Source and dest ports in acl are set to 0 causing snat packets to get dropped

Bug #1403590 reported by Vedamurthy Joshi
This bug affects 2 people
Affects           | Status        | Importance | Assigned to   | Milestone
Juniper Openstack | Fix Committed | High       | Sachin Bansal |
R2.0              | Won't Fix     | High       | Sachin Bansal |

Bug Description

2.0 Build 18 multi-node icehouse Ubuntu 14.04 setup

In a typical snat setup with 2 compute nodes, it was seen that snatted packets were getting dropped.

Per Naveen, the issue was due to both source and dest ports being set to 0, causing flow action drops.

We tried his change in schema code and snat worked fine then.

diff --git a/src/config/schema-transformer/to_bgp.py b/src/config/schema-transformer/to_bgp.py
index 04af4f5..94eca8c 100644
--- a/src/config/schema-transformer/to_bgp.py
+++ b/src/config/schema-transformer/to_bgp.py
@@ -2132,7 +2132,7 @@ class VirtualMachineInterfaceST(DictST):

             address = AddressType(subnet=SubnetType(
                 ip_obj.get_instance_ip_address(), 32))
- mc = MatchConditionType(src_address=address)
+ mc = MatchConditionType(src_address=address, src_port=PortType(-1, -1), dst_port=PortType(-1, -1), protocol="any")
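Review bot: The added MatchConditionType(...) call in VirtualMachineInterfaceST passes PortType(-1, -1) twice and protocol="any" as bare literals with no comment saying why, and the line runs well past 79 columns. Suggest wrapping the call across lines and adding a one-line comment that omitting the ports serialises as a 0 to 0 range, so the next reader does not simplify it back. The call still leaves dst_address unset; the rule quoted in the report shows that serialising as an empty ip-prefix with length 0, so it is worth confirming that this is matched as any destination, and a unit test asserting the generated match condition would keep this from regressing.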

--------------

From: Naveen N <email address hidden>
Date: Monday, December 8, 2014 at 9:01 PM
To: Sachin Bansal <email address hidden>
Cc: Vedamurthy Joshi <email address hidden>, Sandip Dey <email address hidden>, Divakar Dharanalakota <email address hidden>
Subject: Re: [Bug 1392260] [NEW] Ubuntu mainline 2453: Kernel route lookup failing for SNAT

Hi Sachin,
  Port range comes as 0 to 0 for both source and destination port.
Can you please take care of it?
<vrf-assign-rule>
   <match-condition>
    <protocol></protocol>
    <src-address>
     <subnet>
      <ip-prefix>192.168.0.2</ip-prefix>
      <ip-prefix-len>32</ip-prefix-len>
     </subnet>
     <virtual-network></virtual-network>
     <security-group></security-group>
     <network-policy></network-policy>
    </src-address>
    <src-port>
     <start-port>0</start-port>
     <end-port>0</end-port>
    </src-port>
    <dst-address>
     <subnet>
      <ip-prefix></ip-prefix>
      <ip-prefix-len>0</ip-prefix-len>
     </subnet>
     <virtual-network></virtual-network>
     <security-group></security-group>
     <network-policy></network-policy>
    </dst-address>

Regards
Naveen N
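
A configuration lint for the failure described in this report, as an added example that is not part of the original bug report or the project's code: it parses vrf-assign-rule XML and flags match conditions whose port range is 0 to 0 or whose protocol is empty. The `<rules>` wrapper, the `<dst-port>` element and the second rule are constructed for illustration; treating -1/-1 as the intended any-port value is an assumption taken from the patch above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rule quoted in the report. The <rules>
# wrapper, <dst-port> and the second (patched-style) rule are assumptions.
SAMPLE = """
<rules>
 <vrf-assign-rule><match-condition>
   <protocol></protocol>
   <src-port><start-port>0</start-port><end-port>0</end-port></src-port>
   <dst-port><start-port>0</start-port><end-port>0</end-port></dst-port>
 </match-condition></vrf-assign-rule>
 <vrf-assign-rule><match-condition>
   <protocol>any</protocol>
   <src-port><start-port>-1</start-port><end-port>-1</end-port></src-port>
   <dst-port><start-port>-1</start-port><end-port>-1</end-port></dst-port>
 </match-condition></vrf-assign-rule>
</rules>
"""

def port_range(match, tag):
    """Return (start, end) for a port element, or None if absent or blank."""
    try:
        return (int(match.findtext(f"{tag}/start-port", "")),
                int(match.findtext(f"{tag}/end-port", "")))
    except ValueError:
        return None

def lint_rules(xml_text):
    """List (rule_index, field, problem) for rules likely to miss real traffic."""
    findings = []
    for idx, rule in enumerate(ET.fromstring(xml_text).iter("vrf-assign-rule")):
        match = rule.find("match-condition")
        if match is None:
            findings.append((idx, "match-condition", "missing"))
            continue
        if not (match.findtext("protocol") or "").strip():
            findings.append((idx, "protocol", "empty"))
        for tag in ("src-port", "dst-port"):
            rng = port_range(match, tag)
            if rng is None:
                findings.append((idx, tag, "missing"))
            elif rng == (0, 0):
                # The case from this report: ports serialised as 0 to 0.
                findings.append((idx, tag, "0-0 range"))
    return findings

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE):
        print(finding)
```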

Changed in juniperopenstack:
importance: Undecided → High
Ashish Ranjan (aranjan-n) wrote :

Fix is in zuul

Changed in juniperopenstack:
assignee: nobody → Sachin Bansal (sbansal)
Sachin Bansal (sbansal)
Changed in juniperopenstack:
status: New → Fix Committed