Comment 1 for bug 1881157

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello:

I found an "easy way" to reproduce this issue. We need first to create two SGs:
- The first one without any specific rule (the default ones), "SG1"
- The other one, "SG2", accepting a custom TCP rule (ingress) from "SG1". It is important to use a custom TCP rule because the way the conj_id is generated depends on this [1].

Then we need to create two networks (with one subnet per network).

Then we need to create two VMs. VM1 in net1 and SG1, VM2 in net2 and SG2. When we delete both, because of [2], some rules are still in the OVS. This is because in [2], we use the SG ID to retrieve, from "self.conj_id_map" the conj_ids. Then we use those conj_ids to clean "self.conj_id_map".

The problem we have here: in "self.conj_id_map" we store the conj_id generated in "_conj_id_factory". This conj_id is a number divisible by 8. But in "self.conj_id_map" we store the conj_id plus the priority given [3].

That means the "sg_removed" method [2] does not correctly clean the flows for some specific ports (and the assigned IPs). If we create VMs again with ports using those IP addresses, even if those VMs/ports are not assigned to SG1, they will still have rules like:
  cookie=0x2f9dd929399d81fa, duration=3090.772s, table=82, n_packets=0, n_bytes=0, idle_age=3090,
    priority=71,ct_state=+new-est,ip,reg6=0x3,nw_src=10.2.0.29 actions=conjunction(27,1/2)
  cookie=0x2f9dd929399d81fa, duration=2916.283s, table=82, n_packets=0, n_bytes=0, idle_age=2923,
    priority=71,ct_state=+new-est,icmp,reg5=0x16 actions=conjunction(27,2/2)

That could be used by the VM with IP address 10.2.0.29 to connect to the (IP addresses/port) represented by conj_id 27.

Regards.

[1]https://github.com/openstack/neutron/blob/31280695a26cdcf211cb964ac5f401296398a19f/neutron/agent/linux/openvswitch_firewall/rules.py#L158-L174
[2]https://github.com/openstack/neutron/blob/31280695a26cdcf211cb964ac5f401296398a19f/neutron/agent/linux/openvswitch_firewall/firewall.py#L399-L422
[3]https://github.com/openstack/neutron/blob/31280695a26cdcf211cb964ac5f401296398a19f/neutron/agent/linux/openvswitch_firewall/firewall.py#L390
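Added example (not part of the comment above and not Neutron's own code): a small Python model of the bookkeeping the comment describes. The allocator hands out base conj_ids that are multiples of 8, the per-network map stores the base plus a priority-derived offset, and the SG-removal path subtracts only the base ids, so any entry created with a non-zero offset (the custom TCP rule case) is never dropped and its flows stay installed. The class and method names mirror the comment's vocabulary but are simplified; the `base + 2 * priority_offset` derivation, the 0..3 offset range and the sample address 10.2.0.29 are constructed assumptions of this model. The `expand_offsets` flag shows one way the model can be corrected; it is not the project's actual patch.

```python
import collections

# Constructed model, not Neutron's code. Assumptions: base ids advance in
# steps of 8, and a derived id is base + 2 * priority_offset for offsets 0..3.
CONJ_ID_STRIDE = 8
PRIORITY_OFFSETS = range(4)


class ConjIdMap:
    """Allocates base conj_ids per (sg, remote_sg, direction, ethertype)."""

    def __init__(self):
        self.id_map = collections.defaultdict(self._conj_id_factory)
        self.id_free = collections.deque()
        self.max_id = 0

    def _conj_id_factory(self):
        # Reuse a freed id if there is one, otherwise allocate the next multiple of 8.
        if self.id_free:
            return self.id_free.popleft()
        self.max_id += CONJ_ID_STRIDE
        return self.max_id

    def get_conj_id(self, sg_id, remote_sg_id, direction, ethertype):
        return self.id_map[(sg_id, remote_sg_id, direction, ethertype)]

    def delete_sg(self, sg_id):
        """Free every base id where sg_id is the local or the remote group.

        Note what is returned: the *base* ids, never the derived ones.
        """
        freed = []
        for key in list(self.id_map):
            if sg_id in key[:2]:
                base = self.id_map.pop(key)
                freed.append((key[1], base))
                self.id_free.append(base)
        return freed


class ConjFlowTracker:
    """Tracks the derived ids each remote SG uses per network, and the
    table-82 style "address -> conjunction" flows that reference them."""

    def __init__(self, expand_offsets=False):
        self.conj_id_map = ConjIdMap()
        # conj_ids[vlan][(direction, ethertype)][remote_sg] -> {derived conj_id}
        self.conj_ids = collections.defaultdict(
            lambda: collections.defaultdict(lambda: collections.defaultdict(set)))
        self.flows = {}  # derived conj_id -> set of remote member addresses
        self.expand_offsets = expand_offsets

    def add(self, vlan, sg_id, remote_sg_id, direction, ethertype,
            priority_offset, remote_addrs):
        base = self.conj_id_map.get_conj_id(sg_id, remote_sg_id, direction, ethertype)
        conj_id = base + priority_offset * 2  # the stored id is base + offset
        self.conj_ids[vlan][(direction, ethertype)][remote_sg_id].add(conj_id)
        self.flows.setdefault(conj_id, set()).update(remote_addrs)
        return conj_id

    def sg_removed(self, sg_id):
        unused = collections.defaultdict(set)
        for remote_sg_id, base in self.conj_id_map.delete_sg(sg_id):
            ids = {base}
            if self.expand_offsets:
                # Corrected model: free every id derived from this base.
                ids = {base + off * 2 for off in PRIORITY_OFFSETS}
            unused[remote_sg_id] |= ids
        for per_vlan in self.conj_ids.values():
            for per_remote in per_vlan.values():
                for remote_sg_id, ids in unused.items():
                    # Only ids present in both sets are removed; a base-only
                    # 'ids' never matches an entry stored with a non-zero offset.
                    for conj_id in ids & per_remote.get(remote_sg_id, set()):
                        per_remote[remote_sg_id].discard(conj_id)
                        self.flows.pop(conj_id, None)

    def stale_flows(self):
        """Flows still referencing a conj_id after cleanup."""
        return dict(self.flows)


def reproduce(priority_offset, expand_offsets=False):
    """Mirror the comment's scenario: SG2 accepts ingress from SG1 with a rule
    of the given priority offset, SG1 is removed, and whatever is still
    installed is returned. Offset 0 models the default rule, offset 3 a
    custom TCP rule (assumed mapping)."""
    tracker = ConjFlowTracker(expand_offsets)
    tracker.add(vlan=2, sg_id="SG2", remote_sg_id="SG1", direction="ingress",
                ethertype="IPv4", priority_offset=priority_offset,
                remote_addrs={"10.2.0.29"})  # constructed member address
    tracker.sg_removed("SG1")
    return tracker.stale_flows()


if __name__ == "__main__":
    print("offset 0:", reproduce(0))
    print("offset 3:", reproduce(3))
    print("offset 3, corrected:", reproduce(3, expand_offsets=True))
```

With offset 0 the base id (8) is both stored and freed, so nothing lingers; with offset 3 the stored id is 14 while only 8 is freed, so the flow for 10.2.0.29 survives and would match a later port that reuses that address. Expanding the freed set to every derived id (the `expand_offsets` path) clears it in this model.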