Description of problem: When we switch back and forth between stateful to stateless security group, the ACL rules in OVN are not updated. The new ACL rules are created according to the SG mode though. Version-Release number of selected component (if applicable): openstack-neutron-common-15.3.5-2.20210608154815.el8ost.4.noarch openstack-neutron-15.3.5-2.20210608154815.el8ost.4.noarch python3-neutron-15.3.5-2.20210608154815.el8ost.4.noarch openstack-neutron-ml2-15.3.5-2.20210608154815.el8ost.4.noarch How reproducible: Always Steps to Reproduce: 1. The pre created SG is stateful $ openstack security group show default -c stateful -f value True In a controller, we can list the ACLs as "allow-related" [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : e31f56a6-a373-4f0f-b690-dafd7b964d99 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="459deec0-a4b2-4c5a-af5d-fe6c66346fef"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && udp" meter : [] name : [] priority : 1002 severity : [] 2. Switch to stateless SG: $ openstack security group set --stateless default Yet, the "list ACL" command shows that the rule still uses conntrack (allow-related). 3. We create a new rule: openstack security group rule create default --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0 Actual results: The rules are a mix of allow-related and allow-stateless: [heat-admin@overcloud-controller-0 ~]$ sudo podman exec -ti ovn_controller ovn-nbctl list ACL _uuid : fb970be6-493c-424a-b133-66dcbe3aedee action : allow-stateless direction : to-lport external_ids : {"neutron:security_group_rule_id"="4ef8bc9c-7450-43c5-9878-c01037b72240"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22" meter : [] name : [] priority : 1002 severity : [] _uuid : 18cc8207-6489-49d9-bb57-31ed04b04726 action : allow-related direction : to-lport external_ids : {"neutron:security_group_rule_id"="2698c7f8-176e-4bfb-b6c6-7314272e6dd8"} log : false match : "outport == @pg_26f1270b_efaa_4948_826d_c227e7808ca5 && ip4 && ip4.src == 0.0.0.0/0 && tcp" meter : [] name : [] priority : 1002 severity : [] Expected results: All rules should be "allow-stateless" or "allow-related" when we update the security group to stateless or stateful.
The feature was is in 17.0+ only, changing version to reflect that.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:6543