Juniper Openstack

Flows should be created unless 'disable policy' flag is explicitly checked

Bug #1636574 reported by amit surana
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R3.0
Fix Committed
Medium
jayaramsatya
Juniper Openstack r3.0.4.0
R3.1
Fix Committed
Medium
jayaramsatya
Juniper Openstack r3.1.3.0
R3.2
Fix Committed
Medium
jayaramsatya
Juniper Openstack r3.2.4.0
R3.2.3.x
Fix Committed
Medium
jayaramsatya
Juniper Openstack r3.2.3.2
R4.0
Fix Committed
Medium
jayaramsatya
Juniper Openstack r4.0.1.0 "r4.0.1.0"
Trunk
Fix Committed
Medium
jayaramsatya
Juniper Openstack r4.1.0.0-fcs "r4.1"

Bug Description

If a VMI is created without SG/network-policy refs, then policy is implicitly disabled on that VMI. It is then seen that for sessions originated from that VMI, no flows are created in vRouter. This will break several use cases that rely on the creation/presence of a flow.

Also, if the 'policy disable' flag is explicitly checked on the VMI, then services like BGPaaS/link local service etc that require flows to function, will break.

The expectation is that only if the 'policy disable' flag is checked on the VMI should flow creation be disabled. Furthermore, if proxy services are enabled on the VMI (like BGPaaS, Link Local Service, etc which require flow creation to function), then even if 'policy disable' flag is checked, flows must be created.

See original description
Tags: vrouter dt
amit surana (asurana-t)
description: updated
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/25593
Submitter: jayaramsatya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/25704
Submitter: jayaramsatya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/25704
Committed: http://github.org/Juniper/contrail-controller/commit/97f465d344fab17be0d6fb297e38f00d1f14ebf9
Submitter: Zuul
Branch: R3.2

commit 97f465d344fab17be0d6fb297e38f00d1f14ebf9
Author: jayaramsatya <email address hidden>
Date: Wed Nov 2 12:05:06 2016 +0530

Currently Policy is enabled based on references to SG/network-policy
refs. now it is changed to Policy will be enabled by default.
In case of 'policy disable' flag is explicitly checked on the
VMI, then services like BGPaaS/link local service etc that require flows
to function. for this flow creation explicitly policy is enabled for nh
of Default Gateway ip, dns server ip & link local service ip's.

Change-Id: I870d194d19392c51bb33e0e48f9b4cbfc99ac4b1
closes-bug: #1636574
(cherry picked from commit f36cdbf745eaa736fe94f206808aebcd64595b79)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/25764
Submitter: jayaramsatya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/25764
Committed: http://github.org/Juniper/contrail-controller/commit/ac81f55937a78226ceada28bde3458608d925ca6
Submitter: Zuul
Branch: R3.1

commit ac81f55937a78226ceada28bde3458608d925ca6
Author: jayaramsatya <email address hidden>
Date: Wed Nov 2 12:05:06 2016 +0530

Currently Policy is enabled based on references to SG/network-policy
refs. now it is changed to Policy will be enabled by default.
In case of 'policy disable' flag is explicitly checked on the
VMI, then services like BGPaaS/link local service etc that require flows
to function. for this flow creation explicitly policy is enabled for nh
of Default Gateway ip, dns server ip & link local service ip's.

Change-Id: I870d194d19392c51bb33e0e48f9b4cbfc99ac4b1
closes-bug: #1636574
(cherry picked from commit f36cdbf745eaa736fe94f206808aebcd64595b79)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/26265
Submitter: jayaramsatya (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/26265
Committed: http://github.org/Juniper/contrail-controller/commit/e50cddd21606d6a86abacaf345c1d644af46ec64
Submitter: Zuul
Branch: R3.0

commit e50cddd21606d6a86abacaf345c1d644af46ec64
Author: jayaramsatya <email address hidden>
Date: Fri Nov 18 19:30:09 2016 +0530

Currently Policy is enabled based on references to SG/network-policy
refs. now it is changed to Policy will be enabled by default.
In case of 'policy disable' flag is explicitly checked on the
VMI, then services like BGPaaS/link local service etc that require flows
to function. for this flow creation explicitly policy is enabled for nh
of Default Gateway ip, dns server ip & link local service ip's.
closes-bug: #1636574
(cherry picked from commit f36cdbf745eaa736fe94f206808aebcd64595b79)

Change-Id: I668ec8c9f8191cd2bd20124aa3b6dfa3876d4346

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/33068
Submitter: Hari Prasad Killi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/33069
Submitter: Hari Prasad Killi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/33070
Submitter: Hari Prasad Killi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2.3.x

Review in progress for https://review.opencontrail.org/33071
Submitter: Hari Prasad Killi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/33072
Submitter: Hari Prasad Killi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/33073
Submitter: Hari Prasad Killi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33068
Committed: http://github.com/Juniper/contrail-controller/commit/65ed368aea4fd7cbfbb6d756d44aa84eb10ed5ca
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 65ed368aea4fd7cbfbb6d756d44aa84eb10ed5ca
Author: Hari Prasad Killi <email address hidden>
Date: Wed Jun 21 18:00:30 2017 +0530

Enable flow setup when BGPaaS is configured on VMI with policy disabled

Agent oper tables point the GW and DNS routes to pkt0 using NH with policy
enabled. However, this is not being updated in vrouter due to an additional
check in ksync. Removing the same so that traffic sent to pkt0 will always
have flows setup.

