[R5.0-36]- route is not leaked with policy inheritance

Bug #1767052 reported by alok kumar on 2018-04-26
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R3.2
Invalid
Undecided
Nagendra Prasath
R4.1
Invalid
Undecided
Nagendra Prasath
R5.0
Fix Committed
Critical
Sachin Bansal
Trunk
Fix Committed
Critical
Sachin Bansal

Bug Description

sanity report: http://10.204.216.50/Docs/logs/5.0-36_2018_04_26_02_37_01_1524700152.34/junit-noframes.html

test case:TestPolicyAclIpv4v6.test_policy_inheritance_src_pol_dst_any

when policy rule has policy in the rule then route leaking is not happening.

In current case, 3 policies were created and attached to VNs were as below:

1. Display Name
    policy12
    UUID
    4c2235eb-b04e-41bf-bba1-2d27a8f20490
    Connected networks
    VN1
    Rules
    pass protocol icmp policy policy13 ports any <> network any ports any
    pass protocol 58 policy policy13 ports any <> network any ports any

2. Display Name
policy13
UUID
686ecb48-8413-4ae3-88d8-36ef76cce1be
Connected networks
VN1
Rules
deny protocol any network VN1 ports any <> network VN3 ports any

3. Display Name
policy21
UUID
d162b3df-496d-4f16-99ac-baa74e112a77
Connected networks
VN2
Rules
pass protocol icmp network VN2 ports any <> network VN1 ports any
pass protocol 58 network VN2 ports any <> network VN1 ports any

with this route was not leaked, in control node below was the rt import/exports:

VN1:
  import_target
  target:64512:8000005
  target:10.10.10.7:8

  export_target
  target:64512:8000005

VN2:
  import_target
  target:64512:8000006
  target:10.10.10.7:9

  export_target
  target:64512:8000006

Offending commit is https://github.com/Juniper/contrail-controller/commit/7ea9203afdc60d72a1aa56483e3a0fb5b8d22465

Do revert the same in the schema-transformer container and restart the same

Jeba Paulaiyan (jebap) on 2018-04-26
tags: added: releasenote

Review in progress for https://review.opencontrail.org/42568
Submitter: Sachin Bansal (<email address hidden>)

Review in progress for https://review.opencontrail.org/42570
Submitter: Sachin Bansal (<email address hidden>)

Review in progress for https://review.opencontrail.org/42587
Submitter: Sachin Bansal (<email address hidden>)

Reviewed: https://review.opencontrail.org/42570
Committed: http://github.com/Juniper/contrail-controller/commit/c1d3ed02f8990b34815724c49e259a5432675fea
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit c1d3ed02f8990b34815724c49e259a5432675fea
Author: Sachin Bansal <email address hidden>
Date: Thu Apr 26 22:16:08 2018 -0700

Evaluate ACL rules in both directions

Since ACL rules are now bidirectional, we should evaluate them
in both directions for possible RI connections.

Change-Id: Ibb8ba78d74e825744bc45ae3a8151c61ca8ccd20
Closes-Bug: 1767052

Reviewed: https://review.opencontrail.org/42587
Committed: http://github.com/Juniper/contrail-controller/commit/d9ea000db279a700e4721371e0c552bfdb03d1ff
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit d9ea000db279a700e4721371e0c552bfdb03d1ff
Author: Sachin Bansal <email address hidden>
Date: Thu Apr 26 22:16:08 2018 -0700

Evaluate ACL rules in both directions

Since ACL rules are now bidirectional, we should evaluate them
in both directions for possible RI connections.

Change-Id: Ibb8ba78d74e825744bc45ae3a8151c61ca8ccd20
Closes-Bug: 1767052

Shivayogi Ugaji (shivayogi123) wrote :

Needs to be ported to 3.2 and 4.1.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers