Bug 1751942
Summary: SG rules not obeyed when a port range is specified
Product: Red Hat OpenStack
Component: python-networking-ovn
Version: 15.0 (Stein)
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Jon Uriarte <juriarte>
Assignee: Assaf Muller <amuller>
QA Contact: Eran Kuris <ekuris>
CC: anusaxen, apevec, chrisw, dalvarez, dsanzmor, ealcaniz, eduen, jamsmith, jschluet, lhh, majopela, mduarted, mjozefcz, rhos-maint, scohen, takito
Target Milestone: zstream
Target Release: 15.0 (Stein)
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovn2.11-2.11.1-3.el8fdp
Doc Type: Known Issue
Doc Text:
If you use Security Group rules that span across a port range (--dst-port X:Y), an OVN bug causes traffic filtering to fail and all traffic to be dropped.
Workaround: Create one rule per port instead of using a port range.
Last Closed: 2019-12-09 19:53:12 UTC
Type: Bug
Bug Depends On: 1756466, 1757086
Bug Blocks: 1750831

Description
Jon Uriarte
2019-09-13 07:46:03 UTC
Numan's working on this. There's a problem in ovn-controller with the conjunction flows. This shows up when using multiple Security group rules that match on a port range. We're working on a fix. Worst case if the fix is not simple, we'll disable conjunctive flows to unblock this and keep working on the actual fix.

It is an OVN issue. We are working on the fix. I will update this BZ as soon as we submit the patch upstream to fix this issue. Thanks

The fix is merged upstream - https://github.com/ovn-org/ovn/commit/298701dbc99645700be41680a43d049cb061847a

The BZ https://bugzilla.redhat.com/show_bug.cgi?id=1756466 is tracked in OVN2.11 component. I am moving this BZ to python-networking-ovn to track this issue. Thanks Numan

This has been tested to work with the current builds of openvswitch2.11 and ovn2.11 available from the Fast Datapath for RHEL8 repository.
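
The Doc Text workaround (one rule per port instead of `--dst-port X:Y`), as an added example that is not code from this bug report or from OVN. The function name `expand_sg_port_range` and the `MAX_RULES` cap are assumptions made here; the `openstack security group rule create` commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the bug report: expand "--dst-port X:Y" into one
# rule per port. Commands are printed for review, not executed.
# MAX_RULES is an assumed safety cap; set it to the project's remaining
# security-group-rule quota so the expansion cannot exhaust it half-way.
MAX_RULES="${MAX_RULES:-100}"

expand_sg_port_range() {
    group="$1"; proto="$2"; range="$3"; direction="${4:-ingress}"

    case "$direction" in
        ingress|egress) ;;
        *) echo "direction must be ingress or egress" >&2; return 2 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp" >&2; return 2 ;;
    esac
    # Group ends up on a command line: allow only name/UUID characters.
    case "$group" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad security group: $group" >&2; return 2 ;;
    esac

    first="${range%:*}"   # "X:Y" -> X, "X" -> X
    last="${range#*:}"    # "X:Y" -> Y, "X" -> X
    for p in "$first" "$last"; do
        case "$p" in
            # empty, non-digit (also catches "1:2:3"), leading zero, >5 digits
            ''|*[!0-9]*|0*|??????*) echo "bad port range: $range" >&2; return 2 ;;
        esac
    done
    if [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "bad port range: $range" >&2; return 2
    fi

    count=$((last - first + 1))
    if [ "$count" -gt "$MAX_RULES" ]; then
        echo "range expands to $count rules, cap is $MAX_RULES" >&2; return 3
    fi

    port="$first"
    while [ "$port" -le "$last" ]; do
        printf 'openstack security group rule create --%s --protocol %s --dst-port %s %s\n' \
            "$direction" "$proto" "$port" "$group"
        port=$((port + 1))
    done
}
```

Review the printed commands, run them, and only then delete the original range rule, so the ports are never left without a matching rule.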