I have spotted this issue once locally so far. From analysis of the logs I suspect there may be some issue with neutron.agent.resource_cache:
- in the test logs I can see a call made to neutron-server to apply the SG on the port:
2018-01-17 22:08:11.956 3981 DEBUG neutronclient.client [-] REQ: curl -i http://127.0.0.1:15603/v2.0/ports/70cd10e8-c511-4bfa-a11f-f287f1aeafd8 -X PUT -H "X-Auth-Token: {SHA1}da39a3ee5e6b4b0d3255bfef95601890afd80709" -H "User-Agent: python-neutronclient" -d '{"port": {"security_groups": ["d7c4f90c-8c73-4dd9-8472-297ee226e7ae"], "port_security_enabled": true}}' http_log_req /opt/stack/neutron/.tox/dsvm-fullstack/local/lib/python2.7/site-packages/neutronclient/common/utils.py:195
- in the openvswitch agent, just after this call, I can see something like:
2018-01-17 22:08:12.707 6083 DEBUG neutron.agent.resource_cache [req-5086edc1-0bd2-427a-a352-409130a50b67 - - - - -] Received resource Port update without any changes: 70cd10e8-c511-4bfa-a11f-f287f1aeafd8 record_resource_update /opt/stack/neutron/neutron/agent/resource_cache.py:177
And after that the port still has iptables rules accepting all traffic, as it would for a port with port security disabled:
21 3672 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap70cd10e8-c5 --physdev-is-bridged /* Accept all packets when port security is disabled. */
20 1949 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap70cd10e8-c5 --physdev-is-bridged /* Accept all packets when port security is disabled. */
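As an added example (not part of this bug report or of neutron's own code), a small consistency check for the situation described above: it parses `iptables -L -n -v` output for the firewall driver's "accept all" rules and flags ports that neutron-server reports as having port security enabled while the agent side still carries that rule. It assumes neutron's tap naming convention ("tap" plus the first 11 characters of the port UUID, which matches tap70cd10e8-c5 above); the third sample rule and its port are constructed.

```python
import re
from typing import Dict, List, Set

# Comment the neutron iptables firewall driver attaches to its accept-all rules
# (exactly as it appears in the iptables output quoted in this report).
NO_PORTSEC_COMMENT = "Accept all packets when port security is disabled."


def tap_name(port_id: str) -> str:
    # Assumption: tap device = "tap" + first 11 chars of the port UUID.
    return "tap" + port_id[:11]


# Matches the physdev device and the trailing /* comment */ of one rule line.
_RULE_RE = re.compile(
    r"--physdev-(?:in|out)\s+(?P<dev>tap[0-9a-f-]{11}).*?/\*\s*(?P<comment>.*?)\s*\*/"
)


def devices_with_accept_all(iptables_output: str) -> Set[str]:
    """Return the tap devices that still carry the accept-all rule."""
    found = set()
    for line in iptables_output.splitlines():
        m = _RULE_RE.search(line)
        if m and m.group("comment") == NO_PORTSEC_COMMENT:
            found.add(m.group("dev"))
    return found


def find_stale_ports(ports: Dict[str, bool], iptables_output: str) -> List[str]:
    """ports maps port UUID -> port_security_enabled as reported by neutron-server.
    Returns UUIDs whose agent-side rules disagree: port security on, accept-all present."""
    accept_all = devices_with_accept_all(iptables_output)
    return sorted(pid for pid, on in ports.items() if on and tap_name(pid) in accept_all)


# Sample input: the two rules quoted in this report plus one constructed rule for a
# port whose port security really is disabled (so it must not be flagged).
SAMPLE_IPTABLES = """\
21 3672 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap70cd10e8-c5 --physdev-is-bridged /* Accept all packets when port security is disabled. */
20 1949 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap70cd10e8-c5 --physdev-is-bridged /* Accept all packets when port security is disabled. */
 5  420 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapaaaaaaaa-bb --physdev-is-bridged /* Accept all packets when port security is disabled. */
"""

SAMPLE_PORTS = {
    "70cd10e8-c511-4bfa-a11f-f287f1aeafd8": True,   # SG applied via the PUT in the report
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": False,  # constructed: port security legitimately off
}

if __name__ == "__main__":
    print(find_stale_ports(SAMPLE_PORTS, SAMPLE_IPTABLES))
```

Running it against the rules above reports the port from this bug as stale, while the constructed port with port security disabled is left alone.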