Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-977

SR-IOV MutiNetworkPolicy: Rules are not removed after disabling multinetworkpolicy

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • 4.12.z
    • 4.12.0
    • Networking / multus
    • None
    • Critical
    • None
    • CNF Network Sprint 225, CNF Network Sprint 226
    • 2
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      Not all rules removed from iptables after disabling multinetworkpolicy

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      100%

      Steps to Reproduce:

      1. Configure sriov (nodepolicy + sriovnetwork)
      2. Configure 2 pods
      3. enable MutiNetworkPolicy
      4. apply ~20 rules for pod1:
       spec:
        podSelector:
          matchLabels:
            pod: pod1
        policyTypes:
        - Ingress
        ingress: []
      5. Disable multinetworkpolicy
      6. send ping pod2 => pod1

      Actual results:

      Traffic is still blocked

      Expected results:

      Traffic should be passed

      Additional info:

      Before disabling multiNetworkPolicy:
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default net-attach-def:ns1/sriovnetwork2" -j MULTI-0-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default24 net-attach-def:ns1/sriovnetwork2" -j MULTI-1-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default17 net-attach-def:ns1/sriovnetwork2" -j MULTI-2-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default15 net-attach-def:ns1/sriovnetwork2" -j MULTI-3-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default14 net-attach-def:ns1/sriovnetwork2" -j MULTI-4-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default7 net-attach-def:ns1/sriovnetwork2" -j MULTI-5-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default5 net-attach-def:ns1/sriovnetwork2" -j MULTI-6-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default20 net-attach-def:ns1/sriovnetwork2" -j MULTI-7-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default19 net-attach-def:ns1/sriovnetwork2" -j MULTI-8-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default11 net-attach-def:ns1/sriovnetwork2" -j MULTI-9-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default10 net-attach-def:ns1/sriovnetwork2" -j MULTI-10-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default9 net-attach-def:ns1/sriovnetwork2" -j MULTI-11-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default6 net-attach-def:ns1/sriovnetwork2" -j MULTI-12-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default3 net-attach-def:ns1/sriovnetwork2" -j MULTI-13-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default16 net-attach-def:ns1/sriovnetwork2" -j MULTI-14-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default13 net-attach-def:ns1/sriovnetwork2" -j MULTI-15-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default2 net-attach-def:ns1/sriovnetwork2" -j MULTI-16-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default22 net-attach-def:ns1/sriovnetwork2" -j MULTI-17-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default21 net-attach-def:ns1/sriovnetwork2" -j MULTI-18-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default18 net-attach-def:ns1/sriovnetwork2" -j MULTI-19-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default12 net-attach-def:ns1/sriovnetwork2" -j MULTI-20-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default8 net-attach-def:ns1/sriovnetwork2" -j MULTI-21-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default4 net-attach-def:ns1/sriovnetwork2" -j MULTI-22-INGRESS
      -A MULTI-0-INGRESS -j DROP
      -A MULTI-1-INGRESS -j DROP
      -A MULTI-2-INGRESS -j DROP
      -A MULTI-3-INGRESS -j DROP
      -A MULTI-4-INGRESS -j DROP
      -A MULTI-5-INGRESS -j DROP
      -A MULTI-6-INGRESS -j DROP
      -A MULTI-7-INGRESS -j DROP
      -A MULTI-8-INGRESS -j DROP
      -A MULTI-9-INGRESS -j DROP
      -A MULTI-10-INGRESS -j DROP
      -A MULTI-11-INGRESS -j DROP
      -A MULTI-12-INGRESS -j DROP
      -A MULTI-13-INGRESS -j DROP
      -A MULTI-14-INGRESS -j DROP
      -A MULTI-15-INGRESS -j DROP
      -A MULTI-16-INGRESS -j DROP
      -A MULTI-17-INGRESS -j DROP
      -A MULTI-18-INGRESS -j DROP
      -A MULTI-19-INGRESS -j DROP
      -A MULTI-20-INGRESS -j DROP
      -A MULTI-21-INGRESS -j DROP
      -A MULTI-22-INGRESS -j DROP
      =============================================================
      After disabling multiNetworkPolicy:
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default5 net-attach-def:ns1/sriovnetwork2" -j MULTI-0-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default24 net-attach-def:ns1/sriovnetwork2" -j MULTI-1-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default17 net-attach-def:ns1/sriovnetwork2" -j MULTI-2-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default15 net-attach-def:ns1/sriovnetwork2" -j MULTI-3-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default7 net-attach-def:ns1/sriovnetwork2" -j MULTI-4-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default3 net-attach-def:ns1/sriovnetwork2" -j MULTI-5-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default20 net-attach-def:ns1/sriovnetwork2" -j MULTI-6-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default19 net-attach-def:ns1/sriovnetwork2" -j MULTI-7-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default9 net-attach-def:ns1/sriovnetwork2" -j MULTI-8-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default6 net-attach-def:ns1/sriovnetwork2" -j MULTI-9-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default16 net-attach-def:ns1/sriovnetwork2" -j MULTI-10-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default2 net-attach-def:ns1/sriovnetwork2" -j MULTI-11-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default22 net-attach-def:ns1/sriovnetwork2" -j MULTI-12-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default21 net-attach-def:ns1/sriovnetwork2" -j MULTI-13-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default18 net-attach-def:ns1/sriovnetwork2" -j MULTI-14-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default8 net-attach-def:ns1/sriovnetwork2" -j MULTI-15-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default4 net-attach-def:ns1/sriovnetwork2" -j MULTI-16-INGRESS
      -A MULTI-0-INGRESS -j DROP
      -A MULTI-1-INGRESS -j DROP
      -A MULTI-2-INGRESS -j DROP
      -A MULTI-3-INGRESS -j DROP
      -A MULTI-4-INGRESS -j DROP
      -A MULTI-5-INGRESS -j DROP
      -A MULTI-6-INGRESS -j DROP
      -A MULTI-7-INGRESS -j DROP
      -A MULTI-8-INGRESS -j DROP
      -A MULTI-9-INGRESS -j DROP
      -A MULTI-10-INGRESS -j DROP
      -A MULTI-11-INGRESS -j DROP
      -A MULTI-12-INGRESS -j DROP
      -A MULTI-13-INGRESS -j DROP
      -A MULTI-14-INGRESS -j DROP
      -A MULTI-15-INGRESS -j DROP
      -A MULTI-16-INGRESS -j DROP
      

       

              apanatto@redhat.com Andrea Panattoni
              rhn-cnf-elevin Evgeny Levin
              Weibin Liang Weibin Liang
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: