Policy rule change does not affect active flows.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R2.20 | Fix Released | Medium | RAVI KIRAN |
R2.22.x | Fix Released | Medium | RAVI KIRAN |
R3.0 | Fix Committed | Medium | RAVI KIRAN |
Trunk | Fix Committed | Medium | RAVI KIRAN |
Bug Description
Change in policy rule does not affect traffic on active flows.
Steps to reproduce:
1. create a VN "vn-1"
2. create a Policy with rule:
   source vn - vn-1
   dest-vn - vn-1
   protocol - ICMP
   action - deny
3. create two VMs "vm-11" and "vm-12" in "vn-1"
4. start ping to vm-12 from vm-11
5. packets should get dropped.
6. a drop flow should get created which shows the action as "Dropped by Policy" - D(Policy)
7. agent introspect page should show the policy action for ICMP as drop
8. change the rule action to "PASS" from "DENY"
9. agent introspect page shows the policy action for ICMP as "pass"
10. but packets are still not allowed and the flow still shows as dropped - "Dropped by Policy" - D(Policy):
root@nodec55:~# flow -l
Flow table(size 68157440, entries 532480)
Entries: Created 6 Added 6 Processed 6 Used Overflow entries 0
(Created Flows/CPU: 1 1 2 2)(oflows 0)
Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
Other:
Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified
TCP(r=reverse)
Index Source:Port Destination:Port Proto(V)
-------
326684<=>355124 17.1.1.3:54272 17.1.1.4:0 1 (1)
(K(nh):36, Action:D(Policy), Flags:, S(nh):36, Stats:206/20188, SPort:61506)
355124<=>326684 17.1.1.4:54272 17.1.1.3:0 1 (1)
(K(nh):14, Action:D(Policy), Flags:, S(nh):14, Stats:0/0, SPort:49907)
root@nodec55:~#
11. if we stop and restart the ping, i.e. when new flows get created, the new flows take up the proper action of pass. So only "live flows" are not affected by a change in policy rules:
root@nodec55:~# flow -l
Flow table(size 68157440, entries 532480)
Entries: Created 7 Added 7 Processed 7 Used Overflow entries 0
(Created Flows/CPU: 2 1 2 2)(oflows 0)
Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
Other:
Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified
TCP(r=reverse)
Index Source:Port Destination:Port Proto(V)
-------
64912<=>481500 17.1.1.4:54528 17.1.1.3:0 1 (1)
(K(nh):14, Action:F, Flags:, S(nh):14, Stats:4/392, SPort:59060)
326684<=>355124 17.1.1.3:54272 17.1.1.4:0 1 (1)
(K(nh):36, Action:D(Policy), Flags:, S(nh):36, Stats:436/42728, SPort:61506)
355124<=>326684 17.1.1.4:54272 17.1.1.3:0 1 (1)
(K(nh):14, Action:D(Policy), Flags:, S(nh):14, Stats:0/0, SPort:49907)
481500<=>64912 17.1.1.3:54528 17.1.1.4:0 1 (1)
(K(nh):36, Action:F, Flags:, S(nh):36, Stats:4/392, SPort:56645)
root@nodec55:~#
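The check a practitioner wants after steps 10 and 11 is a way to pick out, from a `flow -l` dump, flows that still carry a cached policy deny while a newer flow between the same endpoints is forwarded. The following is an added example, not code from this bug report or from Contrail: a small Python parser for the two-line `flow -l` entry layout shown above (header line with `index<=>rindex src:port dst:port proto (vrf)`, detail line carrying `Action:` and `Stats:`), fed the step 11 dump copied from the report. It assumes IPv4 addresses and that layout; the function names and the grouping rule (unordered endpoint pair plus protocol) are the example's own.

```python
import re
import sys
from dataclasses import dataclass

# Step 11 `flow -l` output copied from the bug report above, embedded so the
# check runs offline. Assumed layout: one header line per entry followed by
# one detail line carrying the Action: and Stats: fields.
FLOW_DUMP_AFTER_RESTART = """\
Flow table(size 68157440, entries 532480)
Entries: Created 7 Added 7 Processed 7 Used Overflow entries 0
Index Source:Port Destination:Port Proto(V)
-------
64912<=>481500 17.1.1.4:54528 17.1.1.3:0 1 (1)
(K(nh):14, Action:F, Flags:, S(nh):14, Stats:4/392, SPort:59060)
326684<=>355124 17.1.1.3:54272 17.1.1.4:0 1 (1)
(K(nh):36, Action:D(Policy), Flags:, S(nh):36, Stats:436/42728, SPort:61506)
355124<=>326684 17.1.1.4:54272 17.1.1.3:0 1 (1)
(K(nh):14, Action:D(Policy), Flags:, S(nh):14, Stats:0/0, SPort:49907)
481500<=>64912 17.1.1.3:54528 17.1.1.4:0 1 (1)
(K(nh):36, Action:F, Flags:, S(nh):36, Stats:4/392, SPort:56645)
"""

# Header line: "<index><=><rindex> <src>:<sport> <dst>:<dport> <proto> (<vrf>)".
# IPv4 only, as in the report; for ICMP the "port" is the ICMP id.
ENTRY_RE = re.compile(
    r"^\s*(?P<index>\d+)<=>(?P<rindex>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\d+)\s+\((?P<vrf>\d+)\)")
# Detail line fields; searched rather than matched so extra fields
# (e.g. a leading "Gen:" in other vRouter versions) do not break parsing.
ACTION_RE = re.compile(r"Action:(?P<action>[A-Za-z]+(?:\([^)]*\))?)")
STATS_RE = re.compile(r"Stats:(?P<pkts>\d+)/(?P<nbytes>\d+)")


@dataclass
class Flow:
    index: int
    rindex: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    vrf: int
    action: str
    pkts: int
    nbytes: int


def parse_flow_dump(text):
    """Turn a `flow -l` dump into Flow records (one per table entry)."""
    flows, pending = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = m.groupdict()   # header seen, wait for its detail line
            continue
        if pending is None:
            continue                  # banner / column-header lines
        a, s = ACTION_RE.search(line), STATS_RE.search(line)
        if a and s:
            flows.append(Flow(int(pending["index"]), int(pending["rindex"]),
                              pending["src"], int(pending["sport"]),
                              pending["dst"], int(pending["dport"]),
                              int(pending["proto"]), int(pending["vrf"]),
                              a["action"], int(s["pkts"]), int(s["nbytes"])))
            pending = None
    return flows


def policy_dropped(flows):
    """All entries the vRouter is dropping because of policy (D(Policy))."""
    return [f for f in flows if f.action == "D(Policy)"]


def stale_policy_drops(flows):
    """Group entries by unordered endpoint pair and protocol. A group that
    holds both D(Policy) and F entries means the policy now passes this
    traffic but an older flow still carries the cached deny: the symptom
    of step 11. A group that is only D(Policy) (step 10) cannot be judged
    from the dump alone; compare it against the agent introspect action."""
    groups = {}
    for f in flows:
        groups.setdefault((frozenset((f.src, f.dst)), f.proto), []).append(f)
    stale = []
    for members in groups.values():
        actions = {f.action for f in members}
        if "D(Policy)" in actions and "F" in actions:
            stale.extend(f for f in members if f.action == "D(Policy)")
    return stale


if __name__ == "__main__":
    # "flow -l | python3 check_stale.py -" reads a live dump; no argument
    # uses the embedded sample from the report.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else FLOW_DUMP_AFTER_RESTART
    for f in stale_policy_drops(parse_flow_dump(text)):
        print(f"stale deny: flow {f.index}<=>{f.rindex} {f.src}:{f.sport} -> "
              f"{f.dst}:{f.dport} proto {f.proto} still {f.action}, "
              f"{f.pkts} pkts dropped on this flow")
```

On the step 11 dump this reports the original pair 326684<=>355124 as a stale deny while the re-created pair 64912<=>481500 forwards; on the step 10 dump it reports nothing, because every entry for that endpoint pair is still D(Policy) and only the introspect page shows that the rule has already changed.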
tags: added: policy regression
description: updated
no longer affects: juniperopenstack/r2.21.x
no longer affects: juniperopenstack/r3.0
information type: Proprietary → Public
Review in progress for https://review.opencontrail.org/19931
Submitter: RAVI KIRAN (<email address hidden>)