ICMP rules not getting deleted on the hyperv network adapter extended acl set

Bug #1470443 reported by Krishna Kanth
Affects            Status        Importance  Assigned to    Milestone
networking-hyperv  Fix Released  Medium      Claudiu Belu
neutron            Invalid       Undecided   Unassigned
Juno               Fix Released  Undecided   Krishna Kanth

Bug Description

1. Create a security group with an icmp rule
2. spawn a vm with the above security-group rule
3. ping works from dhcp namespace
4. delete the rule from the security-group, which will trigger the port-update
5. however the rule is still there on compute for the vm even after port-update

Root cause: icmp rule is created with local port as empty ('').
However, during remove_security_rule the rule is matched for port "ANY", which does not match any rule, hence the rule is not deleted.
Solution: introduce the check to match an empty local port in case of deleting an icmp rule.

Changed in networking-hyperv:
assignee: nobody → Krishna Kanth (krishna-kanth-mallela)
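The mismatch the report describes, as an added illustration (not networking-hyperv's own code): a small in-memory ACL table whose literal port comparison leaves the ICMP rule behind when removal asks for "ANY", beside a normalized comparison that treats '' and "ANY" as the same wildcard. The rule record layout, AclTable and stale_after_delete are assumptions made for this example.

```python
"""Constructed model of the local-port mismatch from the bug report."""

ANY = "ANY"


def _normalize_port(port):
    """Treat an empty local port and 'ANY' as the same wildcard value."""
    return ANY if port in ("", None, ANY) else str(port)


class AclTable:
    """Hypothetical per-vNIC ACL list; one dict per extended ACL entry."""

    def __init__(self, normalize=False):
        self.rules = []
        self.normalize = normalize

    def add(self, direction, protocol, local_port, remote):
        self.rules.append({"direction": direction, "protocol": protocol,
                           "local_port": local_port, "remote": remote})

    def _matches(self, rule, direction, protocol, local_port, remote):
        if self.normalize:
            port_equal = (_normalize_port(rule["local_port"])
                          == _normalize_port(local_port))
        else:
            # Literal compare: '' never equals 'ANY', so the rule survives.
            port_equal = rule["local_port"] == local_port
        return (rule["direction"] == direction and rule["protocol"] == protocol
                and port_equal and rule["remote"] == remote)

    def remove(self, direction, protocol, local_port, remote):
        """Drop matching entries; return how many were removed."""
        before = len(self.rules)
        self.rules = [r for r in self.rules
                      if not self._matches(r, direction, protocol, local_port, remote)]
        return before - len(self.rules)


def stale_after_delete(normalize):
    """Replay the report: ICMP rule added with '' port, removed with 'ANY'.

    Returns (rules_removed, rules_still_present)."""
    acl = AclTable(normalize=normalize)
    acl.add("ingress", "icmp", "", "0.0.0.0/0")              # creation path
    removed = acl.remove("ingress", "icmp", ANY, "0.0.0.0/0")  # port-update path
    return removed, len(acl.rules)
```

A stale allow rule after a security group delete is a fail-open condition, so the check worth keeping is that the rule count on the vNIC actually drops after the port update.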
Revision history for this message
Claudiu Belu (cbelu) wrote :

Hi Krishna.

I could not reproduce your scenario. I've created a VM with a security group and added an icmp rule, ping was successful, removed the icmp rule, ping failed:

http://paste.openstack.org/show/332551/

Revision history for this message
Claudiu Belu (cbelu) wrote :

Hm, it seems that launchpad bugs are not always updated by uploading bugfixes to gerrit.

So, I've checked this bug out, removing rules works fine. ICMP rules too, localport being '' is not the issue.

When adding an egress ANY protocol security group rule, it will also create an egress ICMP rule. Because of a Hyper-V limitation, ICMP rules cannot be stateful, so a ping reply is not accepted with just an egress ICMP rule. The ping reply is needed in order for "ping" as a whole to work, so an ingress ICMP rule is created as well.

I've removed those special cases. From now on, if ping is desired, both ingress and egress should be explicitly added to the neutron security groups. See commit below.

https://review.openstack.org/#/c/197666/

Changed in networking-hyperv:
status: New → In Progress
importance: Undecided → Medium
assignee: Krishna Kanth (krishna-kanth-mallela) → Claudiu Belu (cbelu)
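The behaviour Claudiu describes, as an added illustration that is not the driver's code: a constructed expansion of neutron-style security group rules into per-direction ACLs, with a switch that reproduces the old implicit ingress ICMP special case next to the post-fix behaviour where ingress ICMP must be an explicit rule. The rule dict shape, expand_to_acls and the two reachability helpers are assumptions for this example.

```python
"""Constructed model of the implicit ingress ICMP rule and its removal."""


def expand_to_acls(sg_rules, implicit_ingress_icmp):
    """Turn security group rules into (direction, protocol) ACL tuples.

    implicit_ingress_icmp=True mimics the old special case; False mimics the
    fixed driver, where nothing is opened that was not explicitly requested."""
    acls = set()
    for rule in sg_rules:
        proto = rule.get("protocol") or "ANY"
        direction = rule["direction"]
        acls.add((direction, proto))
        if implicit_ingress_icmp and direction == "egress" and proto == "ANY":
            # Hyper-V ICMP ACLs are stateless, so the old driver also opened
            # ingress ICMP to let echo replies in, which made the VM pingable.
            acls.add(("ingress", "icmp"))
    return acls


def vm_is_pingable(acls):
    """Inbound echo requests reach the VM only with an ingress ICMP/ANY ACL."""
    return ("ingress", "icmp") in acls or ("ingress", "ANY") in acls


def vm_can_ping_out(acls):
    """Stateless ICMP: the request needs egress and the reply needs ingress."""
    egress_ok = ("egress", "icmp") in acls or ("egress", "ANY") in acls
    return egress_ok and vm_is_pingable(acls)


# Constructed sample rule sets (not from the page).
SG_EGRESS_ANY = [{"direction": "egress", "protocol": None}]
SG_EXPLICIT = [{"direction": "egress", "protocol": None},
               {"direction": "ingress", "protocol": "icmp"}]
```

With the special case gone, a group holding only the default egress ANY rule no longer exposes the VM to inbound ICMP; outbound ping then needs the ingress ICMP rule added deliberately, as the commit message states.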
Revision history for this message
Krishna Kanth (krishna-kanth-mallela) wrote :

Hi Belu,

This bug I intend to raise on the JUNO branch.
I see this is not applicable to the master branch, where you have the above fix mentioned.
I have the fix ready for the JUNO branch code line and below is the review for the same:
https://review.openstack.org/#/c/199932/

Can you kindly review and approve.

Thanks,
Krishna.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-hyperv (master)

Reviewed: https://review.openstack.org/197666
Committed: https://git.openstack.org/cgit/stackforge/networking-hyperv/commit/?id=702d45105932e6d35584dea31bb0e742321919f2
Submitter: Jenkins
Branch: master

commit 702d45105932e6d35584dea31bb0e742321919f2
Author: Claudiu Belu <email address hidden>
Date: Wed Jul 1 20:04:44 2015 +0300

    Hyper-V: Removes extra cases for ingress ICMP rule

    Previously, if the egress rule with no protocol specified
    was added, the HyperVSecurityGroupsDriver would create an
    inbound ICMP rule, in order for ping reply to be received.

    This is because ICMP rules cannot be added as stateful on
    Hyper-V and ping is expected to work if the rule is egress.
    This would also cause the VM to be ping-able, which isn't
    desirable.

    Removes the special cases where ingress ICMP rules are
    created. If ping is desirable, both ingress and egress
    rules will have to be added.

    Change-Id: If10d1408bf0f3ed487e394edd8e0b0ea52070a48
    Closes-Bug: #1470443

Changed in networking-hyperv:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-hyperv (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/199978

tags: added: in-stable-kilo
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-hyperv (stable/kilo)

Reviewed: https://review.openstack.org/199978
Committed: https://git.openstack.org/cgit/stackforge/networking-hyperv/commit/?id=0bca49c1130baaa4a3dc23877dfc2dda33bce5de
Submitter: Jenkins
Branch: stable/kilo

commit 0bca49c1130baaa4a3dc23877dfc2dda33bce5de
Author: Claudiu Belu <email address hidden>
Date: Wed Jul 1 20:04:44 2015 +0300

    Hyper-V: Removes extra cases for ingress ICMP rule

    Previously, if the egress rule with no protocol specified
    was added, the HyperVSecurityGroupsDriver would create an
    inbound ICMP rule, in order for ping reply to be received.

    This is because ICMP rules cannot be added as stateful on
    Hyper-V and ping is expected to work if the rule is egress.
    This would also cause the VM to be ping-able, which isn't
    desirable.

    Removes the special cases where ingress ICMP rules are
    created. If ping is desirable, both ingress and egress
    rules will have to be added.

    Change-Id: If10d1408bf0f3ed487e394edd8e0b0ea52070a48
    Closes-Bug: #1470443

Revision history for this message
Krishna Kanth (krishna-kanth-mallela) wrote :

Hi Belu,

Below is the paste link for the problem seen on Juno branch.
http://paste.openstack.org/show/358221/

Also wanted to check if I need to file a different bug for the Juno branch as this bug is already committed for kilo.

Regards,
Krishna

Alan Pevec (apevec)
Changed in neutron:
status: New → Invalid
Claudiu Belu (cbelu)
Changed in networking-hyperv:
status: Fix Committed → Fix Released