[NETVIRT-92] Restart to an VM instance in OpenStack bypass ACL flows
Created: 23/Aug/16 | Updated: 03/May/18 | Resolved: 30/Aug/16

| Status: | Resolved |
| Project: | netvirt |
| Component/s: | General |
| Affects Version/s: | Boron |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | Tomer Pearl |
| Assignee: | Aswin Suryanarayanan |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 6514 |
| Priority: | High |
| Description |

I have created 3 instances on a private network in OpenStack, without a router (so I'm not using the L3 pipeline): two instances on one compute and the third instance on a different compute. I have observed that there is no ping from the DHCP to the instances (and between themselves). Restarting an instance (in the OpenStack GUI) causes the flows in table 220 to change their actions: instead of a goto table 251 instruction, there is now an output to a port, which causes the ping to pass (both request and reply). The same thing happens for an instance on a different compute: I ran ping from the DHCP server to an instance on a different compute, and a restart of the instance caused the flows in the remote OVS to bypass the ACL table as well.

| Comments |
| Comment by Aswin Suryanarayanan [ 24/Aug/16 ] |

The AclInterface cache was getting cleaned on an interface state change. So when a VM is restarted, the ACL rules will be cleaned for stop (for the interface down) and will be added again when the VM starts (interface up). Patch [1] is pushed to fix the same.

[1] https://git.opendaylight.org/gerrit/#/c/44607/
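
The symptom in the description above (table 220 flows that output straight to a port instead of going to table 251) can be checked for in an `ovs-ofctl dump-flows` capture. The following is an added example, not part of the original issue or the netvirt code base; the sample dump is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in `ovs-ofctl dump-flows` style (not captured from a real
# switch). Match fields are made up; only table= and actions= are inspected.
SAMPLE_DUMP = """\
 cookie=0x0, duration=10.1s, table=220, n_packets=4, n_bytes=392, priority=9,reg6=0x100 actions=goto_table:251
 cookie=0x0, duration=3.2s, table=220, n_packets=7, n_bytes=686, priority=9,reg6=0x200 actions=output:5
 cookie=0x0, duration=8.7s, table=220, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x0, duration=9.0s, table=251, n_packets=0, n_bytes=0, priority=0 actions=resubmit(,220)
"""


def split_actions(actions):
    """Split on commas outside parentheses, keeping e.g. resubmit(,220) whole."""
    parts, depth, cur = [], 0, ""
    for ch in actions:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def acl_bypass_flows(dump, dispatch_table=220, acl_table=251):
    """Return (flow_line, output_actions) for flows that output without the ACL goto."""
    findings = []
    for line in dump.splitlines():
        table = re.search(r"\btable=(\d+)", line)
        if not table or "actions=" not in line:
            continue  # not a flow entry (e.g. the reply header line)
        if int(table.group(1)) != dispatch_table:
            continue
        actions = split_actions(line.split("actions=", 1)[1].strip())
        outputs = [a for a in actions if a.startswith("output")]
        if outputs and f"goto_table:{acl_table}" not in actions:
            findings.append((line.strip(), outputs))
    return findings


if __name__ == "__main__":
    for flow, outputs in acl_bypass_flows(SAMPLE_DUMP):
        print("ACL bypass candidate:", outputs, "<-", flow)
```

Running the check before and after an instance restart shows whether the table 220 flows for that port kept their goto to table 251.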