Change-Id: Icf3fb0be8bda3f8d482db3ecc7356a20d43a18cd
closes-bug: #1636574

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33071
Committed: http://github.com/Juniper/contrail-controller/commit/4e876d711a3128670db09ab40dbf8deae3a81888
Submitter: Zuul (<email address hidden>)
Branch: R3.2.3.x

commit 4e876d711a3128670db09ab40dbf8deae3a81888
Author: Hari Prasad Killi <email address hidden>
Date: Wed Jun 21 18:00:30 2017 +0530

Enable flow setup when BGPaaS is configured on VMI with policy disabled

Agent oper tables point the GW and DNS routes to pkt0 using NH with policy
enabled. However, this is not being updated in vrouter due to an additional
check in ksync. Removing the same so that traffic sent to pkt0 will always
have flows setup.

Change-Id: Icf3fb0be8bda3f8d482db3ecc7356a20d43a18cd
closes-bug: #1636574

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33072
Committed: http://github.com/Juniper/contrail-controller/commit/3cc1d1b6d3286e602c3a79985000f9eda59df37d
Submitter: Zuul (<email address hidden>)
Branch: master

commit 3cc1d1b6d3286e602c3a79985000f9eda59df37d
Author: Hari Prasad Killi <email address hidden>
Date: Wed Jun 21 18:00:30 2017 +0530

Enable flow setup when BGPaaS is configured on VMI with policy disabled

Agent oper tables point the GW and DNS routes to pkt0 using NH with policy
enabled. However, this is not being updated in vrouter due to an additional
check in ksync. Removing the same so that traffic sent to pkt0 will always
have flows setup.

Conflicts:
 src/vnsw/agent/vrouter/ksync/nexthop_ksync.cc

Change-Id: Icf3fb0be8bda3f8d482db3ecc7356a20d43a18cd
closes-bug: #1636574

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33073
Committed: http://github.com/Juniper/contrail-controller/commit/e265234a9fc742ff9cc70e82c74136cf276ec8f8
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit e265234a9fc742ff9cc70e82c74136cf276ec8f8
Author: Hari Prasad Killi <email address hidden>
Date: Wed Jun 21 18:00:30 2017 +0530

Enable flow setup when BGPaaS is configured on VMI with policy disabled

Agent oper tables point the GW and DNS routes to pkt0 using NH with policy
enabled. However, this is not being updated in vrouter due to an additional
check in ksync. Removing the same so that traffic sent to pkt0 will always
have flows setup.

Conflicts:
 src/vnsw/agent/vrouter/ksync/nexthop_ksync.cc

Change-Id: Icf3fb0be8bda3f8d482db3ecc7356a20d43a18cd
closes-bug: #1636574

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33069
Committed: http://github.com/Juniper/contrail-controller/commit/df02316b355b4666e4018254ba44bee754b72dd2
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit df02316b355b4666e4018254ba44bee754b72dd2
Author: Hari Prasad Killi <email address hidden>
Date: Wed Jun 21 18:00:30 2017 +0530

Enable flow setup when BGPaaS is configured on VMI with policy disabled

Agent oper tables point the GW and DNS routes to pkt0 using NH with policy
enabled. However, this is not being updated in vrouter due to an additional
check in ksync. Removing the same so that traffic sent to pkt0 will always
have flows setup.

Change-Id: Icf3fb0be8bda3f8d482db3ecc7356a20d43a18cd
closes-bug: #1636574

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33070
Committed: http://github.com/Juniper/contrail-controller/commit/a3646d2caa70f72609bdf183137a80c0bce7844c
Submitter: Zuul (<email address hidden>)
Branch: R3.0

commit a3646d2caa70f72609bdf183137a80c0bce7844c
Author: Hari Prasad Killi <email address hidden>
Date: Wed Jun 21 18:00:30 2017 +0530

Enable flow setup when BGPaaS is configured on VMI with policy disabled

Agent oper tables point the GW and DNS routes to pkt0 using NH with policy
enabled. However, this is not being updated in vrouter due to an additional
check in ksync. Removing the same so that traffic sent to pkt0 will always
have flows setup.

Change-Id: Icf3fb0be8bda3f8d482db3ecc7356a20d43a18cd
closes-bug: #1636574

Przemyslaw Grygiel (pgrygiel)
tags: added: dt
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.