[Build 12]:Ubuntu:SG: inconsistent traffic flow behavior with only ingress and only egress rule on diff VMs

Bug #1323242 reported by alok kumar
Heat: 6
This bug affects 1 person

Affects              Status                     Importance   Assigned to   Milestone
Juniper Openstack    Status tracked in Trunk
  R1.1               Won't Fix                  High         Naveen N
  Trunk              New                        Medium       Naveen N

Bug Description

test steps:
1. Create 2 security groups, "onlyEgress" (allow all egress) and "onlyIngress" (allow all ingress).
2. Have 2 VNs, each having 1 VM (say vm1-vn1 and vm1-vn2).
3. Attach SG onlyEgress to vm1-vn2 and SG onlyIngress to vm1-vn1.
4. Ping from vm1-vn1 to vm1-vn2 and vice versa.

expected result:
traffic vm1-vn2 ------> vm1-vn1 should be allowed
traffic vm1-vn1 ------> vm1-vn2 should be denied

But sometimes traffic is ALLOWED from both sides, and sometimes traffic both ways is DENIED.

Naveen has debugged the issue, and as per his comments it's because of the same ICMP id being allotted to traffic from both sides.

setup info:
env.roledefs = {
    'all': [host1,host2,host3,host4,host5],
    'cfgm': [host1,host2,host5],
    'openstack':[host2],
    'control': [host2,host1],
    'compute': [host3,host4],
    'collector': [host2,host1],
    'webui': [host1],
    'database': [host1,host2],
    'build': [host_build],
}

env.hostnames = {
    'all': ['nodeh1', 'nodeg18', 'nodeh8', 'nodec11', 'nodec12']
}

alok kumar (kalok)
tags: added: security-groups sg-rules vnsw-agent
removed: groups rules security sg
alok kumar (kalok)
Changed in juniperopenstack:
importance: Undecided → High
Revision history for this message
Naveen N (naveenn) wrote :

1> Vrouter uses the ICMP id as part of the flow key.

2> If ping is initiated between two VMs from both sides, and if they use the same ICMP id, then there will be a flow key
   collision: instead of creating two forward and two reverse flows, vrouter ends up creating only
   one forward and one reverse flow.

In the problematic scenario:
  * VM1 to VM2 traffic was allowed
  * VM2 to VM1 traffic was denied.

Ping was started from VM2 to VM1 using ICMP id X; traffic was denied as per the SG rule.
Ping was started from VM1 to VM2 using the same ICMP id X; vrouter evaluated the SG rule and
set the action as forward. And traffic started passing in both directions.
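
The collision Naveen describes, as a toy Python model added here for illustration (it is not vrouter code and not part of this report). It assumes a flow entry keyed on (src, dst, proto, icmp_id), that a new session installs a forward and a reverse entry carrying the SG action decided for the initiator, and that installing over an existing key overwrites that entry's action; the VM and security group names are the ones from the test steps, and the ICMP ids 7 and 8 are constructed.

```python
"""Toy model of a flow table that keys ICMP flows on the ICMP identifier.

Constructed illustration of the bug in this report; it is not vrouter code.
Assumptions: a flow entry is keyed on (src, dst, proto, icmp_id), a new
session installs a forward and a reverse entry carrying the same action,
and installing over an existing key replaces that entry's action.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    proto: str
    icmp_id: int  # echo request and echo reply share this identifier


@dataclass(frozen=True)
class SecurityGroup:
    allow_ingress: bool
    allow_egress: bool


# The two groups from the test steps: "onlyEgress" and "onlyIngress".
ONLY_EGRESS = SecurityGroup(allow_ingress=False, allow_egress=True)
ONLY_INGRESS = SecurityGroup(allow_ingress=True, allow_egress=False)


def sg_action(policy, src, dst):
    """A session is forwarded only if the initiator may send and the responder may receive."""
    if policy[src].allow_egress and policy[dst].allow_ingress:
        return "forward"
    return "drop"


class FlowTable:
    def __init__(self):
        self.entries = {}

    def start_ping(self, policy, src, dst, icmp_id):
        """Model the first echo request of a ping session hitting the datapath."""
        action = sg_action(policy, src, dst)
        fwd = FlowKey(src, dst, "icmp", icmp_id)
        rev = FlowKey(dst, src, "icmp", icmp_id)
        # Assumption: both entries take the action decided for the initiator,
        # and an existing entry with the same key is simply overwritten.
        self.entries[fwd] = action
        self.entries[rev] = action
        return action

    def action_for(self, src, dst, icmp_id):
        return self.entries[FlowKey(src, dst, "icmp", icmp_id)]


def run_scenario(first, second, policy):
    """Start two ping sessions in the given order and report how many flow
    entries exist and what each session's request packets get once both
    sessions are present.  Each session is a (src, dst, icmp_id) tuple."""
    table = FlowTable()
    table.start_ping(policy, *first)
    table.start_ping(policy, *second)
    return {
        "flow_entries": len(table.entries),
        "first": table.action_for(*first),
        "second": table.action_for(*second),
    }


POLICY = {"vm1-vn1": ONLY_INGRESS, "vm1-vn2": ONLY_EGRESS}
ALLOWED = ("vm1-vn2", "vm1-vn1")  # should be forwarded per the SG rules
DENIED = ("vm1-vn1", "vm1-vn2")   # should be dropped per the SG rules

if __name__ == "__main__":
    # Same ICMP id on both sides: the outcome depends on who pinged first,
    # and only 2 entries exist instead of 4.
    print(run_scenario(DENIED + (7,), ALLOWED + (7,), POLICY))
    print(run_scenario(ALLOWED + (7,), DENIED + (7,), POLICY))
    # Distinct ids: four entries, and each session is judged on its own.
    print(run_scenario(DENIED + (7,), ALLOWED + (8,), POLICY))
```

Running it shows the two inconsistent outcomes from the description: with a shared id, whichever side pings second decides the action for both sessions (both forwarded, or both dropped), while distinct ids give four entries and the expected allow/deny split.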

Changed in juniperopenstack:
milestone: none → r1.06-fcs
Changed in juniperopenstack:
milestone: r1.06-fcs → r1.10-fcs
Changed in juniperopenstack:
assignee: nobody → N.Naveen (nnaveen-cse)
assignee: N.Naveen (nnaveen-cse) → Naveen N (naveenn)
information type: Private Security → Public
tags: added: note release
tags: added: releasenote
removed: note release
Revision history for this message
alok kumar (kalok) wrote :

As per Naveen, he has the fix and was about to commit it in R1.1.

Hi Alok,

Yes I have raised a review request in mainline, I will commit to R1.1 today.

Regards
Naveen N
On Aug 19, 2014, at 11:17 PM, Alok Kumar (R&D) <email address hidden> wrote:

Naveen,

https://bugs.launchpad.net/juniperopenstack/+bug/1323242

Is this bug fixed or planned to fix for R1.10?

-Alok

tags: removed: releasenote