below is a trimmed email exchange that might provide better context to the issue.
Hi Shashidhar,
Since this behavior is currently breaking a use case in CSIT for the stateful implementation, could you please open a bug and update when a fix is available?
I also wonder why this case has been working for learn SG implementation - is there a possible bug there being too permissive?
Thanks,
--alon
----Original Message----
From: Shashidhar R shashidharr@altencalsoftlabs.com
Hi Daya,
Extra routes were not considered with ACL earlier; we will work on providing the fix.
Thanks,
Shashidhar
----Original Message----
From: Dayavanti Gopal Kamath dayavanti.gopal.kamath@ericsson.com
Hi Shashidhar,
Allowed_address_pair and extra routes are both peer neutron API, one should not call the other, rather both should translate into acl service api for programming the egress acl table entry with exceptions for the corresponding IP addresses, or routes as needed.
Thanks,
daya
----Original Message----
From: Shashidhar R shashidharr@altencalsoftlabs.com
Hi Hanamant,
You can use "allowed_address_pairs" parameter of Neutron port to specify additional IP/MAC pairs along with VM's fixed IP/MAC addresses. ACL will program all the required flows for ip/mac specified in "allowed_address_pairs" along with fixed ip/mac.
Thanks,
Shashidhar
----Original Message----
From: HANAMANTAGOUD V Kandagal hanamantagoud.v.kandagal@ericsson.com
Hi Aswin ,
I see that extra-route IP 50.1.1.2 (ex: 50.1.1.2 behind 10.1.1.3 in below testcase) is not programmed in Egress-ACL-Table.
Hence a ICMP packet to 50.1.1.2 from 10.1.1.4 gets dropped.
cookie=0x90111ab, duration=26.154s, table=36, n_packets=3, n_bytes=294, priority=5,tun_id=0x111ab actions=group:150007
group_id=150007,type=all,bucket=actions=set_field:fa:16:3e:df:81:fa->eth_dst,load:0x5c00->NXM_NX_REG6[],resubmit(,220)
cookie=0x6900000, duration=199.173s, table=220, n_packets=205, n_bytes=28355, priority=6,reg6=0x5c00 actions=load:0xe0005c00->NXM_NX_REG6[],write_metadata:0xe0005c0000000000/0xfffffffffffffffe,goto_table:251
cookie=0x6900000, duration=199.305s, table=251, n_packets=177, n_bytes=25632, priority=61010,ip,dl_dst=fa:16:3e:df:81:fa,nw_dst=10.1.1.3 actions=ct(table=252,zone=5035)
cookie=0x6900000, duration=3914.913s, table=251, n_packets=84, n_bytes=14390, priority=0 actions=drop
Thank you,
Hanamantagoud V Kandagal
Cloud SDN controller
Bangalore
The above link posted by Jamo i.e., :
https://logs.opendaylight.org/releng/jenkins092/netvirt-csit-1node-openstack-newton-upstream-transparent-boron/487/archives/log.html.gz#s1-s4-t10
has been analyzed and the failure has been root-caused same as 7939.
The fix for the same on stable/boron is waiting here:
https://git.opendaylight.org/gerrit/53772
https://git.opendaylight.org/gerrit/54272
We should land them both into stable/boron and only then we should revisit this bug.