1.0/24), it works fine.

There is no error in karaf when step-5 is executed. So user will not be aware of this issue.
Though we can expect that user always enter a masked prefix, IMHO its good to support this use-case by handling this in ACL Service.

 Comments   
Comment by Sam Hague [ 18/Jan/17 ]

(In reply to Sridhar Gaddam from comment #0)
> Setup:
> 1. Stateful Security Groups enabled.
> 2. Create a tenant network with an IPv4 subnet and associate it to a Neutron
> router.
> 3. Create an external FLAT network with IPv4 subnet and associate the
> external network to the router.
> 4. Spawn a VM on the tenant network and associate a floating-ip to the VM.
> 5. Add an ingress security group rule with an unmasked remote-ip-prefix
> (f.e., 172.16.1.20/24)
>
> You can see that ACL service does not program this flow in Table 252.
> However, if we add the same ingress ACL rule with a masked prefix (i.e.,
> 172.16.1.0/24), it works fine.
>
> There is no error in karaf when step-5 is executed. So user will not be
> aware of this issue.
> Though we can expect that user always enter a masked prefix, IMHO its good
> to support this use-case by handling this in ACL Service.

Did you mean /24 for the unmasked case or should that be /32?

Comment by Sridhar Gaddam [ 19/Jan/17 ]

I meant /24 only. Agree that Ideally user should enter the prefix as "172.16.1.0/24", but IMHO even if he accidentally enters "172.16.1.20/24" we should be able to support.

Comment by balakrishnan k [ 06/Jul/17 ]

(In reply to Sridhar Gaddam from comment #2)
> I meant /24 only. Agree that Ideally user should enter the prefix as
> "172.16.1.0/24", but IMHO even if he accidentally enters "172.16.1.20/24" we
> should be able to support.

Hi Sridhar,
similar discussion happened on this bug.
https://bugs.opendaylight.org/show_bug.cgi?id=8561
OF Plugin says issue with OVS ,when OF plugin teying to push the flow using "/24" with fixed IP OVS returns error.

Generated at Wed Feb 07 20:21:32 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.