Multiple security group rules with OVS conjunctive match doesn't work
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
networking-ovn |
New
|
Undecided
|
Unassigned |
Bug Description
While creating two or more security group rules that points to the same port group the mechanism of updating OVS conjunctive match doesn't work. It deletes flows from previous rules while updating other.
Reproducer:
## neutron security-
stack@secgroup-
cookie=0x0, duration=146.368s, table=44, n_packets=0, n_bytes=0, idle_age=146, priority=
cookie=0x0, duration=146.368s, table=44, n_packets=0, n_bytes=0, idle_age=146, priority=
cookie=0x0, duration=146.368s, table=44, n_packets=0, n_bytes=0, idle_age=146, priority=
cookie=0x0, duration=
cookie=0x0, duration=
cookie=0x0, duration=146.368s, table=44, n_packets=0, n_bytes=0, idle_age=146, priority=
cookie=0x0, duration=146.368s, table=44, n_packets=0, n_bytes=0, idle_age=146, priority=
after second rule added:
## neutron security-
stack@secgroup-
cookie=0x0, duration=2.848s, table=44, n_packets=0, n_bytes=0, idle_age=2, priority=
cookie=0x0, duration=2.848s, table=44, n_packets=0, n_bytes=0, idle_age=2, priority=
cookie=0x0, duration=
cookie=0x0, duration=
cookie=0x0, duration=161.635s, table=44, n_packets=0, n_bytes=0, idle_age=161, hard_age=2, priority=
cookie=0x0, duration=161.635s, table=44, n_packets=0, n_bytes=0, idle_age=161, hard_age=2, priority=
# ^ missing flows for (33,1 and (33,2
stack@secgroup-
cookie=0x0, duration=161.635s, table=44, n_packets=0, n_bytes=0, idle_age=161, priority=
cookie=0x0, duration=161.635s, table=44, n_packets=0, n_bytes=0, idle_age=161, priority=
cookie=0x0, duration=161.635s, table=44, n_packets=0, n_bytes=0, idle_age=161, priority=
The issue is already addressed in OVN: https:/ /patchwork. ozlabs. org/patch/ 1162315/
I'm going to propose a neutron-tempest-lib test that will cover this use-case.