Bug 1751942 - SG rules not obeyed when a port range is specified
Summary: SG rules not obeyed when a port range is specified
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Target Milestone: zstream
: 15.0 (Stein)
Assignee: Assaf Muller
QA Contact: Eran Kuris
Depends On: 1756466 1757086
Blocks: 1750831
Reported: 2019-09-13 07:46 UTC by Jon Uriarte
Modified: 2019-12-09 19:53 UTC (History)

Fixed In Version: ovn2.11-2.11.1-3.el8fdp
Doc Type: Known Issue
Doc Text:
If you use Security Group rules that span across a port range (--dst-port X:Y), an OVN bug causes traffic filtering to fail and all traffic to be dropped. Workaround: Create one rule per port instead of using a port range.
Clone Of:
Last Closed: 2019-12-09 19:53:12 UTC
Target Upstream Version:


Description Jon Uriarte 2019-09-13 07:46:03 UTC
The bug was originally reported in OCP 4.2 (https://bugzilla.redhat.com/show_bug.cgi?id=1750831), but as it seems to be an issue in OSP, I am creating this one against the OSP OVN component.

Description of problem:

OCP 4.2 installation on OSP 15 fails due to some SG rules not being applied. The bootstrap node cannot communicate with etcd services running in master nodes.

When rules are created with a port range they are not being applied. If the port range includes only one port, the rule is correctly applied.

More info and comments are on the original BZ.

Version-Release number of selected component (if applicable):
OSP 15 RHOS_TRUNK-15.0-RHEL-8-20190905.n.0

How reproducible: seen first time when running OCP 4.2 on OSP 15

Reproducer (thanks Martin André):
Create a rule that spans multiple ports:
openstack security group rule create morenod-osp15-s2hbx-master --protocol tcp --dst-port 2391:2392

The port is still blocked:
sh-5.0# telnet 2392

Create a rule with only one port:
openstack security group rule create morenod-osp15-s2hbx-master --protocol tcp --dst-port 2392:2392

We can now connect to the port:
sh-5.0# telnet 2392
telnet: connect to address Connection refused

(we got connection refused because I didn't have any services listening on that port)

Issue reproduced on panther18, feel free to login into the server for debugging.
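
The Doc Text workaround (one rule per port instead of a range) and the reproducer above suggest a small audit step. The following Python script is an added example, not code from this bug report, from networking-ovn or from OVN: it reads the JSON that `openstack security group rule list <sg> -f json` is assumed to produce (the column names and the sample rules below are constructed assumptions), flags TCP/UDP rules whose destination port range spans more than one port, and prints the equivalent single-port `openstack security group rule create` commands.

```python
"""Find security group rules that use a multi-port range and expand them.

Added example (not from the bug report or from networking-ovn). The known
issue on this BZ is triggered by TCP/UDP rules whose --dst-port is X:Y with
X != Y; the documented workaround is one rule per port. The JSON layout
below (column names "ID", "IP Protocol", "IP Range", "Port Range",
"Direction", "Remote Security Group") is an assumption about the output of
`openstack security group rule list <sg> -f json`.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not captured from a real deployment). The port
# numbers 2391/2392 are the ones from the reproducer; everything else is made up.
SAMPLE_RULES_JSON = """
[
  {"ID": "rule-a", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
   "Port Range": "2391:2392", "Direction": "ingress", "Remote Security Group": null},
  {"ID": "rule-b", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
   "Port Range": "2392:2392", "Direction": "ingress", "Remote Security Group": null},
  {"ID": "rule-c", "IP Protocol": "udp", "IP Range": null,
   "Port Range": "6000:6003", "Direction": "egress", "Remote Security Group": "sg-remote"},
  {"ID": "rule-d", "IP Protocol": "icmp", "IP Range": "0.0.0.0/0",
   "Port Range": "", "Direction": "ingress", "Remote Security Group": null},
  {"ID": "rule-e", "IP Protocol": null, "IP Range": null,
   "Port Range": "", "Direction": "ingress", "Remote Security Group": "sg-remote"}
]
"""


def parse_port_range(port_range: str) -> Optional[Tuple[int, int]]:
    """Return (low, high) for 'X:Y' or a bare 'X'; None when no port match."""
    if not port_range:
        return None
    lo, sep, hi = port_range.partition(":")
    if not sep:  # a bare "X" is a single port
        hi = lo
    lo_i, hi_i = int(lo), int(hi)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"invalid port range {port_range!r}")
    return lo_i, hi_i


def is_multi_port_rule(rule: Dict) -> bool:
    """True when a TCP/UDP rule matches more than one port (the case the OVN bug hits)."""
    if rule.get("IP Protocol") not in ("tcp", "udp"):
        return False
    rng = parse_port_range(rule.get("Port Range") or "")
    return rng is not None and rng[0] != rng[1]


def find_multi_port_rules(rules_json: str) -> List[Dict]:
    """All rules in the listing that use a multi-port range."""
    return [r for r in json.loads(rules_json) if is_multi_port_rule(r)]


def expand_rule(rule: Dict, sg_name: str, max_ports: int = 64) -> List[str]:
    """Equivalent single-port CLI commands for one ranged rule.

    Refuses very wide ranges: a 1:65535 rule would become tens of thousands
    of rules, which is not a sensible workaround and needs a human decision.
    """
    lo, hi = parse_port_range(rule["Port Range"])
    if hi - lo + 1 > max_ports:
        raise ValueError(f"{rule['ID']}: range {lo}:{hi} exceeds {max_ports} ports")
    commands = []
    for port in range(lo, hi + 1):
        cmd = ["openstack", "security", "group", "rule", "create", sg_name,
               "--protocol", rule["IP Protocol"],
               "--" + rule.get("Direction", "ingress"),
               "--dst-port", f"{port}:{port}"]
        # Preserve the remote side of the original rule.
        if rule.get("Remote Security Group"):
            cmd += ["--remote-group", rule["Remote Security Group"]]
        elif rule.get("IP Range"):
            cmd += ["--remote-ip", rule["IP Range"]]
        commands.append(" ".join(cmd))
    return commands


def report(rules_json: str, sg_name: str) -> List[str]:
    """Lines describing each affected rule and its single-port replacements."""
    lines = []
    for rule in find_multi_port_rules(rules_json):
        lines.append(f"rule {rule['ID']} uses range {rule['Port Range']}; replace with:")
        lines.extend("  " + c for c in expand_rule(rule, sg_name))
    return lines


if __name__ == "__main__":
    # Security group name taken from the reproducer in the description.
    print("\n".join(report(SAMPLE_RULES_JSON, "morenod-osp15-s2hbx-master")))
```

Feed the script the real listing (`openstack security group rule list <sg> -f json`) in place of the constructed sample, review the printed commands, and only then create the single-port rules and delete the ranged one; the script deliberately prints rather than executes so the change is reviewable.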

Comment 1 Daniel Alvarez Sanchez 2019-09-13 09:44:03 UTC
Numan's working on this. There's a problem in ovn-controller with the conjunction flows.
This shows up when using multiple Security group rules that match on a port range.

We're working on a fix. Worst case, if the fix is not simple, we'll disable conjunctive flows to unblock this and keep working on the actual fix.

Comment 2 Numan Siddique 2019-09-13 17:49:13 UTC
It is an OVN issue. We are working on the fix.
I will update this BZ as soon as we submit the patch upstream to fix this issue.


Comment 3 Numan Siddique 2019-09-14 10:10:05 UTC
The fix is merged upstream - https://github.com/ovn-org/ovn/commit/298701dbc99645700be41680a43d049cb061847a

Comment 13 Numan Siddique 2019-10-14 17:09:36 UTC
The BZ https://bugzilla.redhat.com/show_bug.cgi?id=1756466 is tracked in OVN2.11 component.
I am moving this BZ to python-networking-ovn to track this issue.


Comment 17 Lon Hohberger 2019-12-09 19:53:12 UTC
This has been tested to work with the current builds of openvswitch2.11 and ovn2.11 available from the Fast Datapath for RHEL8 repository.
