[NETVIRT-67] Stateful SG - DHCP packets aren't allowed Created: 15/Aug/16 Updated: 03/May/18 Resolved: 18/Aug/16 |
|
| Status: | Resolved |
| Project: | netvirt |
| Component/s: | General |
| Affects Version/s: | Boron |
| Fix Version/s: | None |
| Type: | Bug | ||
| Reporter: | Alon Kochba | Assignee: | Aswin Suryanarayanan |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Operating System: All |
||
| External issue ID: | 6423 |
| Description |
|
DHCP packets do not pass the stateful SG, resulting in a drop in the DHCP request and no IP assignment to the VM. For the request - the source port is 68 and the destination 67, but it seems that an egress (251) rule for this is missing, only the opposite direction exists (for response). The request falls on the drop rule. Same for the response in tables 40/41. Adding default flows for allow for both srcport 67 -> dstport 68 and the opposite direction, both for ingress and egress solved the DHCP. Same for using transparent SG instead of stateful. In any case these flows seem to be missing and not symmetric: root@alonko-devstack1:~# ovs-ofctl -OOpenFlow13 dump-flows br-int | grep "tp_src=67|tp_dst=67" |
| Comments |
| Comment by Aswin Suryanarayanan [ 16/Aug/16 ] |
|
The dhcp port should not have SG associated. DHCP port will be created with portsecurityenabled=true and later it will be updated to false. The update even was getting ignored and thus the port is bound with acl-service. Beyond that there was an issue with priority in egress pipeline. The same is addressed as well.[1] |
| Comment by Aswin Suryanarayanan [ 18/Aug/16 ] |