ovsfw sometimes rejects legitimate traffic when multiple remote SG rules are in use
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | IWAMOTO Toshihiro |
Bug Description
ovsfw uses conjunction to represent SG rules with remote_group_id.
When there are multiple rules which differ only in remote_group_id, the ovsfw code generates flows with the same match fields and different conjunction actions. Such flows don't work well, as the OpenFlow spec says.
A sequence to reproduce the bug:
$ openstack security group create sg1
$ openstack security group create sg2
$ openstack security group rule create --remote-group sg2 --dst-port 22:80 --protocol tcp --ingress sg1
$ openstack security group rule create --remote-group sg1 --dst-port 80 --protocol tcp --ingress sg1
Boot 3 instances: hoge1 (sg1), hoge2 (sg2), hoge12 (sg1 and sg2)
Start "nc -l -p 80" on hoge12.
Try to connect to hoge12:80 from hoge1 and hoge2. Either one should fail.
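A small model of the collision, added here as an illustration rather than neutron's own code: the conjunction ids, the port-range decomposition and the single-table view of OpenFlow add-flow semantics are assumptions of this sketch. It shows why the two rules above collide on the exact-match flow for port 80 and how accumulating conjunction actions on one flow avoids it.

```python
"""Model of the flow-table collision described in this bug report.

Constructed example, not neutron's own code: the conjunction ids, the port
decomposition and the one-table model of OpenFlow add-flow are assumptions.
"""

# Assumed conjunction ids; ovsfw allocates one per remote security group.
CONJ_ID = {"sg2": 10, "sg1": 11}


def port_masks(lo, hi):
    """Split the TCP port range [lo, hi] into (value, mask) pairs."""
    out = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out


def build_flows(rules, merge):
    """rules: [(remote_sg, lo, hi)]; returns {match: set_of_conj_ids}.

    merge=False reproduces the bug: a later flow with the same match and
    priority replaces the earlier one, as OpenFlow add-flow does.
    merge=True keeps one flow per match and accumulates all conjunction ids.
    """
    table = {}
    for remote_sg, lo, hi in rules:
        for value, mask in port_masks(lo, hi):
            match = ("tcp", value, mask)
            if merge and match in table:
                table[match] = table[match] | {CONJ_ID[remote_sg]}
            else:
                table[match] = {CONJ_ID[remote_sg]}
    return table


def allowed(table, dst_port, src_groups):
    """True if TCP traffic to dst_port from a VM in src_groups is accepted.

    Clause 1/2 of a conjunction (source address is in the remote group) is
    modelled by src_groups; clause 2/2 is a port flow carrying that conj id.
    """
    wanted = {CONJ_ID[g] for g in src_groups if g in CONJ_ID}
    return any(dst_port & mask == value and bool(ids & wanted)
               for (_, value, mask), ids in table.items())


RULES = [("sg2", 22, 80), ("sg1", 80, 80)]  # the two rules from the report
```

With `merge=False`, the port-80 flow ends up carrying only the conjunction id of the rule added last, so one of hoge1 or hoge2 is rejected; with `merge=True`, both are accepted.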
Changed in neutron: importance: Undecided → High
Changed in neutron: milestone: none → queens-2
Related fix proposed to branch: master
Review: https://review.openstack.org/489918