Security group block flows when chassis snat is enabled
Bug #1792307 reported by wang jian
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
DragonFlow | Fix Released | Undecided | Unassigned | |
Bug Description
I enabled chassis snat, and found TCP flow is blocked by security group.
The reason is that the ingress flow of the chassis snat did not pass through the security group flows, with the result that the security group did not update the CT state of the flow.
In addition, the chassis snat uses zone 65534 in CT, but SG uses other zones, so the ingress flow should also be sent to SG flows to update the CT state.
Reviewed: https://review.openstack.org/602215
Committed: https://git.openstack.org/cgit/openstack/dragonflow/commit/?id=74a54b44468cb16500e556483618bdb626ee00a7
Submitter: Zuul
Branch: master
commit 74a54b44468cb16500e556483618bdb626ee00a7
Author: wangjian <email address hidden>
Date: Thu Sep 13 09:46:30 2018 +0800
security group denies TCP flows when chassis-snat is enabled
The ingress packet should pass through security group flows to let
CT update the state of the flow. Otherwise, the subsequent flows
would be blocked by the security group because of an invalid state of
the flow
Change-Id: I94cb3ec06d1b1335586c353a35020c9655d520af
Closes-Bug: 1792307
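
The zone isolation behind this bug can be reproduced with a toy per-zone TCP tracker. This is an added example, not Dragonflow code or part of the original report. It assumes strict TCP state tracking and a simplified packet path that ignores address rewriting; `SG_ZONE = 7` and the sample 5-tuple are constructed values, and only zone 65534 comes from the report.

```python
# Toy per-zone TCP connection tracker (added illustration, not Dragonflow code).
# Zone 65534 is the chassis-SNAT zone named in the report; SG_ZONE = 7 is a
# constructed stand-in for the zone the security-group flows use.
SNAT_ZONE, SG_ZONE = 65534, 7

# (current state, direction, TCP flags) -> next state; anything else is INVALID.
TRANSITIONS = {
    (None, "orig", "SYN"): "SYN_SENT",
    ("SYN_SENT", "reply", "SYN+ACK"): "SYN_RECV",
    ("SYN_RECV", "orig", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "orig", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "reply", "ACK"): "ESTABLISHED",
}


class Conntrack:
    def __init__(self):
        self.table = {}  # (zone, flow) -> TCP state; zones never share entries

    def track(self, zone, flow, direction, flags):
        """Run one packet through the tracker for `zone`; return the new state."""
        key = (zone, flow)
        nxt = TRANSITIONS.get((self.table.get(key), direction, flags))
        if nxt is None:
            return "INVALID"  # what an invalid-state match in the SG flows sees
        self.table[key] = nxt
        return nxt


def handshake(ingress_visits_sg):
    """Replay SYN / SYN+ACK / ACK for a VM behind chassis SNAT.

    Returns the SG-zone state for the VM's final ACK.
    """
    ct = Conntrack()
    flow = ("10.0.0.5", 40000, "203.0.113.9", 80)  # constructed sample tuple
    # Egress SYN: tracked in the security-group zone and in the SNAT zone
    # (assumed ordering).
    ct.track(SG_ZONE, flow, "orig", "SYN")
    ct.track(SNAT_ZONE, flow, "orig", "SYN")
    # Ingress SYN+ACK: always tracked in the SNAT zone ...
    ct.track(SNAT_ZONE, flow, "reply", "SYN+ACK")
    if ingress_visits_sg:  # ... and, with the fix, also sent to the SG flows
        ct.track(SG_ZONE, flow, "reply", "SYN+ACK")
    # Egress ACK: the SG zone's view decides whether the packet is allowed.
    return ct.track(SG_ZONE, flow, "orig", "ACK")


if __name__ == "__main__":
    print("ingress skips SG flows: ", handshake(False))  # INVALID
    print("ingress visits SG flows:", handshake(True))   # ESTABLISHED
```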