Juniper Openstack

Incorrect vrf translations done if policy has multiple services for a specific port

Series r3.0.3.x
Bug #1647500

Bug #1647500 reported by amit surana on 2016-12-05

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R3.0	Fix Committed	High	Sahil Sabharwal	Juniper Openstack r3.0.4.0
R3.0.3.x	Fix Committed	High	Sahil Sabharwal	Juniper Openstack r3.0.3.3
R3.1	Fix Committed	High	Sahil Sabharwal	Juniper Openstack r3.1.2.0
R3.2	Fix Committed	High	Sahil Sabharwal	Juniper Openstack r3.2.0.0-fcs "r3.2.0.0"
Trunk	Fix Committed	High	Sahil Sabharwal	Juniper Openstack r4.0.0.0-fcs "r4.0.0.0"

Bug Description

consider a network policy of type:

pass protocol any network serial-left ports any <> network serial-right ports [ 5100 ] services serial-1,serial-2

serial-1 and serial-2 are both in-network services. Return traffic is returned from serial-2 directly to the client causing invalid source drops in vRouter. The issue seems to be with the interface ACL which are missing an ACE for source port 5100. As such, wrong vrf translations are being done.

On compute running serial-2:

    Index Source:Port/Destination:Port Proto(V)
-----------------------------------------------------------------------------------
    82484<=>140580 1.1.1.5:1101 17 (7->10)
                         2.2.2.5:5100
(Gen: 2, K(nh):107, Action:F, Flags:, QOS:-1, S(nh):18, Stats:157/4396, SPort 53679 TTL 0)

140580<=>82484 2.2.2.5:5100 17 (7)
1.1.1.5:1101
(Gen: 2, K(nh):107, Action:F, Flags:, QOS:-1, S(nh):107, Stats:157/10990, SPort 56682 TTL 0)

185640<=>228540 1.1.1.5:1101 17 (6->19)
2.2.2.5:5100
(Gen: 1, K(nh):129, Action:F, Flags:, QOS:-1, S(nh):129, Stats:157/6594, SPort 59791 TTL 0)

228540<=>185640 2.2.2.5:5100 17 (6)
1.1.1.5:1101
(Gen: 1, K(nh):129, Action:F, Flags:, QOS:-1, S(nh):20, Stats:157/8792, SPort 56481 TTL 0)

2nd flow should've been 7->10 and 4th flow should've been 6->19; instead the packet is routed in the primary VRF directly to the client.

Tags:

Hari Prasad Killi (haripk) on 2016-12-07

tags:	added: config
tags:	removed: vrouter

Nischal Sheth (nsheth) on 2016-12-07

tags:

added: service-chain

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-14: [Review update] R3.2

Review in progress for https://review.opencontrail.org/27226
Submitter: <email address hidden> (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-14: A change has been merged

Reviewed: https://review.opencontrail.org/27226
Committed: http://github.org/Juniper/contrail-controller/commit/c089528905b7199b153e2d8d639896bb0fa170fc
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit c089528905b7199b153e2d8d639896bb0fa170fc
Author: Sahil Sabharwal <email address hidden>
Date: Tue Dec 13 16:13:46 2016 -0800

Added match condition when service interface->left

Submitting it for R3.2 branch without unit test.
Will add it for master and other affected branches.

Change-Id: Ib4156c241b70f6ab57aa322c7cad175f1e6dd192
Closes-Bug: 1647500

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-15: [Review update] R3.0

Review in progress for https://review.opencontrail.org/27348
Submitter: <email address hidden> (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-15: [Review update] R3.1

Review in progress for https://review.opencontrail.org/27349
Submitter: <email address hidden> (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-15: [Review update] R3.0.3.x

Review in progress for https://review.opencontrail.org/27350
Submitter: <email address hidden> (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-16: A change has been merged

#10

Reviewed: https://review.opencontrail.org/27348
Committed: http://github.org/Juniper/contrail-controller/commit/21fa07e9c9d260c6dcca929b2c20ffe397212398
Submitter: Zuul (<email address hidden>)
Branch: R3.0

commit 21fa07e9c9d260c6dcca929b2c20ffe397212398
Author: Sahil Sabharwal <email address hidden>
Date: Tue Dec 13 16:13:46 2016 -0800

Added match condition when service interface->left

Submitting it for R3.2 branch without unit test.
Will add it for master and other affected branches.

Change-Id: Ib4156c241b70f6ab57aa322c7cad175f1e6dd192
Closes-Bug: 1647500
(cherry picked from commit c089528905b7199b153e2d8d639896bb0fa170fc)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-16:

#11

Reviewed: https://review.opencontrail.org/27349
Committed: http://github.org/Juniper/contrail-controller/commit/656659fee8ea12844a138e74603405f6def6fd25
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit 656659fee8ea12844a138e74603405f6def6fd25
Author: Sahil Sabharwal <email address hidden>
Date: Tue Dec 13 16:13:46 2016 -0800

Added match condition when service interface->left

Submitting it for R3.2 branch without unit test.
Will add it for master and other affected branches.

Change-Id: Ib4156c241b70f6ab57aa322c7cad175f1e6dd192
Closes-Bug: 1647500
(cherry picked from commit c089528905b7199b153e2d8d639896bb0fa170fc)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-21: [Review update] master

#12

Review in progress for https://review.opencontrail.org/27493
Submitter: <email address hidden> (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-23: A change has been merged

#20

Reviewed: https://review.opencontrail.org/27493
Committed: http://github.org/Juniper/contrail-controller/commit/cf90a93e25527b83311d2e49f78d2ec6a885553d
Submitter: Zuul (<email address hidden>)
Branch: master

commit cf90a93e25527b83311d2e49f78d2ec6a885553d
Author: Sahil Sabharwal <email address hidden>
Date: Tue Dec 13 16:13:46 2016 -0800

Added match condition when service interface->left

Added unit test case for master branch.

Change-Id: Ib4156c241b70f6ab57aa322c7cad175f1e6dd192
Closes-Bug: 1647500

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-02-06:

#21

Reviewed: https://review.opencontrail.org/27350
Committed: http://github.org/Juniper/contrail-controller/commit/d567f424abfcc5eb53a3fab99167c84492d030b0
Submitter: Zuul (<email address hidden>)
Branch: R3.0.3.x

commit d567f424abfcc5eb53a3fab99167c84492d030b0
Author: Sahil Sabharwal <email address hidden>
Date: Tue Dec 13 16:13:46 2016 -0800

Added match condition when service interface->left

Submitting it for R3.2 branch without unit test.
Will add it for master and other affected branches.

Change-Id: Ib4156c241b70f6ab57aa322c7cad175f1e6dd192
Closes-Bug: 1647500
(cherry picked from commit c089528905b7199b153e2d8d639896bb0fa170fc)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.