Not able to ping between VMs when creating logging with --resource-type security_group

Bug #1787106 reported by Vu Cong Tuan
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Nguyen Phuong An

Bug Description

Environment setup:
VM1 <=> (Subnet1) Router1 (Subnet2) <=> VM2
1. Create Subnet1, Subnet2
2. Attach Subnet1 and Subnet2 to Router1
3. Create log_resource with event=ALL
    openstack network log create --resource-type security_group --enable --event ALL Log_all_defined_resource
4. Create VM1 under Subnet1, create VM2 under Subnet2 (default security group)
5. Add ALLOW ICMP rule to default security group
6. Login to VM1, ping to VM2

Expected result: be able to ping to VM
Actual result: not able to ping to VM2

Please note that:
We can ping from Router1 to VM1 and VM2.
But when "logging to VM1", we cannot ping to VM2 and Router1.

Nguyen Phuong An (annp)
Changed in neutron:
assignee: nobody → Nguyen Phuong An (annp)
Changed in neutron:
status: New → In Progress
Pawel Suder (pasuder) wrote :

Hello Nguyen Phuong An,

I would like to raise one question - does it work (ping from VM1 to VM2 and vice versa) when there is no network login created, but only the default security group is updated with ALLOW ICMP?

Paweł

Nguyen Phuong An (annp) wrote :

Hello Pawel,

Regarding your question, it should work, because an egress packet sent to table=91 will be forwarded by the default NORMAL flow of this table. However, if we create a security group logging, then the OVS log flows will be added to table=91 with higher priority. So the packet will be sent to the controller and never forwarded.

Thanks,
An

LIU Yulong (dragon889)
tags: added: queens-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/591918
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c
Submitter: Zuul
Branch: master

commit 7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c
Author: Nguyen Phuong An <email address hidden>
Date: Wed Aug 15 13:09:38 2018 +0700

    Fix lost connection when create security group log

    Packet sent to table 91 are considered accepted by the egress pipeline
    and NORMAL action is used by default in this table. However, if we
    create a security group logging resource, then ovs flows log will be
    added into this table with higher priority. Therefore packet matches
    with ovs flows log will be sent to CONTROLLER and never forward.
    So this patch append action=NORMAL into ovs flows log to forward
    the packet and send it to CONTROLLER for logging.

    Closes-Bug: #1787106
    Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3
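
Added example (not part of the original thread or of the Neutron patch): a small audit that reads `ovs-ofctl dump-flows` text and reports flows in table 91 that send packets to CONTROLLER without also forwarding them, which is the condition described above. The sample flows, their priorities and match fields, and the helper names are constructed for illustration.

```python
import re

# Constructed sample in the style of `ovs-ofctl dump-flows br-int` output;
# cookies, priorities and match fields are illustrative, not taken from Neutron.
BEFORE_FIX = """\
 cookie=0x1, duration=10.0s, table=91, n_packets=4, n_bytes=392, priority=70,ct_state=+new-est,ip,reg5=0x5 actions=CONTROLLER:65535
 cookie=0x1, duration=90.0s, table=91, n_packets=0, n_bytes=0, priority=1 actions=NORMAL
 cookie=0x1, duration=90.0s, table=60, n_packets=9, n_bytes=882, priority=3 actions=NORMAL
"""
AFTER_FIX = BEFORE_FIX.replace("actions=CONTROLLER:65535", "actions=NORMAL,CONTROLLER:65535")

FORWARDING = {"NORMAL", "OUTPUT", "RESUBMIT"}  # actions that keep the packet moving


def split_actions(actions):
    """Return upper-cased action names, splitting only on top-level commas."""
    parts, depth, cur = [], 0, ""
    for ch in actions:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")  # track nesting such as ct(commit,zone=5)
        cur += ch
    parts.append(cur)
    return [re.split(r"[:(]", p.strip(), maxsplit=1)[0].upper() for p in parts if p.strip()]


def log_only_flows(dump, table=91):
    """Return (priority, match) for flows in `table` that go to the
    controller without any forwarding action alongside."""
    hits = []
    for line in dump.splitlines():
        head, sep, actions = line.partition(" actions=")
        m = re.search(r"\btable=(\d+)", head)
        if not sep or not m or int(m.group(1)) != table:
            continue
        names = set(split_actions(actions))
        if "CONTROLLER" in names and not names & FORWARDING:
            prio = re.search(r"\bpriority=(\d+)", head)  # omitted when default (32768)
            hits.append((int(prio.group(1)) if prio else 32768, head.rsplit(" ", 1)[-1]))
    return hits


if __name__ == "__main__":
    print("before fix:", log_only_flows(BEFORE_FIX))
    print("after fix: ", log_only_flows(AFTER_FIX))
```

On a compute node the same function can be fed the text of `ovs-ofctl dump-flows br-int table=91`; an empty result means every logging flow in that table also forwards.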

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/593533

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/593534

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.openstack.org/593533
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=684ea3980135c59c6f5f74bca38f5abf71f1b4ea
Submitter: Zuul
Branch: stable/rocky

commit 684ea3980135c59c6f5f74bca38f5abf71f1b4ea
Author: Nguyen Phuong An <email address hidden>
Date: Wed Aug 15 13:09:38 2018 +0700

    Fix lost connection when create security group log

    Packet sent to table 91 are considered accepted by the egress pipeline
    and NORMAL action is used by default in this table. However, if we
    create a security group logging resource, then ovs flows log will be
    added into this table with higher priority. Therefore packet matches
    with ovs flows log will be sent to CONTROLLER and never forward.
    So this patch append action=NORMAL into ovs flows log to forward
    the packet and send it to CONTROLLER for logging.

    Closes-Bug: #1787106
    Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3
    (cherry picked from commit 7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.0.0rc2

This issue was fixed in the openstack/neutron 13.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.openstack.org/593534
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6465226bd26d86b87d4a85084ec553a3ccd78640
Submitter: Zuul
Branch: stable/queens

commit 6465226bd26d86b87d4a85084ec553a3ccd78640
Author: Nguyen Phuong An <email address hidden>
Date: Wed Aug 15 13:09:38 2018 +0700

    Fix lost connection when create security group log

    Packet sent to table 91 are considered accepted by the egress pipeline
    and NORMAL action is used by default in this table. However, if we
    create a security group logging resource, then ovs flows log will be
    added into this table with higher priority. Therefore packet matches
    with ovs flows log will be sent to CONTROLLER and never forward.
    So this patch append action=NORMAL into ovs flows log to forward
    the packet and send it to CONTROLLER for logging.

    Closes-Bug: #1787106
    Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3
    (cherry picked from commit 7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.4

This issue was fixed in the openstack/neutron 12.0.4 release.

tags: added: neutron-proactive-backport-potential
tags: removed: in-stable-rocky neutron-proactive-backport-potential queens-backport-potential
tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.0.0b1

This issue was fixed in the openstack/neutron 14.0.0.0b1 development milestone.
