With SG allowing one-way traffic, onward traffic can get discarded due to stale flow entry

Bug #1623426 reported by Vedamurthy Joshi
This bug affects 2 people
Affects              Status         Importance  Assigned to  Milestone
Juniper Openstack    Fix Committed  High        Praveen      (status tracked in Trunk)
  R3.0               Fix Committed  High        Praveen
  R3.0.3.x           Fix Committed  High        Praveen
  R3.1               Fix Committed  High        Praveen
  Trunk              Fix Committed  High        Praveen

Bug Description

R3.1 (2.2x as well)
Case was suggested by Praveen

Have an SG which allows only egress traffic from a VM.

Ex (sg1): Egress IPv4 UDP 1-65535 10.1.1.6/32

Apply sg1 to 10.1.1.4/32
On 10.1.1.6/32, have an SG which allows traffic to/from 10.1.1.4

1) From 10.1.1.4, send traffic to 10.1.1.6, which works. Clear the flows.
2) Now, from 10.1.1.6, send traffic to 10.1.1.4 so that it hits the earlier flow. The flows created, similar to those in Step 1, are now marked discard.
3) Now, send the same traffic as in Step 1, which will fail until the discard-marked rules are deleted.

Ex:
From 10.1.1.4, hping3 -p 22 --udp 10.1.1.6 -s 10000 -c 10 --keep
From 10.1.1.6, hping3 -p 10000 --udp 10.1.1.4 -s 22 -c 10 --keep

root@nodek1:~# flow -l --match "10.1.1.4:10000 & proto udp"
Flow table(size 80609280, entries 629760)

Entries: Created 23369 Added 23388 Processed 23369 Used Overflow entries 0
(Created Flows/CPU: 11128 2862 1015 920 807 399 782 752 48 23 30 50 23 25 28 40 645 599 548 585 480 111 798 512 1 80 8 33 16 3 5 13)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

Listing flows matching ([10.1.1.4]:10000, Protocol UDP)

    Index                Source:Port/Destination:Port                      Proto(V)
-----------------------------------------------------------------------------------
   145920<=>257884       10.1.1.6:22                                        17 (5)
                         10.1.1.4:10000
(Gen: 7, K(nh):43, Action:D(SG), Flags:, QOS:-1, S(nh):20, Stats:3/126, SPort 51111 TTL 0)

   257884<=>145920       10.1.1.4:10000                                     17 (5)
                         10.1.1.6:22
(Gen: 7, K(nh):43, Action:D(Unknown), Flags:, QOS:-1, S(nh):43, Stats:0/0, SPort 53858 TTL 0)

root@nodek1:~#

Tags: vrouter
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/24203
Submitter: Naveen N (<email address hidden>)

Jeba Paulaiyan (jebap)
Changed in juniperopenstack:
milestone: none → r3.2.0.0-fcs
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/24746
Submitter: Naveen N (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/24747
Submitter: Naveen N (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/24203
Committed: http://github.org/Juniper/contrail-controller/commit/19c762315f578a07567713ae265568cc0f7e6640
Submitter: Zuul
Branch: master

commit 19c762315f578a07567713ae265568cc0f7e6640
Author: Naveen N <email address hidden>
Date: Fri Sep 16 12:32:05 2016 +0530

* Trap reverse flow for SG evaluation

If egress SG ACL says packet is denied and ingress ACL
allows the packet, mark the packet for Trap so that
if traffic flows in reverse direction traffic would be allowed.

Change-Id: I47db10f599e8147b5b4a2135bed2bb5597a98a2b
Closes-bug:#1623426
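The three-step sequence in the bug description and the trap approach in this commit message, modelled as an added Python simulation. This is constructed example code, not contrail-vrouter or agent code: the Rule, SecurityGroup, VRouter and reproduce names, the "T" (trap) action value, and the choice to evaluate the source VM's egress rules plus the destination VM's ingress rules per direction are assumptions of the model. The addresses, ports, SG rules and the D(SG) / D(Unknown) actions are taken from the report above.

```python
# Constructed simulation of the flow-pair / security-group interaction in
# bug 1623426. Not contrail-vrouter or contrail-controller agent code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "egress" or "ingress", relative to the VM owning the SG
    proto: str
    port_lo: int
    port_hi: int
    remote: str      # CIDR of the remote endpoint

    def matches(self, direction, proto, dport, remote_ip):
        return (self.direction == direction and self.proto == proto
                and self.port_lo <= dport <= self.port_hi
                and ip_address(remote_ip) in ip_network(self.remote))


class SecurityGroup:
    def __init__(self, *rules):
        self.rules = rules

    def allows(self, direction, proto, dport, remote_ip):
        return any(r.matches(direction, proto, dport, remote_ip) for r in self.rules)


FORWARD, DROP, TRAP = "F", "D", "T"   # F and D as in `flow -l`; T is the modelled trap state


class VRouter:
    """Flow table keyed on (src, sport, dst, dport, proto). A flow is always
    installed together with its reverse flow, as the real flow table does."""

    def __init__(self, sgs, trap_fix):
        self.sgs = sgs            # VM ip -> SecurityGroup applied to that VM
        self.trap_fix = trap_fix  # False = behaviour reported, True = commit's approach
        self.flows = {}           # key -> (action, reason)

    @staticmethod
    def reverse(key):
        src, sport, dst, dport, proto = key
        return (dst, dport, src, sport, proto)

    def evaluate(self, key):
        """Both the source VM's egress rules and the destination VM's ingress
        rules must allow the packet (assumed evaluation order)."""
        src, sport, dst, dport, proto = key
        egress_ok = self.sgs[src].allows("egress", proto, dport, dst)
        ingress_ok = self.sgs[dst].allows("ingress", proto, dport, src)
        return egress_ok, ingress_ok

    def install(self, key):
        egress_ok, ingress_ok = self.evaluate(key)
        if egress_ok and ingress_ok:
            self.flows[key] = (FORWARD, "")
            self.flows[self.reverse(key)] = (FORWARD, "")
        else:
            self.flows[key] = (DROP, "SG")               # shown as D(SG) in the report
            # Reported behaviour: the reverse flow inherits a drop with no SG
            # evaluation of its own (D(Unknown)), and any later packet in that
            # direction hits this stale entry. With the fix, an asymmetric
            # verdict (one ACL allows, the other denies) marks the reverse flow
            # for trap, so its first packet is evaluated instead of discarded.
            if self.trap_fix and egress_ok != ingress_ok:
                self.flows[self.reverse(key)] = (TRAP, "SG")
            else:
                self.flows[self.reverse(key)] = (DROP, "Unknown")
        return self.flows[key][0]

    def packet(self, src, sport, dst, dport, proto="udp"):
        key = (src, sport, dst, dport, proto)
        if key not in self.flows:
            return self.install(key)          # flow miss: agent evaluates SGs
        action, _ = self.flows[key]
        if action == TRAP:
            return self.install(key)          # trapped: agent evaluates this direction
        return action                         # flow hit: stale action applies as-is

    def clear_flows(self):
        self.flows.clear()


def reproduce(trap_fix):
    """Steps 1-3 of the report; returns the action applied at each step."""
    vm4, vm6 = "10.1.1.4", "10.1.1.6"
    sgs = {
        # sg1: Egress IPv4 UDP 1-65535 10.1.1.6/32, applied to 10.1.1.4
        vm4: SecurityGroup(Rule("egress", "udp", 1, 65535, "10.1.1.6/32")),
        # on 10.1.1.6: allow traffic to/from 10.1.1.4
        vm6: SecurityGroup(Rule("ingress", "udp", 1, 65535, "10.1.1.4/32"),
                           Rule("egress", "udp", 1, 65535, "10.1.1.4/32")),
    }
    vr = VRouter(sgs, trap_fix)
    step1 = vr.packet(vm4, 10000, vm6, 22)   # hping3 -p 22 --udp 10.1.1.6 -s 10000
    vr.clear_flows()
    step2 = vr.packet(vm6, 22, vm4, 10000)   # hping3 -p 10000 --udp 10.1.1.4 -s 22
    step3 = vr.packet(vm4, 10000, vm6, 22)   # same traffic as step 1
    return step1, step2, step3


if __name__ == "__main__":
    print("reported:", reproduce(trap_fix=False))   # ('F', 'D', 'D')
    print("with fix:", reproduce(trap_fix=True))    # ('F', 'D', 'F')
```

Without the trap, step 3 returns D because the 10.1.1.4:10000 -> 10.1.1.6:22 entry created as the reverse of the step 2 drop is matched directly; with the trap, that entry is re-evaluated on first hit and becomes a forward flow, which is the outcome the commit message describes.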

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/24746
Committed: http://github.org/Juniper/contrail-controller/commit/ee71dc01050f99bdb696d0be2e96addf66c0ef34
Submitter: Zuul
Branch: R3.1

commit ee71dc01050f99bdb696d0be2e96addf66c0ef34
Author: Naveen N <email address hidden>
Date: Fri Sep 16 12:32:05 2016 +0530

* Trap reverse flow for SG evaluation

If egress SG ACL says packet is denied and ingress ACL
allows the packet, mark the packet for Trap so that
if traffic flows in reverse direction traffic would be allowed.

Change-Id: I47db10f599e8147b5b4a2135bed2bb5597a98a2b
Closes-bug:#1623426

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/24747
Committed: http://github.org/Juniper/contrail-controller/commit/91442d865ed9bc3963c5e99c49a845292e5a82a8
Submitter: Zuul
Branch: R3.0

commit 91442d865ed9bc3963c5e99c49a845292e5a82a8
Author: Naveen N <email address hidden>
Date: Fri Sep 16 12:32:05 2016 +0530

* Trap reverse flow for SG evaluation

If egress SG ACL says packet is denied and ingress ACL
allows the packet, mark the packet for Trap so that
if traffic flows in reverse direction traffic would be allowed.

Change-Id: I47db10f599e8147b5b4a2135bed2bb5597a98a2b
Closes-bug:#1623426

Abhay Joshi (abhayj) wrote : Re: [Bug 1623426] Re: With SG allowing one-way traffic, onward traffic can get discarded due to stale flow entry

I will be out of office till 16th October 2016, back in office on 17th October 2016.
For any assistance with Server Manager, please send email to “<email address hidden>”.

Thanks,

Abhay

On Oct 13, 2016, at 6:35 AM, Vinay Mahuli <email address hidden> wrote:

> ** Changed in: juniperopenstack/r3.0
>    Milestone: None => r3.0.4.0
>
> ** Also affects: juniperopenstack/r3.0.3.x
>   Importance: Undecided
>       Status: New
>
> ** Changed in: juniperopenstack/r3.0.3.x
>    Milestone: None => r3.0.3.1
>
> ** Changed in: juniperopenstack/r3.0.3.x
>   Importance: Undecided => High
>
> ** Changed in: juniperopenstack/r3.0.3.x
>       Status: New => Fix Committed
>
> ** Changed in: juniperopenstack/r3.0.3.x
>     Assignee: (unassigned) => Praveen (praveen-karadakal)
>
> --
> You received this bug notification because you are a member of Contrail
> Systems engineering, which is subscribed to Juniper Openstack.
> https://bugs.launchpad.net/bugs/1623426
>
