Firewall: traffic filter between two AGs as EP fails

Bug #1770518 reported by Senthilnathan Murugappan
Affects: Juniper Openstack (status tracked in Trunk)
  R5.0  - Status: New          Importance: High  Assigned to: haji mohamed ashraf ali
  Trunk - Status: In Progress  Importance: High  Assigned to: haji mohamed ashraf ali

Bug Description

Have two AGs: one with two CIDRs (Net1/24 and IP-of-VM1-in-Net2/32) and the other with two labels, Label1 and Label2, attached to VM2 and VM3 in Net2 respectively. It's an allow-all protocol/port rule, so traffic is expected to flow between VM1 and VM2 in Net2, but the traffic is observed to be dropped (implicit deny).

Please find the respective outputs.

flow output:

   120028<=>72440 87.122.40.3:3159 1 (2)
                         87.122.40.4:0
(Gen: 1, K(nh):30, Action:D(FwPolicy), Flags:, QOS:-1, S(nh):30, Stats:5/490,
 SPort 54233, TTL 0, Sinfo 3.0.0.0)

ACL Info:
root@a2s36:~# curl 'http://10.87.74.130:8085/Snh_AclReq?x=bff10320-a3dc-4648-aea4-ce8f11a9607e' | xmllint --format -
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/universal_parse.xsl"?>
<__AclResp_list type="slist">
  <AclResp type="sandesh">
    <acl_list type="list" identifier="1">
      <list type="struct" size="1">
        <AclSandeshData>
          <uuid type="string" identifier="1" link="AclFlowReq">bff10320-a3dc-4648-aea4-ce8f11a9607e</uuid>
          <dynamic_acl type="bool" identifier="2">false</dynamic_acl>
          <entries type="list" identifier="3">
            <list type="struct" size="2">
              <AclEntrySandeshData>
                <ace_id type="string" identifier="1">10</ace_id>
                <rule_type type="string" identifier="2">Terminal</rule_type>
                <src type="string" identifier="3">135.147.158.0 255.255.255.0, 87.122.40.4 255.255.255.255Empty</src>
                <dst type="string" identifier="4">16, 15</dst>
                <src_port_l type="list" identifier="5">
                  <list type="struct" size="1">
                    <SandeshRange>
                      <min type="i32" identifier="1">0</min>
                      <max type="i32" identifier="2">65535</max>
                    </SandeshRange>
                  </list>
                </src_port_l>
                <dst_port_l type="list" identifier="6">
                  <list type="struct" size="1">
                    <SandeshRange>
                      <min type="i32" identifier="1">0</min>
                      <max type="i32" identifier="2">65535</max>
                    </SandeshRange>
                  </list>
                </dst_port_l>
                <proto_l type="list" identifier="7">
                  <list type="struct" size="1">
                    <SandeshRange>
                      <min type="i32" identifier="1">0</min>
                      <max type="i32" identifier="2">255</max>
                    </SandeshRange>
                  </list>
                </proto_l>
                <action_l type="list" identifier="8">
                  <list type="struct" size="1">
                    <ActionStr>
                      <action type="string" identifier="1">pass</action>
                    </ActionStr>
                  </list>
                </action_l>
                <src_type type="string" identifier="9">AddressGroup</src_type>
                <dst_type type="string" identifier="10">AddressGroup</dst_type>
                <uuid type="string" identifier="11">78388add-6fa5-4646-9580-8912d2054af7</uuid>
                <match_condition type="string" identifier="12">deployment </match_condition>
              </AclEntrySandeshData>
              <AclEntrySandeshData>
                <ace_id type="string" identifier="1">10</ace_id>
                <rule_type type="string" identifier="2">Terminal</rule_type>
                <src type="string" identifier="3">16, 15</src>
                <dst type="string" identifier="4">135.147.158.0 255.255.255.0, 87.122.40.4 255.255.255.255Empty</dst>
                <src_port_l type="list" identifier="5">
                  <list type="struct" size="1">
                    <SandeshRange>
                      <min type="i32" identifier="1">0</min>
                      <max type="i32" identifier="2">65535</max>
                    </SandeshRange>
                  </list>
                </src_port_l>
                <dst_port_l type="list" identifier="6">
                  <list type="struct" size="1">
                    <SandeshRange>
                      <min type="i32" identifier="1">0</min>
                      <max type="i32" identifier="2">65535</max>
                    </SandeshRange>
                  </list>
                </dst_port_l>
                <proto_l type="list" identifier="7">
                  <list type="struct" size="1">
                    <SandeshRange>
                      <min type="i32" identifier="1">0</min>
                      <max type="i32" identifier="2">255</max>
                    </SandeshRange>
                  </list>
                </proto_l>
                <action_l type="list" identifier="8">
                  <list type="struct" size="1">
                    <ActionStr>
                      <action type="string" identifier="1">pass</action>
                    </ActionStr>
                  </list>
                </action_l>
                <src_type type="string" identifier="9">AddressGroup</src_type>
                <dst_type type="string" identifier="10">AddressGroup</dst_type>
                <uuid type="string" identifier="11">78388add-6fa5-4646-9580-8912d2054af7</uuid>
                <match_condition type="string" identifier="12">deployment </match_condition>
              </AclEntrySandeshData>
            </list>
          </entries>
          <name type="string" identifier="4">default-domain:ctest-TestFirewallBasic-21521742:ctest-TestFirewallBasic-21521742-62130777</name>
        </AclSandeshData>
      </list>
    </acl_list>
    <more type="bool" identifier="0">true</more>
  </AclResp>
  <Pagination type="sandesh">
    <req type="struct" identifier="1">
      <PageReqData>
        <prev_page type="string" identifier="1" link="PageReq"/>
        <next_page type="string" identifier="2" link="PageReq"/>
        <first_page type="string" identifier="3" link="PageReq">begin:0,end:99,table:db.acl.0,name:bff10320-a3dc-4648-aea4-ce8f11a9607e</first_page>
        <all type="string" identifier="4" link="PageReq">begin:-1,end:-1,table:db.acl.0,name:bff10320-a3dc-4648-aea4-ce8f11a9607e</all>
        <table_size type="u32" identifier="5">7</table_size>
        <entries type="string" identifier="6">0-0/1</entries>
      </PageReqData>
    </req>
    <more type="bool" identifier="0">false</more>
  </Pagination>
</__AclResp_list>

Tags List:
msenthil-mbp:~ msenthil$ curl -s 'http://10.87.74.130:8085/Snh_TagSandeshReq?uuid=&name=' | xmllint --format -
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/universal_parse.xsl"?>
<__TagSandeshResp_list type="slist">
  <TagSandeshResp type="sandesh">
    <tag_list type="list" identifier="1">
      <list type="struct" size="12">
        <TagSandeshData>
          <uuid type="string" identifier="1">2298cf02-b82c-4f59-8206-d81206935b5d</uuid>
          <name type="string" identifier="2">tier=web</name>
          <id type="u32" identifier="3">131072</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">45c50f3b-9a6b-4c8e-9768-bf0423135b42</uuid>
          <name type="string" identifier="2">tier=db</name>
          <id type="u32" identifier="3">131101</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">47f0369e-7469-47fe-8510-4e058964ddfe</uuid>
          <name type="string" identifier="2">default-domain:ctest-TestFirewallBasic-21521742:tier=db</name>
          <id type="u32" identifier="3">131102</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">4e923d86-0e55-4adc-9e6b-5cf056844de2</uuid>
          <name type="string" identifier="2">application=eng</name>
          <id type="u32" identifier="3">65554</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="1">
              <ApplicationPolicySetLink>
                <application_policy_set type="string" identifier="1" link="ApplicationPolicySetReq">4e6b31ae-ee49-4931-b59b-69e79740cc7f</application_policy_set>
              </ApplicationPolicySetLink>
            </list>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">53c1eadc-e9ae-41f6-99f0-3879cf0d150d</uuid>
          <name type="string" identifier="2">label=db</name>
          <id type="u32" identifier="3">16</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">77369e09-d758-4fbb-a2ba-d66bee72e5a5</uuid>
          <name type="string" identifier="2">tier=logic</name>
          <id type="u32" identifier="3">131099</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">80b16ca9-3fd4-4fdb-80f5-a6d2a7a8eb34</uuid>
          <name type="string" identifier="2">label=ag</name>
          <id type="u32" identifier="3">14</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">99520b46-bce5-49f8-b213-3c3f6224346e</uuid>
          <name type="string" identifier="2">default-domain:ctest-TestFirewallBasic-21521742:deployment=dev</name>
          <id type="u32" identifier="3">196630</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">9b61e08f-dc70-460e-ad44-1abf044bdf69</uuid>
          <name type="string" identifier="2">default-domain:ctest-TestFirewallBasic-21521742:application=hr</name>
          <id type="u32" identifier="3">65553</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="1">
              <ApplicationPolicySetLink>
                <application_policy_set type="string" identifier="1" link="ApplicationPolicySetReq">c6e563dc-dfb6-4c72-a076-74688817389c</application_policy_set>
              </ApplicationPolicySetLink>
            </list>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">b43572e3-bad9-4bfe-aacf-565ecd0e6fb5</uuid>
          <name type="string" identifier="2">label=web</name>
          <id type="u32" identifier="3">15</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">f7d6924f-e56c-482f-8a38-40f8e7065dd8</uuid>
          <name type="string" identifier="2">default-domain:ctest-TestFirewallBasic-21521742:tier=web</name>
          <id type="u32" identifier="3">131098</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
        <TagSandeshData>
          <uuid type="string" identifier="1">fc7778ec-11ba-4cef-a34e-fbc25054f44a</uuid>
          <name type="string" identifier="2">site=blr</name>
          <id type="u32" identifier="3">262161</id>
          <application_policy_set_list type="list" identifier="4">
            <list type="struct" size="0"/>
          </application_policy_set_list>
        </TagSandeshData>
      </list>
    </tag_list>
    <more type="bool" identifier="0">true</more>
  </TagSandeshResp>
  <Pagination type="sandesh">
    <req type="struct" identifier="1">
      <PageReqData>
        <prev_page type="string" identifier="1" link="PageReq"/>
        <next_page type="string" identifier="2" link="PageReq"/>
        <first_page type="string" identifier="3" link="PageReq">begin:0,end:99,table:db.tag.0,</first_page>
        <all type="string" identifier="4" link="PageReq">begin:-1,end:-1,table:db.tag.0,</all>
        <table_size type="u32" identifier="5">12</table_size>
        <entries type="string" identifier="6">0-11/12</entries>
      </PageReqData>
    </req>
    <more type="bool" identifier="0">false</more>
  </Pagination>
</__TagSandeshResp_list>

Interface Info:
msenthil-mbp:~ msenthil$ curl -s 'http://10.87.74.130:8085/Snh_ItfReq?name=tap062a1e54-9a&type=&uuid=&vn=&mac=&ipv4_address=&ipv6_address=&parent_uuid=&ip_active=&ip6_active=&l2_active=' | xmllint --format -
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/universal_parse.xsl"?>
<__ItfResp_list type="slist">
  <ItfResp type="sandesh">
    <itf_list type="list" identifier="1">
      <list type="struct" size="1">
        <ItfSandeshData>
          <index type="i32" identifier="1">3</index>
          <name type="string" identifier="2">tap062a1e54-9a</name>
          <uuid type="string" identifier="3">062a1e54-9aca-4ff3-acbd-dcc668108e72</uuid>
          <vrf_name type="string" identifier="4" link="VrfListReq">default-domain:ctest-TestFirewallBasic-21521742:ctest-vn-96935054:ctest-vn-96935054</vrf_name>
          <active type="string" identifier="5">Active</active>
          <ipv4_active type="string" identifier="49">Active</ipv4_active>
          <l2_active type="string" identifier="28">L2 Active</l2_active>
          <ip6_active type="string" identifier="35">Ipv6 Inactive &lt; no-ipv6-addr &gt;</ip6_active>
          <health_check_active type="string" identifier="53">Active</health_check_active>
          <dhcp_service type="string" identifier="6">Enable</dhcp_service>
          <dns_service type="string" identifier="7">Enable</dns_service>
          <type type="string" identifier="8">vport</type>
          <label type="i32" identifier="9">25</label>
          <l2_label type="i32" identifier="25">29</l2_label>
          <vxlan_id type="i32" identifier="26">4</vxlan_id>
          <vn_name type="string" identifier="10" link="VnListReq">default-domain:ctest-TestFirewallBasic-21521742:ctest-vn-96935054</vn_name>
          <vm_uuid type="string" identifier="11" link="VmListReq">d270fb1f-8cc0-43d6-84f2-8a3ea1e1f977</vm_uuid>
          <vm_name type="string" identifier="12">ctest-TestFirewallBasic-21521742-44833378</vm_name>
          <ip_addr type="string" identifier="13">87.122.40.3</ip_addr>
          <mac_addr type="string" identifier="14">02:06:2a:1e:54:9a</mac_addr>
          <policy type="string" identifier="15">Enable</policy>
          <fip_list type="list" identifier="16">
            <list type="struct" size="0"/>
          </fip_list>
          <mdata_ip_addr type="string" identifier="17">169.254.0.3</mdata_ip_addr>
          <service_vlan_list type="list" identifier="18">
            <list type="struct" size="0"/>
          </service_vlan_list>
          <os_ifindex type="i32" identifier="19">32</os_ifindex>
          <fabric_port type="string" identifier="20">NotFabricPort</fabric_port>
          <alloc_linklocal_ip type="string" identifier="21">LL-Enable</alloc_linklocal_ip>
          <analyzer_name type="string" identifier="22"/>
          <config_name type="string" identifier="23">default-domain:ctest-TestFirewallBasic-21521742:062a1e54-9aca-4ff3-acbd-dcc668108e72</config_name>
          <sg_uuid_list type="list" identifier="24">
            <list type="struct" size="1">
              <VmIntfSgUuid>
                <sg_uuid type="string" identifier="1" link="SgListReq">ac45f2db-e131-4221-8780-2701b25fe0a7</sg_uuid>
              </VmIntfSgUuid>
            </list>
          </sg_uuid_list>
          <static_route_list type="list" identifier="27">
            <list type="struct" size="0"/>
          </static_route_list>
          <vm_project_uuid type="string" identifier="30">ef0606f8-99ab-45db-8d8c-47e386485f14</vm_project_uuid>
          <admin_state type="string" identifier="31">Enabled</admin_state>
          <flow_key_idx type="i32" identifier="32">30</flow_key_idx>
          <allowed_address_pair_list type="list" identifier="33">
            <list type="struct" size="0"/>
          </allowed_address_pair_list>
          <ip6_addr type="string" identifier="34">::</ip6_addr>
          <local_preference type="i32" identifier="36">0</local_preference>
          <tx_vlan_id type="i16" identifier="37">-1</tx_vlan_id>
          <rx_vlan_id type="i16" identifier="38">-1</rx_vlan_id>
          <parent_interface type="string" identifier="39"/>
          <subnet type="string" identifier="40">--NA--</subnet>
          <sub_type type="string" identifier="41">Tap</sub_type>
          <vrf_assign_acl_uuid type="string" identifier="42" link="AclReq">--NA--</vrf_assign_acl_uuid>
          <vmi_type type="string" identifier="43">Virtual Machine</vmi_type>
          <transport type="string" identifier="44">Ethernet</transport>
          <logical_interface_uuid type="string" identifier="45">00000000-0000-0000-0000-000000000000</logical_interface_uuid>
          <flood_unknown_unicast type="bool" identifier="46">false</flood_unknown_unicast>
          <physical_device type="string" identifier="47"/>
          <physical_interface type="string" identifier="48"/>
          <fixed_ip4_list type="list" identifier="50">
            <list type="string" size="1">
              <element>87.122.40.3</element>
            </list>
          </fixed_ip4_list>
          <fixed_ip6_list type="list" identifier="51">
            <list type="string" size="0"/>
          </fixed_ip6_list>
          <fat_flow_list type="list" identifier="52">
            <list type="string" size="0"/>
          </fat_flow_list>
          <metadata_ip_active type="string" identifier="54">Active</metadata_ip_active>
          <service_health_check_ip type="string" identifier="55">0.0.0.0</service_health_check_ip>
          <alias_ip_list type="list" identifier="57">
            <list type="struct" size="0"/>
          </alias_ip_list>
          <drop_new_flows type="bool" identifier="58">false</drop_new_flows>
          <bridge_domain_list type="list" identifier="59">
            <list type="struct" size="0"/>
          </bridge_domain_list>
          <vmi_tag_list type="list" identifier="60">
            <list type="struct" size="5">
              <VmiTagData>
                <name type="string" identifier="1">label=web</name>
                <id type="i32" identifier="2">15</id>
                <application_policy_set_list type="list" identifier="3">
                  <list type="struct" size="0"/>
                </application_policy_set_list>
              </VmiTagData>
              <VmiTagData>
                <name type="string" identifier="1">default-domain:ctest-TestFirewallBasic-21521742:application=hr</name>
                <id type="i32" identifier="2">65553</id>
                <application_policy_set_list type="list" identifier="3">
                  <list type="struct" size="1">
                    <ApplicationPolicySetLink>
                      <application_policy_set type="string" identifier="1" link="ApplicationPolicySetReq">c6e563dc-dfb6-4c72-a076-74688817389c</application_policy_set>
                    </ApplicationPolicySetLink>
                  </list>
                </application_policy_set_list>
              </VmiTagData>
              <VmiTagData>
                <name type="string" identifier="1">default-domain:ctest-TestFirewallBasic-21521742:tier=web</name>
                <id type="i32" identifier="2">131098</id>
                <application_policy_set_list type="list" identifier="3">
                  <list type="struct" size="0"/>
                </application_policy_set_list>
              </VmiTagData>
              <VmiTagData>
                <name type="string" identifier="1">default-domain:ctest-TestFirewallBasic-21521742:deployment=dev</name>
                <id type="i32" identifier="2">196630</id>
                <application_policy_set_list type="list" identifier="3">
                  <list type="struct" size="0"/>
                </application_policy_set_list>
              </VmiTagData>
              <VmiTagData>
                <name type="string" identifier="1">site=blr</name>
                <id type="i32" identifier="2">262161</id>
                <application_policy_set_list type="list" identifier="3">
                  <list type="struct" size="0"/>
                </application_policy_set_list>
              </VmiTagData>
            </list>
          </vmi_tag_list>
          <policy_set_acl_list type="list" identifier="61">
            <list type="string" size="1">
              <element>bff10320-a3dc-4648-aea4-ce8f11a9607e</element>
            </list>
          </policy_set_acl_list>
          <slo_list type="list" identifier="62">
            <list type="struct" size="0"/>
          </slo_list>
          <vhostuser_mode type="byte" identifier="63">0</vhostuser_mode>
          <si_other_end_vmi type="string" identifier="64">00000000-0000-0000-0000-000000000000</si_other_end_vmi>
          <cfg_igmp_enable type="bool" identifier="65">false</cfg_igmp_enable>
          <igmp_enabled type="bool" identifier="66">false</igmp_enabled>
        </ItfSandeshData>
      </list>
    </itf_list>
    <more type="bool" identifier="0">true</more>
  </ItfResp>
  <Pagination type="sandesh">
    <req type="struct" identifier="1">
      <PageReqData>
        <prev_page type="string" identifier="1" link="PageReq"/>
        <next_page type="string" identifier="2" link="PageReq"/>
        <first_page type="string" identifier="3" link="PageReq">begin:0,end:99,table:db.interface.0,name:tap062a1e54-9a</first_page>
        <all type="string" identifier="4" link="PageReq">begin:-1,end:-1,table:db.interface.0,name:tap062a1e54-9a</all>
        <table_size type="u32" identifier="5">6</table_size>
        <entries type="string" identifier="6">0-0/1</entries>
      </PageReqData>
    </req>
    <more type="bool" identifier="0">false</more>
  </Pagination>
</__ItfResp_list>

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/48237
Submitter: haji mohamed ashraf ali (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/48237
Committed: http://github.com/Juniper/contrail-controller/commit/190f56c9f1da15af85bf2aa9323c5b6d371b84c0
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 190f56c9f1da15af85bf2aa9323c5b6d371b84c0
Author: hajim <email address hidden>
Date: Mon Dec 17 11:58:13 2018 +0530

Firewall: traffic filter between two AGs as EP fails
We have made changes for address group labels to do an 'OR' operation
instead of 'AND' between endpoints
Closes-Bug: #1770518

Change-Id: If8c57657ebd2faf98871c4fc2401a01074d59ef4
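To make the AND-versus-OR label semantics from the description and the commit message concrete, here is a small Python model of ACE matching (added here; it is not vrouter code) using the two address groups visible in the ACL dump above. The flow endpoints and tag ids (87.122.40.3 carrying label=web, id 15; AG2 = label ids 16 and 15; AG1 = 135.147.158.0/24 and 87.122.40.4/32) are taken from the page; VM1's tag set is assumed empty, and treating an endpoint as an AG member when it falls in any CIDR or satisfies the AG's label set is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressGroup:
    """An address-group endpoint: a set of CIDR prefixes and/or label tag ids."""
    cidrs: tuple = ()       # e.g. ("135.147.158.0/24", "87.122.40.4/32")
    label_ids: tuple = ()   # e.g. (16, 15)  -> label=db, label=web


@dataclass(frozen=True)
class Endpoint:
    """A packet endpoint: its IP and the tag ids attached to its interface."""
    ip: str
    tag_ids: frozenset = frozenset()


def ag_matches(ag, ep, label_mode):
    """True if ep is a member of ag.

    CIDRs are always OR-ed. label_mode selects how the AG's labels are
    combined: "all" requires every label on the endpoint (the behaviour
    the bug describes), "any" requires at least one (the fix)."""
    addr = ipaddress.ip_address(ep.ip)
    if any(addr in ipaddress.ip_network(c) for c in ag.cidrs):
        return True
    if not ag.label_ids:
        return False
    if label_mode == "all":
        return all(lbl in ep.tag_ids for lbl in ag.label_ids)
    if label_mode == "any":
        return any(lbl in ep.tag_ids for lbl in ag.label_ids)
    raise ValueError("unknown label_mode: %r" % label_mode)


def evaluate(aces, src_ep, dst_ep, label_mode):
    """First-match evaluation; no match falls through to implicit deny."""
    for ace in aces:
        if ag_matches(ace["src"], src_ep, label_mode) and \
           ag_matches(ace["dst"], dst_ep, label_mode):
            return ace["action"]
    return "deny"   # what the flow shows as Action:D(FwPolicy)


# Address groups as seen in the ACL introspect on the page.
AG1 = AddressGroup(cidrs=("135.147.158.0/24", "87.122.40.4/32"))
AG2 = AddressGroup(label_ids=(16, 15))

# The two Terminal ACEs from the dump: AG1 -> AG2 pass, AG2 -> AG1 pass.
ACES = (
    {"src": AG1, "dst": AG2, "action": "pass"},
    {"src": AG2, "dst": AG1, "action": "pass"},
)

# Endpoints of the dropped flow. VM2's tags come from the interface dump;
# VM1 having no tags is a constructed assumption.
VM2 = Endpoint("87.122.40.3", frozenset({15, 65553, 131098, 196630, 262161}))
VM1 = Endpoint("87.122.40.4")


def outcome_by_mode(src_ep=VM2, dst_ep=VM1):
    """Return {label_mode: action} for the page's flow under both semantics."""
    return {mode: evaluate(ACES, src_ep, dst_ep, mode) for mode in ("all", "any")}


if __name__ == "__main__":
    for mode, action in outcome_by_mode().items():
        print("label_mode=%-3s -> %s" % (mode, action))
```

Under "all" the flow hits neither ACE (VM2 carries only label 15, not 16) and falls to the implicit deny, reproducing the report; under "any" the second ACE matches and the flow passes.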

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/48877
Submitter: Arun RS (<email address hidden>)
