Reviewed: https://review.opendev.org/c/openstack/neutron/+/816600 Committed: https://opendev.org/openstack/neutron/commit/278af8512374dcc75bb4884bd364ac20f2bb9e69 Submitter: "Zuul (22348)" Branch: master
commit 278af8512374dcc75bb4884bd364ac20f2bb9e69 Author: Ihar Hrachyshka <[email protected]> Date: Tue Nov 2 21:43:28 2021 +0000 ovn: update ACL actions on stateful field change When SG 'stateful' field changes its value, all 'allow-related' / 'allow-stateless' ACLs that belong to the group should flip their action value in OVN nbdb accordingly. Closes-Bug: #1952653 Reported-At: https://bugzilla.redhat.com/show_bug.cgi?id=2017048 Change-Id: Ic4621dfaedb83287845e3336ba846b054230f087 ** Changed in: neutron Status: In Progress => Fix Released ** Bug watch added: Red Hat Bugzilla #2017048 https://bugzilla.redhat.com/show_bug.cgi?id=2017048 -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1952653 Title: OVN: stateless field update not reflected in OVN flows Status in neutron: Fix Released Bug description: Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=2017048 When we switch back and forth between stateful to stateless security group, the ACL rules in OVN are not updated. The new ACL rules are created according to the SG mode though. Steps to Reproduce: 1. The pre created SG is stateful $ openstack security group show default -c stateful -f value True In a controller, we can list the ACLs as "allow-related" [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : e31f56a6-a373-4f0f-b690-dafd7b964d99 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && udp" meter : [] name : [] priority : 1002 severity : [] 2. Switch to stateless SG: $ openstack security group set --stateless default Yet, the "list ACL" command shows that the rule still uses conntrack (allow-related). 3. We create a new rule: openstack security group rule create default --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0 Actual results: The rules are a mix of allow-related and allow-stateless: [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : fb970be6-493c-424a-b133-66dcbe3aedee action : allow-stateless direction : to-lport external_ids : {"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22" meter : [] name : [] priority : 1002 severity : [] _uuid : 18cc8207-6489-49d9-bb57-31ed04b04726 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp" meter : [] name : [] priority : 1002 severity : [] Expected results: All rules should be "allow-stateless" or "allow-related" when we update the security group to stateless or stateful. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1952653/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
