Bug 1751942

Summary: SG rules not obeyed when a port range is specified
Product: Red Hat OpenStack
Reporter: Jon Uriarte <juriarte>
Component: python-networking-ovn
Assignee: Assaf Muller <amuller>
Status: CLOSED CURRENTRELEASE
QA Contact: Eran Kuris <ekuris>
Severity: high
Priority: high
Version: 15.0 (Stein)
CC: anusaxen, apevec, chrisw, dalvarez, dsanzmor, ealcaniz, eduen, jamsmith, jschluet, lhh, majopela, mduarted, mjozefcz, rhos-maint, scohen, takito
Target Milestone: zstream
Keywords: Triaged, ZStream
Target Release: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovn2.11-2.11.1-3.el8fdp
Doc Type: Known Issue
Doc Text: If you use Security Group rules that span across a port range (--dst-port X:Y), an OVN bug causes traffic filtering to fail and all traffic to be dropped. Workaround: Create one rule per port instead of using a port range.
Last Closed: 2019-12-09 19:53:12 UTC
Type: Bug
Bug Depends On: 1756466, 1757086
Bug Blocks: 1750831

Description Jon Uriarte 2019-09-13 07:46:03 UTC
The bug was originally reported in OCP 4.2 (https://bugzilla.redhat.com/show_bug.cgi?id=1750831), but as it seems to be an issue in OSP, I am creating this one against the OSP OVN component.


Description of problem:

OCP 4.2 installation on OSP 15 fails due to some SG rules not being applied. The bootstrap node cannot communicate with etcd services running in master nodes.

When rules are created with a port range they are not being applied. If the port range includes only one port, the rule is correctly applied.

There is more info and there are more comments on the original BZ.


Version-Release number of selected component (if applicable):
OSP 15 RHOS_TRUNK-15.0-RHEL-8-20190905.n.0


How reproducible: seen for the first time when running OCP 4.2 on OSP 15

Reproducer (thanks Martin André):
----------
Create a rule that spans multiple ports:
openstack security group rule create morenod-osp15-s2hbx-master --protocol tcp --dst-port 2391:2392

The port is still blocked:
sh-5.0# telnet 192.168.1.175 2392
Trying 192.168.1.175...
^C

Create a rule with only one port:
openstack security group rule create morenod-osp15-s2hbx-master --protocol tcp --dst-port 2392:2392

We can now connect to the port:
sh-5.0# telnet 192.168.1.175 2392
Trying 192.168.1.175...
telnet: connect to address 192.168.1.175: Connection refused

(we got connection refused because I didn't have any services listening on that port)


Issue reproduced on panther18, feel free to login into the server for debugging.
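The reproducer above, as an added example that is not code from this BZ: it flags security group rules that span a port range (the shape the OVN bug fails to apply), expands such a rule into the one-rule-per-port workaround from the Doc Text, and probes each port the way the telnet check does, treating "connection refused" as proof that the filter let traffic through and a timeout as traffic being dropped. The rule records and the helper names are constructed; the security group name and host come from the reproducer.

```python
import socket

# Constructed sample shaped like Neutron security group rule records (not from the BZ).
SAMPLE_RULES = [
    {"id": "r1", "protocol": "tcp", "port_range_min": 2391, "port_range_max": 2392},
    {"id": "r2", "protocol": "tcp", "port_range_min": 2392, "port_range_max": 2392},
    {"id": "r3", "protocol": "icmp", "port_range_min": None, "port_range_max": None},
]

def affected_rules(rules):
    """Rules spanning more than one port: the ones this OVN bug fails to apply."""
    return [r for r in rules
            if r["port_range_min"] is not None and r["port_range_min"] != r["port_range_max"]]

def expand_port_range(port_range):
    """'X:Y' (or 'X') -> [X, ..., Y]; rejects inverted or out-of-range values."""
    lo, _, hi = port_range.partition(":")
    lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {port_range!r}")
    return list(range(lo_i, hi_i + 1))

def workaround_commands(sg, protocol, port_range):
    """The BZ workaround: one single-port rule per port instead of one range rule."""
    return [f"openstack security group rule create {sg} --protocol {protocol} --dst-port {p}:{p}"
            for p in expand_port_range(port_range)]

def classify_outcome(exc):
    """'refused' (the telnet 'Connection refused') means the SG passed the packet;
    'filtered' (timeout) means it was dropped, which is what the bug looks like."""
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    return f"error:{exc.__class__.__name__}"

def probe_ports(host, ports, timeout=3.0):
    """Connect to every port the rule should allow; any 'filtered' entry reproduces the bug."""
    results = {}
    for port in ports:
        exc = None
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError as e:
            exc = e
        results[port] = classify_outcome(exc)
    return results

if __name__ == "__main__":
    print(affected_rules(SAMPLE_RULES))
    print("\n".join(workaround_commands("morenod-osp15-s2hbx-master", "tcp", "2391:2392")))
    print(probe_ports("192.168.1.175", expand_port_range("2391:2392")))
```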

Comment 1 Daniel Alvarez Sanchez 2019-09-13 09:44:03 UTC
Numan's working on this. There's a problem in ovn-controller with the conjunction flows.
This shows up when using multiple Security group rules that match on a port range.

We're working on a fix. Worst case if the fix is not simple, we'll disable conjunctive flows to unblock this and keep working on the actual fix.

Comment 2 Numan Siddique 2019-09-13 17:49:13 UTC
It is an OVN issue. We are working on the fix.
I will update this BZ as soon as we submit the patch upstream to fix this issue.

Thanks

Comment 3 Numan Siddique 2019-09-14 10:10:05 UTC
The fix is merged upstream - https://github.com/ovn-org/ovn/commit/298701dbc99645700be41680a43d049cb061847a

Comment 13 Numan Siddique 2019-10-14 17:09:36 UTC
The BZ https://bugzilla.redhat.com/show_bug.cgi?id=1756466 is tracked in OVN2.11 component.
I am moving this BZ to python-networking-ovn to track this issue.

Thanks
Numan

Comment 17 Lon Hohberger 2019-12-09 19:53:12 UTC
This has been tested to work with the current builds of openvswitch2.11 and ovn2.11 available from the Fast Datapath for RHEL8 repository.