https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/NETVIRT-125 netvirt <p>These rules are configured when using transparent security groups - they are inherited from the generic SG implementation, and are automatically configured for all implementations.<br/> The part that is bothering us are the drop flows - why would any drop flows be configured, when the default OpenStack behavior is drop for everything?<br/> It would make sense to only explicitly allow certain traffic (such as DHCP requests in ingress and DHCP responses in egress).</p> <p>In addition, when extension_drivers = port_security is NOT configured in the neutron ml2_conf.ini, this causes DHCP to NOT WORK.<br/> This is because it is assumed that the qdhcp ports will always have port_security disabled by default. The problem is that this requires the port_security extension driver to actually be configured.<br/> We need to handle the case where it is not configured, and also consider getting rid of default drop rules - the point of transparent SG was that users that don't care about security don't have to deal with it.</p> <p>cookie=0x6900000, duration=1376.923s, table=40, n_packets=0, n_bytes=0, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=68,tp_dst=67 actions=resubmit(,17)<br/> cookie=0x6900000, duration=1376.921s, table=40, n_packets=0, n_bytes=0, priority=63010,udp6,metadata=0x20000000000/0x1fffff0000000000,tp_src=546,tp_dst=547 actions=resubmit(,17)<br/> cookie=0x6900000, duration=1376.920s, table=40, n_packets=3, n_bytes=1122, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=67,tp_dst=68 actions=drop<br/> cookie=0x6900000, duration=1376.919s, table=40, n_packets=0, n_bytes=0, priority=63010,udp6,metadata=0x20000000000/0x1fffff0000000000,tp_src=547,tp_dst=546 actions=drop<br/> cookie=0x6900000, duration=1376.917s, table=40, n_packets=0, n_bytes=0, priority=63020,icmp6,metadata=0x20000000000/0x1fffff0000000000,icmp_type=134,icmp_code=0 actions=drop<br/> cookie=0x6900000, duration=1376.917s, table=40, n_packets=0, n_bytes=0, priority=63010,icmp6,metadata=0x20000000000/0x1fffff0000000000 actions=resubmit(,17)<br/> cookie=0x6900000, duration=1376.915s, table=40, n_packets=10, n_bytes=420, priority=63010,arp,metadata=0x20000000000/0x1fffff0000000000,arp_sha=fa:16:3e:94:72:e8 actions=resubmit(,17)<br/> cookie=0x6900000, duration=1568.523s, table=40, n_packets=0, n_bytes=0, priority=0 actions=goto_table:41<br/> cookie=0x6900000, duration=1568.524s, table=41, n_packets=3, n_bytes=804, priority=0 actions=resubmit(,17)</p> <p>Operating System: All<br/> Platform: All</p> NETVIRT-125

Security Groups (all implementations) - port_security extension and default DHCP/ICMP drop rules

Bug Resolved Done Unassigned Alon Kochba Thu, 8 Sep 2016 11:00:25 +0000 Thu, 3 May 2018 14:36:59 +0000 Sat, 3 Dec 2016 08:33:17 +0000 Boron General 0 2 <p>The service binding and default flows are removed from transparent SG <span class="error">&#91;1&#93;</span>.</p> <p>So with this if portsecurity extension is not configured , SG mode should be transparent in ODL.</p> <p><span class="error">&#91;1&#93;</span>https://git.opendaylight.org/gerrit/#/c/45418/</p> <p>(In reply to Aswin Suryanarayanan from comment #1)<br/> &gt; The service binding and default flows are removed from transparent SG <span class="error">&#91;1&#93;</span>.<br/> &gt; <br/> &gt; So with this if portsecurity extension is not configured , SG mode should be<br/> &gt; transparent in ODL.<br/> &gt; <br/> &gt; <span class="error">&#91;1&#93;</span>https://git.opendaylight.org/gerrit/#/c/45418/</p> <p>Hi Aswin,</p> <p>It seems you merged 45418 so I assume this ticket is off your radar.<br/> However I think it's important we fix the case where port_security is disabled for learn/stateful SG use cases as well - do you want to keep this ticket as reminder?</p> <p>Alon,</p> <p>&gt;In addition, when extension_drivers = port_security is NOT configured in the &gt;neutron ml2_conf.ini, this causes DHCP to NOT WORK.</p> <p>When this is not configured the is_port security enabled will return false(I hope that is the default value). If so I think no rules will be configured, it should be similar as transparent as we check for is_port security enabled</p> <p>(In reply to Aswin Suryanarayanan from comment #3)<br/> &gt; Alon,<br/> &gt; <br/> &gt; &gt;In addition, when extension_drivers = port_security is NOT configured in the &gt;neutron ml2_conf.ini, this causes DHCP to NOT WORK.<br/> &gt; <br/> &gt; When this is not configured the is_port security enabled will return false(I<br/> &gt; hope that is the default value). If so I think no rules will be configured,<br/> &gt; it should be similar as transparent as we check for is_port security enabled</p> <p>Aswin, missed your reply.<br/> The problem is that when it isn't enabled, there is no port_security field at all (so no default value).</p> <p>It seems Isaku attempted to fix it for old netvirt, we probably need the same in new netvirt.<br/> <a href="https://git.opendaylight.org/gerrit/#/c/48355" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/48355</a></p> <p>This is now addressed. SG will not be inserted for network ports.</p> <p><a href="https://git.opendaylight.org/gerrit/#/c/48902/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/48902/</a></p> Development External issue ID 6668 External issue URL Rank 0|i01pvb: