OVS FW driver ignores all non-TCP/UDP/ICMP protocol rules

Bug #1625516 reported by Alex Stafeyev
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Jakub Libosvar
Milestone:

Bug Description

Tested OVS 2.5 with the OVS FW driver.

Could not run SCTP traffic between VMs in the same tenant and network after allowing IP protocol 132 (SCTP) ingress and egress traffic in the security group.

With the iptables driver it worked well.

Tested on RHEL 7.3.

OSP10 (Newton).

2016-09-20 11:20:38.121 17370 DEBUG neutron.agent.linux.openvswitch_firewall.firewall [req-1e1ee4b4-0722-42fb-b9a6-5499eeac7028 - - - - -] RULGEN: Rules generated for flow {u'ethertype': u'IPv4', u'direction': u'ingress', u'source_ip_prefix': u'0.0.0.0/0', u'protocol': u'132'} are [{'dl_type': 2048, 'reg_port': 7, 'actions': 'strip_vlan,output:7', 'priority': 70, 'table': 82, 'dl_dst': u'fa:16:3e:5b:c9:06'}] add_flows_from_rules /usr/lib/python2.7/site-packages/neutron/agent/linux/openvswitch_firewall/firewall.py:667
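The translation at the heart of this report, as an added example that is not Neutron's code and not part of the bug page: a small model of how a security-group rule becomes a table-82 accept flow, once with a shortcut that only knows the names tcp/udp/icmp (so a rule for protocol "132" comes out with no protocol match, like the RULGEN flow above) and once resolving protocol numbers the way the fix describes, plus a checker for `ovs-ofctl dump-flows` output that lists IP accept flows carrying no protocol match. The function names, the reg5 encoding of `reg_port`, the protocol table and the dump text are assumptions constructed for this example.

```python
"""Security-group rule -> OVS flow match, before and after the fix.

Added example, not Neutron's code. The function names, the flow dicts,
the reg5 encoding of reg_port, the protocol table and the flow-dump text
are assumptions for illustration; the real driver also emits conntrack,
conjunction and register flows that are left out here.
"""
import re

IPV4_ETHERTYPE = 0x0800  # dl_type 2048 in the RULGEN line above
# Protocol names the Neutron API accepts; it also accepts raw numbers.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "sctp": 132}
# Shorthands ovs-ofctl prints in place of nw_proto=N (assumed list).
PROTO_SHORTHANDS = {"tcp", "udp", "icmp", "sctp", "tcp6", "udp6", "icmp6", "sctp6"}


def _accept_flow(ofport, mac):
    """Table-82 ingress accept flow for one port, shaped like the log line."""
    return {"table": 82, "priority": 70, "dl_type": IPV4_ETHERTYPE,
            "reg_port": ofport, "dl_dst": mac,
            "actions": "strip_vlan,output:%d" % ofport}


def rule_to_flow_buggy(rule, ofport, mac):
    """Reported behaviour: only the names tcp/udp/icmp set nw_proto,
    so protocol='132' yields a flow with no protocol match at all."""
    flow = _accept_flow(ofport, mac)
    if rule.get("protocol") in ("tcp", "udp", "icmp"):
        flow["nw_proto"] = PROTO_NUMBERS[rule["protocol"]]
    return flow


def rule_to_flow_fixed(rule, ofport, mac):
    """Corrected translation: names and numeric strings both set nw_proto.
    No protocol means 'any protocol'; anything unresolvable is rejected
    instead of silently producing a flow wider than the rule."""
    flow = _accept_flow(ofport, mac)
    proto = rule.get("protocol")
    if proto is None:
        return flow
    if proto in PROTO_NUMBERS:
        flow["nw_proto"] = PROTO_NUMBERS[proto]
    elif isinstance(proto, str) and proto.isdigit() and int(proto) <= 255:
        flow["nw_proto"] = int(proto)
    else:
        raise ValueError("unsupported protocol %r" % (proto,))
    return flow


def flow_to_ofctl(flow):
    """Render the flow dict in ovs-ofctl match syntax (reg_port as reg5)."""
    parts = ["table=%d" % flow["table"], "priority=%d" % flow["priority"]]
    if flow["dl_type"] == IPV4_ETHERTYPE:
        parts.append("ip")
    parts.append("reg5=0x%x" % flow["reg_port"])
    if "nw_proto" in flow:
        parts.append("nw_proto=%d" % flow["nw_proto"])
    parts.append("dl_dst=%s" % flow["dl_dst"])
    return ",".join(parts) + " actions=" + flow["actions"]


def unfiltered_ip_flows(dump_text, table=82):
    """Return flows in `table` that match IPv4/IPv6 but name no protocol.
    Such a flow matches every IP protocol: fine for a rule written without
    one, wrong for a protocol-specific rule like the SCTP one above."""
    hits = []
    for line in dump_text.splitlines():
        line = line.strip()
        m = re.search(r"\btable=(\d+)", line)
        if not m or int(m.group(1)) != table:
            continue
        tokens = {t.strip() for t in line.split(" actions=", 1)[0].split(",")}
        if not tokens & {"ip", "ipv6"}:
            continue  # arp, ct_state-only flows and the like
        if tokens & PROTO_SHORTHANDS or any(t.startswith("nw_proto=") for t in tokens):
            continue
        hits.append(line)
    return hits


# Constructed inputs: the rule from the report and a made-up flow dump.
SCTP_RULE = {"ethertype": "IPv4", "direction": "ingress",
             "source_ip_prefix": "0.0.0.0/0", "protocol": "132"}
PORT_OFPORT, PORT_MAC = 7, "fa:16:3e:5b:c9:06"
SAMPLE_DUMP = """\
 cookie=0x0, duration=12.3s, table=82, n_packets=0, n_bytes=0, priority=70,ip,reg5=0x7,dl_dst=fa:16:3e:5b:c9:06 actions=strip_vlan,output:7
 cookie=0x0, duration=12.3s, table=82, n_packets=4, n_bytes=312, priority=70,tcp,reg5=0x7,dl_dst=fa:16:3e:5b:c9:06,tp_dst=22 actions=strip_vlan,output:7
 cookie=0x0, duration=12.3s, table=82, n_packets=0, n_bytes=0, priority=70,ip,reg5=0x7,nw_proto=132,dl_dst=fa:16:3e:5b:c9:06 actions=strip_vlan,output:7
 cookie=0x0, duration=12.3s, table=82, n_packets=0, n_bytes=0, priority=50,ct_state=+inv+trk actions=drop
"""

if __name__ == "__main__":
    print("buggy:", flow_to_ofctl(rule_to_flow_buggy(SCTP_RULE, PORT_OFPORT, PORT_MAC)))
    print("fixed:", flow_to_ofctl(rule_to_flow_fixed(SCTP_RULE, PORT_OFPORT, PORT_MAC)))
    for hit in unfiltered_ip_flows(SAMPLE_DUMP):
        print("no protocol match:", hit)
```

Running it prints the two renderings of the SCTP rule, of which only the fixed one carries `nw_proto=132`, and flags the first line of the constructed dump. On a real host, pass in the output of `ovs-ofctl dump-flows br-int table=82`; a flow without a protocol match is only wrong where the matching security-group rule named a protocol, so compare against the group before acting on a hit.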

Changed in neutron:
status: New → Confirmed
assignee: nobody → Jakub Libosvar (libosvar)
importance: Undecided → High
importance: High → Medium
Assaf Muller (amuller)
tags: added: ovs-fw
Changed in neutron:
milestone: none → ocata-1
tags: added: newton-rc-potential
tags: added: newton-backport-potential
removed: newton-rc-potential
Changed in neutron:
milestone: ocata-1 → ocata-2
OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/402174

Changed in neutron:
status: Confirmed → In Progress
Changed in neutron:
milestone: ocata-2 → ocata-3
Changed in neutron:
assignee: Jakub Libosvar (libosvar) → Miguel Angel Ajo (mangelajo)
Changed in neutron:
assignee: Miguel Angel Ajo (mangelajo) → Jakub Libosvar (libosvar)
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/402174
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d5c07fe512502342cfde7c49e6ed75686608cc65
Submitter: Jenkins
Branch: master

commit d5c07fe512502342cfde7c49e6ed75686608cc65
Author: Jakub Libosvar <email address hidden>
Date: Thu Nov 24 12:32:55 2016 -0500

    ovsfw: Support protocol numbers instead of just tcp and udp

    Neutron API also accepts protocol numbers as protocols for security
    groups. This patch adds support for it to the OVS firewall driver. The
    iptables driver already supports it.

    Fullstack test covering SCTP connection was added and it requires
    ip_conntrack_proto_sctp kernel module in order to make conntrack work
    with SCTP.

    Change-Id: I6c5665a994c4a50ddbb95cd1360be0de0a6c7e40
    Closes-bug: 1625516

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/424065

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/424065
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6ddddcbaebd88380ae8f4ae9b19c5571cf8a00b9
Submitter: Jenkins
Branch: stable/newton

commit 6ddddcbaebd88380ae8f4ae9b19c5571cf8a00b9
Author: Jakub Libosvar <email address hidden>
Date: Thu Nov 24 12:32:55 2016 -0500

    ovsfw: Support protocol numbers instead of just tcp and udp

    Neutron API also accepts protocol numbers as protocols for security
    groups. This patch adds support for it to the OVS firewall driver. The
    iptables driver already supports it.

    Fullstack test covering SCTP connection was added and it requires
    ip_conntrack_proto_sctp kernel module in order to make conntrack work
    with SCTP.

    Closes-bug: 1625516
    Conflicts:
     neutron/tests/fullstack/test_securitygroup.py

    Change-Id: I6c5665a994c4a50ddbb95cd1360be0de0a6c7e40
    (cherry picked from commit d5c07fe512502342cfde7c49e6ed75686608cc65)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 10.0.0.0b3

This issue was fixed in the openstack/neutron 10.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 9.2.0

This issue was fixed in the openstack/neutron 9.2.0 release.
