[NETVIRT-499] Flows not added for TCP security group rule with no min/max Created: 28/Feb/17  Updated: 09/Mar/18  Resolved: 09/Mar/18

Status: Resolved
Project: netvirt
Component/s: None
Affects Version/s: Boron
Fix Version/s: None

Type: Bug Priority: Medium
Reporter: Vinh Nguyen Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All

External issue ID: 7863

 Description   

ODL version: Boron SR2

When add a simple TCP egress rule from command line, there is no flow added to the OVS even though karaf log shows the flow is written successfully.

Steps to reproduce:

  • create network/subnet
  • create SG sg1
  • create egress TCP rule from command line below:

neutron security-group-rule-create --direction egress --protocol tcp --ethertype IPv4

  • create vm1 with sg1
  • expect: flow entries for allowing tcp egress from the vm added to the switch
  • actual: no flow entries for allowing tcp egress added to the switch

This issue might happen for adding TCP ingress rule and UDP ingress/egress rules to VM as well.

 Comments   
Comment by Vinh Nguyen [ 28/Feb/17 ]

The ovs-vswitch shows the following errors flow entries for the TCP/UDP all range are pushed down:

2017-02-28T11:21:30.508Z|00126|meta_flow|WARN|source field tcp_dst lacks correct prerequisites
2017-02-28T11:21:30.509Z|00127|connmgr|INFO|br-int<->tcp:192.168.254.41:6653: sending OFPBAC_MATCH_INCONSISTENT error reply to OFPT_FLOW_MOD message

Further investigation shows that the flow entry does not have the layer 4 information, hence the error messages

Comment by Vinh Nguyen [ 01/Mar/17 ]

Code review:
stable/boron
https://git.opendaylight.org/gerrit/#/c/52426/

master
https://git.opendaylight.org/gerrit/#/c/52519/

Generated at Wed Feb 07 20:21:43 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.