Security group block flows when chassis snat is enabled
Bug #1792307 reported by
wang jian
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| DragonFlow |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
I enabled chassis snat, and found TCP flow is blocked by security group.
The reason is that the ingress flow of the chassis snat did not pass through the security group flows, with the result that the security group did not update the CT state of the flow.
In addition, the chassis snat use zone 65534 in CT, but SG use other zones, so the ingress flow should also be sent to SG flows to update the CT state
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to dragonflow (master) | #1 |
| Changed in dragonflow: | |
| status: | New → Fix Released |
To post a comment you must log in.
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 74a54b44468cb16
Author: wangjian <email address hidden>
Date: Thu Sep 13 09:46:30 2018 +0800
security group denies TCP flows when chassis-snat is enabled
The ingress packet should pass through security group flows to let
CT to update the state of the flow. Otherwise, the subsequent flows
would be blocked by the security group because of a invalid state of
the flow
Change-Id: I94cb3ec06d1b13
Closes-Bug: 1792307