Bug 1695452

Summary: Unable to install new flows on compute nodes when having broken security group rules
Product: Red Hat OpenStack Reporter: Slawek Kaplonski <skaplons>
Component: openstack-neutron Assignee: Bernard Cafarelli <bcafarel>
Status: CLOSED EOL QA Contact: Roee Agiman <ragiman>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 12.0 (Pike) CC: amuller, bcafarel, chrisw, ragiman, scohen
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Clone Of: 1695451 Environment:
Last Closed: 2019-04-03 12:16:49 UTC Type: ---
Bug Depends On: 1695450, 1695451    
Bug Blocks:    

Description Slawek Kaplonski 2019-04-03 06:53:36 UTC
+++ This bug was initially created as a clone of Bug #1695451 +++

+++ This bug was initially created as a clone of Bug #1695450 +++

It appears that we have found that neutron-openvswitch-agent appears to have a bug where two security group rules that have two different port ranges that overlap tied to the same parent security group will cause neutron to not be able to configure networks on the compute nodes where those security groups are present.
Those are the broken security rules: https://pastebin.canonical.com/p/wSy8RSXt85/
Here is the log when we discovered the issue: https://pastebin.canonical.com/p/wvFKjNWydr/

It affects only the openvswitch firewall driver.

Backports proposed U/S: https://review.openstack.org/#/q/I17ab643abbd2ec21eda4ae1dfb9abf2d4b0657f2
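
To audit a deployment for the rule pattern described above, the following added example (not code from the bug report or from neutron) reports pairs of rules in the same security group whose port ranges differ but overlap. It assumes rule dictionaries with the Neutron API field names, and assumes that only TCP/UDP rules with the same direction and ethertype are comparable; the sample rules are constructed.

```python
from collections import defaultdict
from itertools import combinations


def _rule(rid, sg, proto, lo, hi):
    """Build a constructed sample rule using Neutron API field names."""
    return {"id": rid, "security_group_id": sg, "direction": "ingress",
            "ethertype": "IPv4", "protocol": proto,
            "port_range_min": lo, "port_range_max": hi}


# Constructed sample data, not taken from the pastebin linked in the report.
SAMPLE_RULES = [
    _rule("rule-a", "sg-1", "tcp", 1000, 2000),
    _rule("rule-b", "sg-1", "tcp", 1500, 2500),   # overlaps rule-a
    _rule("rule-c", "sg-1", "udp", 1500, 2500),   # other protocol
    _rule("rule-d", "sg-2", "tcp", 1500, 2500),   # other security group
    _rule("rule-e", "sg-1", "tcp", 22, 22),       # disjoint from a and b
    _rule("rule-f", "sg-1", "tcp", None, None),   # no port range set
    _rule("rule-g", "sg-1", "icmp", 8, 0),        # ICMP type/code, not ports
]


def overlapping_rule_pairs(rules):
    """Return (security_group_id, rule_id, rule_id) for each pair of rules
    with different but overlapping port ranges in one security group."""
    groups = defaultdict(list)
    for r in rules:
        lo, hi = r.get("port_range_min"), r.get("port_range_max")
        # For ICMP these fields carry type/code, so only TCP/UDP is checked.
        if r.get("protocol") not in ("tcp", "udp") or lo is None or hi is None:
            continue
        key = (r["security_group_id"], r["direction"],
               r["ethertype"], r["protocol"])
        groups[key].append((lo, hi, r["id"]))

    pairs = []
    for key, items in sorted(groups.items()):
        for (lo1, hi1, id1), (lo2, hi2, id2) in combinations(sorted(items), 2):
            # Identical ranges are skipped: the report is about different ranges.
            if (lo1, hi1) != (lo2, hi2) and lo1 <= hi2 and lo2 <= hi1:
                pairs.append((key[0], id1, id2))
    return pairs


if __name__ == "__main__":
    for sg, first, second in overlapping_rule_pairs(SAMPLE_RULES):
        print(f"{sg}: {first} overlaps {second}")
```
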