DescriptionChristophe Fontaine
2021-10-25 13:42:14 UTC
Description of problem:
When we switch back and forth between stateful to stateless security group, the ACL rules in OVN are not updated.
The new ACL rules are created according to the SG mode though.
Version-Release number of selected component (if applicable):
openstack-neutron-common-15.3.5-2.20210608154815.el8ost.4.noarch
openstack-neutron-15.3.5-2.20210608154815.el8ost.4.noarch
python3-neutron-15.3.5-2.20210608154815.el8ost.4.noarch
openstack-neutron-ml2-15.3.5-2.20210608154815.el8ost.4.noarch
How reproducible:
Always
Steps to Reproduce:
1. The pre created SG is stateful
$ openstack security group show default -c stateful -f value
True
In a controller, we can list the ACLs as "allow-related"
[heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL
_uuid : e31f56a6-a373-4f0f-b690-dafd7b964d99
action : allow-related
direction : to-lport
external_ids : {"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && udp"
meter : []
name : []
priority : 1002
severity : []
2. Switch to stateless SG:
$ openstack security group set --stateless default
Yet, the "list ACL" command shows that the rule still uses conntrack (allow-related).
3. We create a new rule:
openstack security group rule create default --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0
Actual results:
The rules are a mix of allow-related and allow-stateless:
[heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL
_uuid : fb970be6-493c-424a-b133-66dcbe3aedee
action : allow-stateless
direction : to-lport
external_ids : {"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
meter : []
name : []
priority : 1002
severity : []
_uuid : 18cc8207-6489-49d9-bb57-31ed04b04726
action : allow-related
direction : to-lport
external_ids : {"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"}
log : false
match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp"
meter : []
name : []
priority : 1002
severity : []
Expected results:
All rules should be "allow-stateless" or "allow-related" when we update the security group to stateless or stateful.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2022:6543
Description of problem: When we switch back and forth between stateful to stateless security group, the ACL rules in OVN are not updated. The new ACL rules are created according to the SG mode though. Version-Release number of selected component (if applicable): openstack-neutron-common-15.3.5-2.20210608154815.el8ost.4.noarch openstack-neutron-15.3.5-2.20210608154815.el8ost.4.noarch python3-neutron-15.3.5-2.20210608154815.el8ost.4.noarch openstack-neutron-ml2-15.3.5-2.20210608154815.el8ost.4.noarch How reproducible: Always Steps to Reproduce: 1. The pre created SG is stateful $ openstack security group show default -c stateful -f value True In a controller, we can list the ACLs as "allow-related" [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : e31f56a6-a373-4f0f-b690-dafd7b964d99 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && udp" meter : [] name : [] priority : 1002 severity : [] 2. Switch to stateless SG: $ openstack security group set --stateless default Yet, the "list ACL" command shows that the rule still uses conntrack (allow-related). 3. We create a new rule: openstack security group rule create default --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0 Actual results: The rules are a mix of allow-related and allow-stateless: [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : fb970be6-493c-424a-b133-66dcbe3aedee action : allow-stateless direction : to-lport external_ids : {"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22" meter : [] name : [] priority : 1002 severity : [] _uuid : 18cc8207-6489-49d9-bb57-31ed04b04726 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp" meter : [] name : [] priority : 1002 severity : [] Expected results: All rules should be "allow-stateless" or "allow-related" when we update the security group to stateless or stateful.