Juniper Openstack

ContrailSecurity: Addressgroup match should do OR of both subnet and label rather than AND

Bug #1733684 reported by Senthilnathan Murugappan
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R4.1
Fix Committed
Medium
Naveen N
Juniper Openstack r4.1.1.0
Trunk
Fix Committed
Medium
Naveen N
Juniper Openstack r5.0.0

Bug Description

I think it should be treated as OR. The way to think about it is that, there are two ways to add members to an address group. Static - by adding prefixes directly and Dynamic - by adding a label.

Sachin

On Nov 19, 2017, at 9:24 PM, Naveen N <email address hidden> wrote:

Yes we do a AND.

Regards
Naveen N

From: Senthilnathan Murugappan
Sent: Monday, November 20, 2017 10:04:26 AM
To: Naveen N; Sachin Bansal; Prasad Miriyala
Subject: Address Group with both label and Subnets

Hi Naveen, Sachin, Prasad,

Observed that an Address Group with both label and subnets specified act as AND of both the values.
Can you clarify what is the expected behavior?

Thanks,
Senthil

Senthilnathan Murugappan (msenthil)
tags: added: releasenote
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/38132
Submitter: Naveen N (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/38133
Submitter: Naveen N (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/38132
Committed: http://github.com/Juniper/contrail-controller/commit/dab4dc36d42ef223f7fe79d70f034742b7be803c
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit dab4dc36d42ef223f7fe79d70f034742b7be803c
Author: Naveen N <email address hidden>
Date: Tue Dec 5 13:36:13 2017 +0530

* Match label 'or' subnet in address-group.

Current Agent matches label and subnet group in case of address-group,
expectation is packet should either match subnet or label, correcting
the same. Test case for same.

Change-Id: I12946f156f5e3c131f67ef61339900b7f5498616
Closes-bug: #1733684

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/38133
Committed: http://github.com/Juniper/contrail-controller/commit/5942fa26f5c60fcacf8330e2e6e3c03d47d77ad2
Submitter: Zuul (<email address hidden>)
Branch: master

commit 5942fa26f5c60fcacf8330e2e6e3c03d47d77ad2
Author: Naveen N <email address hidden>
Date: Tue Dec 5 13:36:13 2017 +0530

* Match label 'or' subnet in address-group.

Current Agent matches label and subnet group in case of address-group,
expectation is packet should either match subnet or label, correcting
the same. Test case for same.

Change-Id: I12946f156f5e3c131f67ef61339900b7f5498616
Closes-bug: #1733684

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.