Operating System: All
Platform: All

Attachment dump-flows.txt has been added with description: Dump-flows

Attachment karaf_logs.zip has been added with description: Karaf logs

Additional issue found:

Steps:

• Created SG1 with ICMP all ingress and egress rules.
• Created 2 VMs with SG1 and verified ping communication between the VMs.
• Removed ICMP all ingress and egress rules from SG1.
• Verified Ping communication between VMS

Observation:

• The communication between the VM is still working and flows are sustained.

Expected behavior:

• Ping has to fail.

Note:
While adding/removing rules from SG1, flows are not added/removed appropriately.

Following is the observation for the bug:
Flows are not installed when the last rule that is removed from the Security Group and after deleting the all rules, first rule that is added to the same security group.

Patch ref:: https://git.opendaylight.org/gerrit/#/c/56279
Class: AclEventListener.java

if (!AclServiceUtils.isOfAclInterest(aclAfter) || !AclServiceUtils.isOfAclInterest(aclBefore)) {
LOG.trace("before {} and/or after {} does not have SecurityRuleAttr augmentation",
aclBefore.getAclName(), aclAfter.getAclName());
return;
}
When the event is received, the above condition checks whether before and after ACL are not empty.
If either of those are empty, deletion and addition of rules are not processed.

Scenario#1: While deleting last rule from the Security Group.
-> AclServiceUtils.isOfAclInterest(aclAfter) is false. Thus, the condition satisfied and returns from the method.
-> Because aclAfter is empty.

Scenario#2: While adding the first rule to the same Security Group after deleting the previous rules
-> AclServiceUtils.isOfAclInterest(aclAfter) will be true but, AclServiceUtils.isOfAclInterest(aclBefore) will be false. Thus, the condition satisfied and returns from the method.
-> Because aclBefore is empty.

Patch fix: https://git.opendaylight.org/gerrit/#/c/59213/