ICMP packet to FIP is blocked
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| DragonFlow | Invalid | Critical | Unassigned | |
Bug Description
Hello
By default, when adding a new VM, default SG is applied to this new VM.
I found the following problem.
When sending ping to FIP, the default rules added to table 77 block the icmp request.
These are the default rules created when adding new VM:
table=77, n_packets=2, n_bytes=247, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=1400, n_bytes=137200, priority=1 actions=drop
As you can see priority=
There should be no ip address here.
When creating a new SG and adding inside it a rule to allow ICMP-ANY, the following rules are created:
table=77, n_packets=130, n_bytes=12791, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=2, n_bytes=196, priority=
table=77, n_packets=0, n_bytes=0, priority=4,icmp actions=
table=77, n_packets=0, n_bytes=0, priority=
table=77, n_packets=1888, n_bytes=185024, priority=1 actions=drop
Now everything works.
Changed in dragonflow: importance: Undecided → Critical
When tracing this bug I found the following.
Sometimes in the database, in the secgroup table, in a rule record, the remote_group_id has the same value as the secgroup id.
For example:
Table = secgroup
Key = a79c9d00-e2ca-4107-a008-16a3f57e309e
Value = {"topic": "fbb212277633433d980dc71fa0bb6321",
"rules": [
{"direction": "ingress", "protocol": null, "description": "",
"port_range_max": null, "topic": "fbb212277633433d980dc71fa0bb6321",
"id": "6835b015-1211-4d7a-bdad-c2cd74d93150",
"remote_group_id": "a79c9d00-e2ca-4107-a008-16a3f57e309e",
"remote_ip_prefix": null,
"security_group_id": "a79c9d00-e2ca-4107-a008-16a3f57e309e",
"port_range_min": null,
"ethertype": "IPv4"},
the Key = rules[0]['remote_group_id']
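A triage check for the record quoted above, added here and not part of the bug report or of DragonFlow: it parses a secgroup record and classifies each rule by what remote it admits, so a self-referencing remote_group_id (members of the same group only, which does not cover an outside host pinging the FIP) is told apart from a rule open to any address or from a rule that is filed under the wrong group. The record below is constructed from the page's values; the second ICMP rule and the names `classify_rules` and `SECGROUP_VALUE` are assumptions.

```python
import json

# Constructed secgroup record: key, topic and the first rule mirror the
# values quoted in the report; the second rule is an assumed ICMP-ANY rule
# like the one the reporter added to make ping work.
SECGROUP_KEY = "a79c9d00-e2ca-4107-a008-16a3f57e309e"
SECGROUP_VALUE = json.dumps({
    "topic": "fbb212277633433d980dc71fa0bb6321",
    "rules": [
        {"direction": "ingress", "protocol": None, "description": "",
         "port_range_max": None, "topic": "fbb212277633433d980dc71fa0bb6321",
         "id": "6835b015-1211-4d7a-bdad-c2cd74d93150",
         "remote_group_id": "a79c9d00-e2ca-4107-a008-16a3f57e309e",
         "remote_ip_prefix": None,
         "security_group_id": "a79c9d00-e2ca-4107-a008-16a3f57e309e",
         "port_range_min": None, "ethertype": "IPv4"},
        {"direction": "ingress", "protocol": "icmp", "description": "",
         "port_range_max": None, "topic": "fbb212277633433d980dc71fa0bb6321",
         "id": "constructed-icmp-any-rule-id",
         "remote_group_id": None,
         "remote_ip_prefix": None,
         "security_group_id": "a79c9d00-e2ca-4107-a008-16a3f57e309e",
         "port_range_min": None, "ethertype": "IPv4"},
    ],
})


def classify_rules(key, value):
    """Return (rule_id, finding) pairs for one secgroup DB record.

    A rule whose remote_group_id equals its own security_group_id admits
    traffic only from ports that are members of that same group, so it
    cannot admit an ICMP request arriving from outside via the FIP.
    A rule whose security_group_id differs from the record key is a real
    inconsistency in the record and is reported first.
    """
    record = json.loads(value)
    findings = []
    for rule in record.get("rules", []):
        if rule.get("security_group_id") != key:
            findings.append((rule["id"], "rule belongs to a different group"))
        elif rule.get("remote_group_id") == key:
            findings.append((rule["id"], "self-referencing remote_group_id"))
        elif rule.get("remote_group_id") is None and rule.get("remote_ip_prefix") is None:
            findings.append((rule["id"], "matches any remote address"))
        else:
            findings.append((rule["id"], "specific remote group or prefix"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in classify_rules(SECGROUP_KEY, SECGROUP_VALUE):
        print(rule_id, "->", finding)
```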