Juniper Openstack

[R5.0-36]- route is not leaked with policy inheritance

Bug #1767052 reported by alok kumar
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R3.2
Invalid
Undecided
Nagendra Prasath
R4.1
Invalid
Undecided
Nagendra Prasath
R5.0
Fix Committed
Critical
Sachin Bansal
Juniper Openstack r5.0.1
Trunk
Fix Committed
Critical
Sachin Bansal
Juniper Openstack r5.1.0

Bug Description

sanity report: http://10.204.216.50/Docs/logs/5.0-36_2018_04_26_02_37_01_1524700152.34/junit-noframes.html

test case:TestPolicyAclIpv4v6.test_policy_inheritance_src_pol_dst_any

when policy rule has policy in the rule then route leaking is not happening.

In current case, 3 policies were created and attached to VNs were as below:

1. Display Name
    policy12
    UUID
    4c2235eb-b04e-41bf-bba1-2d27a8f20490
    Connected networks
    VN1
    Rules
    pass protocol icmp policy policy13 ports any <> network any ports any
    pass protocol 58 policy policy13 ports any <> network any ports any

2. Display Name
policy13
UUID
686ecb48-8413-4ae3-88d8-36ef76cce1be
Connected networks
VN1
Rules
deny protocol any network VN1 ports any <> network VN3 ports any

3. Display Name
policy21
UUID
d162b3df-496d-4f16-99ac-baa74e112a77
Connected networks
VN2
Rules
pass protocol icmp network VN2 ports any <> network VN1 ports any
pass protocol 58 network VN2 ports any <> network VN1 ports any

with this route was not leaked, in control node below was the rt import/exports:

VN1:
  import_target
  target:64512:8000005
  target:10.10.10.7:8

  export_target
  target:64512:8000005

VN2:
  import_target
  target:64512:8000006
  target:10.10.10.7:9

  export_target
  target:64512:8000006

Revision history for this message
Senthilnathan Murugappan (msenthil) wrote :

Offending commit is https://github.com/Juniper/contrail-controller/commit/7ea9203afdc60d72a1aa56483e3a0fb5b8d22465

Do revert the same in the schema-transformer container and restart the same

Jeba Paulaiyan (jebap)
tags: added: releasenote
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0

Review in progress for https://review.opencontrail.org/42568
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/42570
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0

Review in progress for https://review.opencontrail.org/42587
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/42570
Committed: http://github.com/Juniper/contrail-controller/commit/c1d3ed02f8990b34815724c49e259a5432675fea
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit c1d3ed02f8990b34815724c49e259a5432675fea
Author: Sachin Bansal <email address hidden>
Date: Thu Apr 26 22:16:08 2018 -0700

Evaluate ACL rules in both directions

Since ACL rules are now bidirectional, we should evaluate them
in both directions for possible RI connections.

Change-Id: Ibb8ba78d74e825744bc45ae3a8151c61ca8ccd20
Closes-Bug: 1767052

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/42587
Committed: http://github.com/Juniper/contrail-controller/commit/d9ea000db279a700e4721371e0c552bfdb03d1ff
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit d9ea000db279a700e4721371e0c552bfdb03d1ff
Author: Sachin Bansal <email address hidden>
Date: Thu Apr 26 22:16:08 2018 -0700

Evaluate ACL rules in both directions

Since ACL rules are now bidirectional, we should evaluate them
in both directions for possible RI connections.

Change-Id: Ibb8ba78d74e825744bc45ae3a8151c61ca8ccd20
Closes-Bug: 1767052

Revision history for this message
Shivayogi Ugaji (shivayogi123) wrote :

Needs to be ported to 3.2 and 4.1.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.