OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [NETVIRT-160] Learn SG - correct matches for rules for ICMP and other general changes https://jira.opendaylight.org/browse/NETVIRT-160 netvirt <p>1. When configuring an ICMP allow rule - I got this:<br/> table=42, priority=61010,ip,metadata=0x30000000000/0x1fffff0000000000 actions=learn(table=252,idle_timeout=60,hard_timeout=60,priority=61010,cookie=0x6900000,eth_type=0x800,NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_PROTO[],load:0x1-&gt;NXM_NX_REG6<span class="error">&#91;0..7&#93;</span>),resubmit(,17)</p> <p>We need to match on ICMP not IP in this case - otherwise it conflicts with other SG rules</p> <p>2. Why dont we match on both directions of IP? This would be more correct - add NXM_OF_IP_DST[]=NXM_OF_IP_SRC[]</p> <p>Operating System: All<br/> Platform: All</p> NETVIRT-160 Learn SG - correct matches for rules for ICMP and other general changes Bug Resolved Done Unassigned Alon Kochba Wed, 21 Sep 2016 11:30:42 +0000 Thu, 19 Oct 2017 21:27:55 +0000 Tue, 25 Oct 2016 08:45:45 +0000 Carbon General 0 1 <p>(1) is my mistake - irrelevant, it does work ok.</p> <p>(2) should be added AND we are also missing much more important rules, for TCP for example we need to add NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[], otherwise we allow all packets from source port 80 to pass, without validating the connection:</p> <p>table=252, idle_timeout=3600, hard_timeout=3600, priority=61010,tcp,nw_src=8.8.8.8,tp_src=80 actions=fin_timeout(idle_timeout=60,hard_timeout=60),load:0x1-&gt;NXM_NX_REG6<span class="error">&#91;0..7&#93;</span></p> <p>3. Currently these 252 (or 41) rules will allow this for all VMs - we need to support this per-VM that has the security group - ideally the metadata lport should be used, but i'm not sure we can configure that with learn - maybe this logic needs to be in the first ACL table (251 or 40)</p> <p>More on this - it makes no point to set a hard timeout like the idle timeout. We probably don't even want a hard timeout.</p> <p>And idle timeout should be 5 hours for TCP.<br/> 60 second for other protocols</p> <p>If possible, I would also remove the drop rules from tables 41 and 252 - because of the double resubmit they don't really drop anything, so they just confuse debugging in this case</p> <p>fixed in <a href="https://git.opendaylight.org/gerrit/#/c/46884/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/46884/</a></p> Development External issue ID 6769 External issue URL Rank 0|i01q33: