https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/NETVIRT-248 netvirt <p>Description:<br/> *************<br/> Lunch 2 vms in same network and different Hosts:<br/> vm_x(Sg1=egress for Tcp 80+ALL tcp),vm_y(Sg2=All protocol - ingress&amp;Egress).</p> <p>Action<br/> *******<br/> Try to open ssh from vm_x-&gt;vm_y - succeed <br/> Try to open ssh from vm_y-&gt;vm_x - succeed (should fail!!!)</p> <p>Defect<br/> ******<br/> As it can be seen in All Tcp rule in table 42,no src and dst port.<br/> This cause to condition that packets from external vm can send packets on learn rule.</p> <p>Note!!<br/> *******<br/> Need to check for both All Tcp and All Icmp</p> <p>root@devstack-man21-zan:~# ovs-ofctl dump-flows -OOpenFlow13 br-int | grep table=42<br/> cookie=0x6900000, duration=1056.458s, table=42, n_packets=0, n_bytes=0, priority=61010,reg5=0x1 actions=resubmit(,17)<br/> cookie=0x6900000, duration=446.635s, table=42, n_packets=0, n_bytes=0, priority=61010,tcp,metadata=0x40000000000/0x1fffff0000000000,tp_dst=80 actions=learn(table=252,idle_timeout=18000,fin_idle_timeout=300,priority=61010,cookie=0x6900000,eth_type=0x800,nw_proto=6,NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1-&gt;NXM_NX_REG5<span class="error">&#91;0..7&#93;</span>),resubmit(,17)<br/> cookie=0x6900000, duration=446.635s, table=42, n_packets=15, n_bytes=2506, priority=61010,tcp,metadata=0x40000000000/0x1fffff0000000000 actions=learn(table=252,idle_timeout=300,priority=61010,cookie=0x6900000,eth_type=0x800,NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_IP_PROTO[],load:0x1-&gt;NXM_NX_REG5<span class="error">&#91;0..7&#93;</span>),resubmit(,17)<br/> cookie=0x6900000, duration=1056.615s, table=42, n_packets=15, n_bytes=1418, priority=0 actions=drop</p> <p>Operating System: All<br/> Platform: All</p> NETVIRT-248

Sg - Missing src and dst port in learn rule for All Tcp and All Udp

Bug Resolved Done Alon Kochba zan cohen Mon, 7 Nov 2016 15:18:47 +0000 Tue, 15 Nov 2016 14:39:30 +0000 Tue, 15 Nov 2016 14:39:30 +0000 Boron General 0 1 <p>Attachment port missing in rule.docx has been added with description: Missing information in All tcp rule</p> <p>Attachment screen-karaf.zip has been added with description: Karaf logs</p> <p>Nice find.<br/> First major bug (regression) - in LearnIngressAcl/LearnEgressAcl, we check ifTcp or ifUdp according to existence of src/dst port match. This is wrong, we should check if ip_proto = TCP or UDP, since for all ports we dont set a src/dst at all</p> <p>This raises another issue, though we might have to live with it as a known issue - if you were to configure an egress ALLOW ALL IP rule, the same would happen, and the above proposal would not fix it.<br/> Of course this only happens if you already SSHed in from vm_x-&gt;vm_y, and until the idle timeout expires.</p> <p><a href="https://git.opendaylight.org/gerrit/#/c/48135/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/48135/</a></p> Development External issue ID 7105 External issue URL Rank 0|i01qmn: