OpenShift Bugs / OCPBUGS-977

SR-IOV MultiNetworkPolicy: Rules are not removed after disabling multinetworkpolicy


Details

    • Bug
    • Resolution: Done
    • Undefined
    • 4.12.z
    • 4.12.0
    • Networking / multus
    • None
    • Critical
    • CNF Network Sprint 225, CNF Network Sprint 226
    • 2
    • Rejected
    • False

    Description

      Description of problem:

      Not all rules are removed from iptables after disabling multinetworkpolicy

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      100%

      Steps to Reproduce:

      1. Configure sriov (nodepolicy + sriovnetwork)
      2. Configure 2 pods
      3. Enable MultiNetworkPolicy
      4. apply ~20 rules for pod1:
       spec:
        podSelector:
          matchLabels:
            pod: pod1
        policyTypes:
        - Ingress
        ingress: []
      5. Disable multinetworkpolicy
      6. Send ping pod2 => pod1

      Actual results:

      Traffic is still blocked

      Expected results:

      Traffic should be passed

      Additional info:

      Before disabling multiNetworkPolicy:
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default net-attach-def:ns1/sriovnetwork2" -j MULTI-0-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default24 net-attach-def:ns1/sriovnetwork2" -j MULTI-1-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default17 net-attach-def:ns1/sriovnetwork2" -j MULTI-2-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default15 net-attach-def:ns1/sriovnetwork2" -j MULTI-3-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default14 net-attach-def:ns1/sriovnetwork2" -j MULTI-4-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default7 net-attach-def:ns1/sriovnetwork2" -j MULTI-5-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default5 net-attach-def:ns1/sriovnetwork2" -j MULTI-6-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default20 net-attach-def:ns1/sriovnetwork2" -j MULTI-7-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default19 net-attach-def:ns1/sriovnetwork2" -j MULTI-8-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default11 net-attach-def:ns1/sriovnetwork2" -j MULTI-9-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default10 net-attach-def:ns1/sriovnetwork2" -j MULTI-10-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default9 net-attach-def:ns1/sriovnetwork2" -j MULTI-11-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default6 net-attach-def:ns1/sriovnetwork2" -j MULTI-12-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default3 net-attach-def:ns1/sriovnetwork2" -j MULTI-13-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default16 net-attach-def:ns1/sriovnetwork2" -j MULTI-14-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default13 net-attach-def:ns1/sriovnetwork2" -j MULTI-15-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default2 net-attach-def:ns1/sriovnetwork2" -j MULTI-16-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default22 net-attach-def:ns1/sriovnetwork2" -j MULTI-17-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default21 net-attach-def:ns1/sriovnetwork2" -j MULTI-18-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default18 net-attach-def:ns1/sriovnetwork2" -j MULTI-19-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default12 net-attach-def:ns1/sriovnetwork2" -j MULTI-20-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default8 net-attach-def:ns1/sriovnetwork2" -j MULTI-21-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default4 net-attach-def:ns1/sriovnetwork2" -j MULTI-22-INGRESS
      -A MULTI-0-INGRESS -j DROP
      -A MULTI-1-INGRESS -j DROP
      -A MULTI-2-INGRESS -j DROP
      -A MULTI-3-INGRESS -j DROP
      -A MULTI-4-INGRESS -j DROP
      -A MULTI-5-INGRESS -j DROP
      -A MULTI-6-INGRESS -j DROP
      -A MULTI-7-INGRESS -j DROP
      -A MULTI-8-INGRESS -j DROP
      -A MULTI-9-INGRESS -j DROP
      -A MULTI-10-INGRESS -j DROP
      -A MULTI-11-INGRESS -j DROP
      -A MULTI-12-INGRESS -j DROP
      -A MULTI-13-INGRESS -j DROP
      -A MULTI-14-INGRESS -j DROP
      -A MULTI-15-INGRESS -j DROP
      -A MULTI-16-INGRESS -j DROP
      -A MULTI-17-INGRESS -j DROP
      -A MULTI-18-INGRESS -j DROP
      -A MULTI-19-INGRESS -j DROP
      -A MULTI-20-INGRESS -j DROP
      -A MULTI-21-INGRESS -j DROP
      -A MULTI-22-INGRESS -j DROP
      =============================================================
      After disabling multiNetworkPolicy:
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default5 net-attach-def:ns1/sriovnetwork2" -j MULTI-0-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default24 net-attach-def:ns1/sriovnetwork2" -j MULTI-1-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default17 net-attach-def:ns1/sriovnetwork2" -j MULTI-2-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default15 net-attach-def:ns1/sriovnetwork2" -j MULTI-3-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default7 net-attach-def:ns1/sriovnetwork2" -j MULTI-4-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default3 net-attach-def:ns1/sriovnetwork2" -j MULTI-5-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default20 net-attach-def:ns1/sriovnetwork2" -j MULTI-6-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default19 net-attach-def:ns1/sriovnetwork2" -j MULTI-7-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default9 net-attach-def:ns1/sriovnetwork2" -j MULTI-8-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default6 net-attach-def:ns1/sriovnetwork2" -j MULTI-9-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default16 net-attach-def:ns1/sriovnetwork2" -j MULTI-10-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default2 net-attach-def:ns1/sriovnetwork2" -j MULTI-11-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default22 net-attach-def:ns1/sriovnetwork2" -j MULTI-12-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default21 net-attach-def:ns1/sriovnetwork2" -j MULTI-13-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default18 net-attach-def:ns1/sriovnetwork2" -j MULTI-14-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default8 net-attach-def:ns1/sriovnetwork2" -j MULTI-15-INGRESS
      -A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default4 net-attach-def:ns1/sriovnetwork2" -j MULTI-16-INGRESS
      -A MULTI-0-INGRESS -j DROP
      -A MULTI-1-INGRESS -j DROP
      -A MULTI-2-INGRESS -j DROP
      -A MULTI-3-INGRESS -j DROP
      -A MULTI-4-INGRESS -j DROP
      -A MULTI-5-INGRESS -j DROP
      -A MULTI-6-INGRESS -j DROP
      -A MULTI-7-INGRESS -j DROP
      -A MULTI-8-INGRESS -j DROP
      -A MULTI-9-INGRESS -j DROP
      -A MULTI-10-INGRESS -j DROP
      -A MULTI-11-INGRESS -j DROP
      -A MULTI-12-INGRESS -j DROP
      -A MULTI-13-INGRESS -j DROP
      -A MULTI-14-INGRESS -j DROP
      -A MULTI-15-INGRESS -j DROP
      -A MULTI-16-INGRESS -j DROP
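
An added check, not part of the original report or of the multi-networkpolicy project: it parses iptables-save style output in the format of the dumps above and lists MULTI-INGRESS jump rules whose policy is no longer expected to be enforced (pass an empty set once the feature is disabled). The names `stale_policy_rules` and `live_policies` are assumptions made for this example; the sample lines are copied from the "after" dump.

```python
import re

# Jump rule format as it appears in this report's dumps (ingress only).
JUMP_RE = re.compile(
    r'^-A MULTI-INGRESS -i (?P<iface>\S+) -m comment --comment '
    r'"policy:(?P<policy>\S+) net-attach-def:(?P<nad>[^"\s]+)" '
    r'-j (?P<chain>MULTI-\d+-INGRESS)$'
)
DROP_RE = re.compile(r'^-A (?P<chain>MULTI-\d+-INGRESS) -j DROP$')

# Excerpt of the "after disabling" dump from the report.
SAMPLE_AFTER_DISABLE = '''
-A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default5 net-attach-def:ns1/sriovnetwork2" -j MULTI-0-INGRESS
-A MULTI-INGRESS -i int1 -m comment --comment "policy:deny-by-default24 net-attach-def:ns1/sriovnetwork2" -j MULTI-1-INGRESS
-A MULTI-0-INGRESS -j DROP
-A MULTI-1-INGRESS -j DROP
'''

def stale_policy_rules(rules_text, live_policies):
    """Return one finding per jump rule whose policy is not in live_policies.

    live_policies is the set of policy names that should still be enforced
    (hypothetical input; an empty set models "feature disabled").
    """
    jumps, drop_chains = [], set()
    for raw in rules_text.splitlines():
        line = raw.strip()
        jump = JUMP_RE.match(line)
        if jump:
            jumps.append(jump.groupdict())
            continue
        drop = DROP_RE.match(line)
        if drop:
            drop_chains.add(drop.group("chain"))
    findings = []
    for j in jumps:
        if j["policy"] not in live_policies:
            # "drops" marks leftovers that still block traffic, as in the report.
            findings.append(dict(j, drops=j["chain"] in drop_chains))
    return findings

if __name__ == "__main__":
    for f in stale_policy_rules(SAMPLE_AFTER_DISABLE, set()):
        print(f'stale: policy={f["policy"]} nad={f["nad"]} iface={f["iface"]} '
              f'chain={f["chain"]} drops={f["drops"]}')
```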
      

       

          People

            apanatto@redhat.com Andrea Panattoni
            rhn-cnf-elevin Evgeny Levin
            Weibin Liang Weibin Liang