FWaaS - New blocking rules have no effect on existing traffic
Bug #1386543 reported by Itzik Brown
This bug report is a duplicate of:
Bug #1474279: FWaaS leaves connection open if allow rule is deleted, because of conntrack.
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | New | Undecided | Unassigned |
Bug Description
When building a firewall with a rule to block specific traffic, the current traffic is not blocked.
For example:
Running a ping to an instance and then building a firewall with a rule to block ICMP to this instance has no effect while the ping command is still running.
Exiting the command and then trying to ping the instance again shows the desired result, i.e. the traffic is blocked.
This is also the case for SSH.
Changed in neutron:
- importance: Undecided → High
- tags: added: fwaas

Changed in neutron:
- assignee: badveli_vishnuus (badveli-vishnuus) → nobody
- status: Triaged → New
- status: New → Incomplete
- importance: High → Undecided
- status: Incomplete → New
- status: New → Incomplete

Changed in neutron:
- status: Incomplete → New
This is related to the use of the underlying iptables library. A similar bug has been filed for SG: https://bugs.launchpad.net/neutron/+bug/1335375
A common solution will work in both cases.
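The behaviour reported above and the conntrack explanation in the comment, as an added model (not Neutron or FWaaS code): an iptables-style chain whose first rule accepts any packet belonging to a connection already in the conntrack table, so a DROP rule inserted later never sees the running ping until that flow's conntrack entry is removed. The `Flow`, `Rule` and `Firewall` classes, the `10.0.0.5` address and the `flush` option are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    proto: str  # "icmp" or "tcp" (constructed model, not real packets)
    dst: str    # destination instance address


@dataclass
class Rule:
    action: str                # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # None matches any protocol
    dst: Optional[str] = None    # None matches any destination

    def matches(self, f: Flow) -> bool:
        return self.proto in (None, f.proto) and self.dst in (None, f.dst)


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=list)
    conntrack: Set[Flow] = field(default_factory=set)  # known connections

    def filter(self, f: Flow) -> str:
        """Verdict for one packet; an ACCEPT creates the conntrack entry."""
        # First rule of the chain: ESTABLISHED/RELATED -> ACCEPT. This is
        # what lets an already-running ping bypass rules added afterwards.
        if f in self.conntrack:
            return "ACCEPT"
        for r in self.rules:
            if r.matches(f):
                if r.action == "ACCEPT":
                    self.conntrack.add(f)
                return r.action
        return "DROP"  # default policy

    def add_block(self, proto: str, dst: str, flush: bool) -> None:
        """Insert a DROP rule. With flush=True, also remove the conntrack
        entries the new rule matches (the mitigation the bug calls for)."""
        rule = Rule("DROP", proto, dst)
        self.rules.insert(0, rule)
        if flush:
            self.conntrack = {f for f in self.conntrack if not rule.matches(f)}


def demo(flush: bool) -> List[str]:
    """Verdicts for the running ping before and after the block rule."""
    fw = Firewall([Rule("ACCEPT")])          # allow-all, as before the change
    ping = Flow("icmp", "10.0.0.5")
    before = fw.filter(ping)                 # ping is running: entry created
    fw.add_block("icmp", "10.0.0.5", flush)  # operator adds the ICMP block
    return [before, fw.filter(ping)]
```

`demo(False)` reproduces the report (the ping stays accepted); `demo(True)` shows the rule taking effect once the flow's conntrack entry is gone.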