Flow handling, application of the security group bug

[Shurik12]

Description:

1. Create ipam: ipam
2. Create 2 networks: network1 (192.168.95.), network2 (192.168.96.)
3. Create Logical Router: logical_router
4. Create security group (egress IPv4 network 0.0.0.0/0 protocol any ports any ingress IPv4 network 0.0.0.0/0 protocol tcp ports any): security_group
5. Created 5 ports: 192.168.95.10, 192.168.95.20, 192.168.96.30, 192.168.96.40, 192.168.95.50
6. Apply security group to the port 192.168.95.10
7. Create virtual machine for each port

vm1: subnet-192.168.95.10 hypervisor- az-agent-1,
vm2: subnet-192.168.95.20 hypervisor- az-agent-1,
vm3: subnet-192.168.96.30 hypervisor- az-agent-1,
vm4: subnet-192.168.96.40 hypervisor- az-agent-2,
vm5: subnet-192.168.95.50 hypervisor- az-agent-2.

Send ping and udp from other vm's to vm1
ping 192.168.95.10
echo "Hello UDP" | nc -u 192.168.95.10 22
From vm2, vm4, vm5 traffic was blocked (expected behavior)
But from vm3 traffic was passed (incorrect)

1 hypervisor 2 networks.log

[mkraposhin]

Which version of OpenSDN did you use? 2024? master?

[Shurik12]

Master.
Can you check is it reproduced in your environment?

[mkraposhin]

Certainly, I can. But this will take some time.

[mkraposhin]

Are network1 (192.168.95.0/24) and network2 (192.168.96.0/24) subnetworks of the same virtual network? Or they are different virtual networks joined using a VxLAN LR?

[Shurik12]

They are different networks. Yes, connection is through logical router

[mkraposhin]

Sir, I confirm this inappropriate behaviour, thank you for reporting it.

[Shurik12]

This gerrit2029 is the possible fix for this issue

[mkraposhin]

Many thanks for the commit. While I recommended accepting the commit without changes, I strongly encourage to create a unit test that will protect this valuable changes from intended deletion in the future.