Stateleful SG API extension should be disabled when old OVN is used
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Low
|
Slawek Kaplonski |
Bug Description
Stateful security group API extension is supported by OVN backend since [1] and [2] but it works properly only with OVN >= 21.06 which added support for "allow-stateless" action in ACL rules.
Neutron currently supports still e.g. Ubuntu 20.04 which delivers OVN 20.03. In that case stateful SG API extension is available in Neutron and it allows users to create stateless SG but OVN will then silently ignore requested "allow-stateless" and will set "allow-related" for all ACL rules. Finally cloud's user will be using stateful SG rules even when stateless was requested and are shown in Neutron API.
Because of that Neutron should check OVN version and remove this API extension from the enabled extensions list if OVN is not 21.06 or newer.
[1] https:/
[2] https:/
Fix proposed to branch: master /review. opendev. org/c/openstack /neutron/ +/871982
Review: https:/