ovsfw sometimes rejects legitimate traffic when multiple remote SG rules are in use
Affects: neutron | Importance: High | Assigned to: IWAMOTO Toshihiro
Bug Description
ovsfw uses conjunction to represent SG rules with remote_group_id.
When there are multiple rules which differ only in remote_group_id, the ovsfw code generates flows with the same match fields and different conjunction actions. Such flows don't work well, as the OpenFlow spec says.
A sequence to reproduce the bug:
$ openstack security group create sg1
$ openstack security group create sg2
$ openstack security group rule create --remote-group sg2 --dst-port 22:80 --protocol tcp --ingress sg1
$ openstack security group rule create --remote-group sg1 --dst-port 80 --protocol tcp --ingress sg1
Boot 3 instances: hoge1 (sg1), hoge2 (sg2), hoge12 (sg1 and sg2)
Start "nc -l -p 80" on hoge12.
Try to connect to hoge12:80 from hoge1 and hoge2. Either one should fail.
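The following is an added example, not neutron's ovsfw code, that models the reproduction above: two rules that differ only in remote_group_id are expanded into flows, the buggy path leaves two flows with identical match fields and different conjunction() actions (so one of the two peers is rejected), and the merged path combines the actions into a single flow as the later fix does. The conj_id numbers, the per-port expansion of the 22:80 range, the group membership table and the "first installed flow wins" switch model are all constructed for this illustration; real OVS uses masked port matches and the spec leaves the choice between equal-priority duplicates undefined.

```python
"""Model of the duplicate-conjunction-flow problem and its merge fix.

Added example, not neutron's own ovsfw code.  Assumptions (constructed):
conj_id numbers, per-port expansion of port ranges, instance-to-group
membership, and a switch that returns the first flow with a matching
match (one of the behaviours the OpenFlow spec allows for duplicates).
"""

# Constructed rules mirroring the bug's reproduction:
#   sg1 ingress tcp 22:80 from remote group sg2  -> conj_id 1
#   sg1 ingress tcp 80    from remote group sg1  -> conj_id 2
RULES = [
    {"direction": "ingress", "protocol": "tcp", "ports": (22, 80),
     "remote_group_id": "sg2", "conj_id": 1},
    {"direction": "ingress", "protocol": "tcp", "ports": (80, 80),
     "remote_group_id": "sg1", "conj_id": 2},
]

# Which security groups each test instance belongs to (constructed).
MEMBERSHIP = {"hoge1": {"sg1"}, "hoge2": {"sg2"}, "hoge12": {"sg1", "sg2"}}


def conj_action(conj_id, clause=2, n_clauses=2):
    """Render one conjunction() action in ovs-ofctl notation."""
    return f"conjunction({conj_id},{clause}/{n_clauses})"


def rule_flows(rule):
    """Expand one rule into (match, actions) pairs, one per TCP port.

    Per-port expansion is a simplification (ovsfw uses masked port
    matches); it keeps the port-80 collision between the two rules visible.
    """
    lo, hi = rule["ports"]
    for port in range(lo, hi + 1):
        yield (rule["direction"], rule["protocol"], port), [conj_action(rule["conj_id"])]


def build_flows(rules, merge):
    """Build the flow table as a list of [match, actions].

    merge=False reproduces the bug: a second flow with an identical match is
    appended, leaving two equal-priority flows with different actions.
    merge=True is the fix: actions for an identical match are combined
    into one flow.
    """
    flows = []
    for rule in rules:
        for match, actions in rule_flows(rule):
            existing = next((f for f in flows if f[0] == match), None)
            if existing is not None and merge:
                existing[1].extend(actions)
            else:
                flows.append([match, list(actions)])
    return flows


def duplicate_matches(flows):
    """Return the set of match tuples that appear in more than one flow."""
    seen, dups = set(), set()
    for match, _ in flows:
        if match in seen:
            dups.add(match)
        seen.add(match)
    return dups


def lookup(flows, match):
    """conj_ids whose clause 2 fires for this match (first matching flow wins)."""
    for flow_match, actions in flows:
        if flow_match == match:
            return {int(a.split("(")[1].split(",")[0]) for a in actions}
    return set()


def is_allowed(flows, src_instance, port, direction="ingress", protocol="tcp"):
    """True if traffic from src_instance to the port completes some conjunction.

    Clause 1 (source is a member of the rule's remote group) is set in another
    table in ovsfw; here it is checked directly against MEMBERSHIP.
    """
    conj_ids = lookup(flows, (direction, protocol, port))
    src_groups = MEMBERSHIP[src_instance]
    return any(rule["conj_id"] in conj_ids and rule["remote_group_id"] in src_groups
               for rule in RULES)


def flow_as_text(match, actions, priority=70):
    """Render a flow in ovs-ofctl style (priority value constructed)."""
    _direction, protocol, port = match
    return f"priority={priority},{protocol},tp_dst={port} actions={','.join(actions)}"


if __name__ == "__main__":
    buggy = build_flows(RULES, merge=False)
    fixed = build_flows(RULES, merge=True)
    print("duplicate matches in buggy table:", duplicate_matches(buggy))
    for src in ("hoge1", "hoge2"):
        print(f"{src} -> hoge12:80  buggy={is_allowed(buggy, src, 80)}"
              f"  fixed={is_allowed(fixed, src, 80)}")
    port80 = next(f for f in fixed if f[0][2] == 80)
    print("merged flow:", flow_as_text(*port80))
```

Running it shows the buggy table carrying two flows for tcp/80 and rejecting hoge1 (the peer whose rule was installed second), while the merged table yields one flow with both conjunction(1,2/2) and conjunction(2,2/2) and accepts both peers. The later "Use multiple priorities" change in this bug addresses the separate overlapping-match case, which this model does not cover.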
Jakub Libosvar (libosvar) wrote (#2):
I was debugging today a failure where I saw flows with actions=
IWAMOTO Toshihiro (iwamoto) wrote (#3):
Hi Jakub,
that sounds like a different issue.
This bug report is about multiple flows with the same match fields but with different conjunction actions.
We need something like ConjIpManager that merges those actions=(...,2/2) flows.
Fix proposed to branch: master
Review: https:/
Changed in neutron: assignee: nobody → IWAMOTO Toshihiro (iwamoto); status: New → In Progress
Changed in neutron: importance: Undecided → High
Change abandoned by IWAMOTO Toshihiro (<email address hidden>) on branch: master
Review: https:/
Reason: squashed into 492404.
Fix proposed to branch: master
Review: https:/
Related fix proposed to branch: master
Review: https:/
Changed in neutron: milestone: none → queens-2
Change abandoned by IWAMOTO Toshihiro (<email address hidden>) on branch: master
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 237ec30ca943227
Author: IWAMOTO Toshihiro <email address hidden>
Date: Wed Aug 2 17:12:56 2017 +0900
ovsfw: Merge multiple conjunction flows
The ovsfw code generated multiple flows with the same or overlapping
match fields and different actions=
Merge such flows and generate only one flow with
actions=
are correctly performed.
Change-Id: I0cd325b02f35e1
Partial-bug: #1708092
Fix proposed to branch: stable/pike
Review: https:/
Jakub Libosvar (libosvar) wrote (#11):
Iwamoto, is there anything else we need to work on?
IWAMOTO Toshihiro (iwamoto) wrote (#12):
Yup, please review remaining patches.
https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/pike
commit 04b155443a324d6
Author: IWAMOTO Toshihiro <email address hidden>
Date: Wed Aug 2 17:12:56 2017 +0900
ovsfw: Merge multiple conjunction flows
The ovsfw code generated multiple flows with the same or overlapping
match fields and different actions=
Merge such flows and generate only one flow with
actions=
are correctly performed.
Change-Id: I0cd325b02f35e1
Partial-bug: #1708092
(cherry picked from commit 237ec30ca943227
tags: added: in-stable-pike
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 4ac4c22a646799a
Author: IWAMOTO Toshihiro <email address hidden>
Date: Thu Aug 17 15:13:53 2017 +0900
ovsfw: Use multiple priorities in RULES_*_TABLE
The OpenFlow spec says packets shouldn't match against multiple flows
at the same priority or the result is undefined. In ovsfw, 8 priority
levels are needed to comply with this rule.
Note: unlike overlapping TCP port ranges cases, the current version
of OVS seems to handle this case magically.
Change-Id: I6deaee8dbe8145
Closes-bug: #1708092
Changed in neutron: status: In Progress → Fix Released
Fix proposed to branch: stable/pike
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/pike
commit 5c16f2bd79eabc7
Author: IWAMOTO Toshihiro <email address hidden>
Date: Thu Aug 17 15:13:53 2017 +0900
ovsfw: Use multiple priorities in RULES_*_TABLE
The OpenFlow spec says packets shouldn't match against multiple flows
at the same priority or the result is undefined. In ovsfw, 8 priority
levels are needed to comply with this rule.
Note: unlike overlapping TCP port ranges cases, the current version
of OVS seems to handle this case magically.
Change-Id: I6deaee8dbe8145
Closes-bug: #1708092
(cherry picked from commit 4ac4c22a646799a
This issue was fixed in the openstack/neutron 12.0.0.0b2 development milestone.
woody89 (a1007881221) wrote (#18):
good
This issue was fixed in the openstack/neutron 11.0.3 release.
Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https:/
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https:/
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
Related fix proposed to branch: master
Review: https://review.openstack.org/489918