Comment 1 for bug 1958643

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello:

Thanks for the detailed analysis. I think you are right: in the OVS firewall, we don't use the SG rules created by the SG handler. That was initially created for the iptables firewall, which is also used in the OVS firewall when using hybrid plug.

However, this "security_group_rules" list created in the port object is not used at all in the OVS FW using Open Flows. Instead, we build the default rules (DHCP, ICMP, etc.) and then apply the defined ones in the SG rules.

Just as OVN, this driver gets the SG rules and does not use the RPC SG object (we don't use this RPC anymore in OVN).

I think the easier approach here will be to just add this rule hardcoded in the OVS FW, same as for IPv5 ICMP traffic. I'll push a patch.

Regards.