Not able to ping between VMs when creating logging with --resource-type security_group

Hello Nguyen Phuong An,

I would like to rise one question - does it work (ping from VM1 to VM2 and vice versa) when there is no network login created, but only default security group is updated, with ALLOW ICMP?

Paweł

Hello Pawel,

Regarding your question, It should work. Because a egress packet sent to table=91, it will be forwarded by default NORMAL flow of this table. However if we create a security group logging, then ovs flows log will be added to table=91 with higher priority. So packet will be sent to controller and never forward.

Thanks,
An

Reviewed: https://review.openstack.org/591918
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c
Submitter: Zuul
Branch: master

commit 7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c
Author: Nguyen Phuong An <email address hidden>
Date: Wed Aug 15 13:09:38 2018 +0700

    Fix lost connection when create security group log

    Packet sent to table 91 are considered accepted by the egress pipeline
    and NORMAL action is used by default in this table. However, if we
    create a security group logging resource, then ovs flows log will be
    added into this table with higher priority. Therefore packet matches
    with ovs flows log will be sent to CONTROLLER and never forward.
    So this patch append action=NORMAL into ovs flows log to forward
    the packet and send it to CONTROLLER for logging.

    Closes-Bug: #1787106
    Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/593533

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/593534

Reviewed: https://review.openstack.org/593533
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=684ea3980135c59c6f5f74bca38f5abf71f1b4ea
Submitter: Zuul
Branch: stable/rocky

commit 684ea3980135c59c6f5f74bca38f5abf71f1b4ea
Author: Nguyen Phuong An <email address hidden>
Date: Wed Aug 15 13:09:38 2018 +0700

    Fix lost connection when create security group log

    Packet sent to table 91 are considered accepted by the egress pipeline
    and NORMAL action is used by default in this table. However, if we
    create a security group logging resource, then ovs flows log will be
    added into this table with higher priority. Therefore packet matches
    with ovs flows log will be sent to CONTROLLER and never forward.
    So this patch append action=NORMAL into ovs flows log to forward
    the packet and send it to CONTROLLER for logging.

    Closes-Bug: #1787106
    Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3
    (cherry picked from commit 7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c)

This issue was fixed in the openstack/neutron 13.0.0.0rc2 release candidate.

Reviewed: https://review.openstack.org/593534
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6465226bd26d86b87d4a85084ec553a3ccd78640
Submitter: Zuul
Branch: stable/queens

commit 6465226bd26d86b87d4a85084ec553a3ccd78640
Author: Nguyen Phuong An <email address hidden>
Date: Wed Aug 15 13:09:38 2018 +0700

    Fix lost connection when create security group log

    Packet sent to table 91 are considered accepted by the egress pipeline
    and NORMAL action is used by default in this table. However, if we
    create a security group logging resource, then ovs flows log will be
    added into this table with higher priority. Therefore packet matches
    with ovs flows log will be sent to CONTROLLER and never forward.
    So this patch append action=NORMAL into ovs flows log to forward
    the packet and send it to CONTROLLER for logging.

    Closes-Bug: #1787106
    Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3
    (cherry picked from commit 7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c)

This issue was fixed in the openstack/neutron 12.0.4 release.

This issue was fixed in the openstack/neutron 14.0.0.0b1 development milestone.