When a new port is created on the integration bridge (br-int), the firewall rules for the port are applied first, and only afterwards are all flows matching this input port deleted:
    if cur_tag != lvm.vlan:
        self.int_br.delete_flows(in_port=port.ofport)
This happens only when the port is created (or its VLAN tag changes). Any firewall rule that matches on in_port and was installed while the firewall was being initialized for this port is therefore deleted.
Instead, this flow deletion should be moved to the preceding function, "_add_port_tag_info", so that no firewall rule is deleted and the same security level is maintained during port creation: the port must not allow any kind of traffic until the firewall rules are applied.
How to reproduce:
1. Start the Neutron agent with the OVS firewall configured.
2. Wait until all OVS flows are established. You will see some flows with the condition "in_port=xx". Those are set in "initialize_port_flows", in the OVS firewall.
3. Stop the agent. No flow must be deleted. Make a capture of all the flows.
4. Restart the agent. At this point, the VLAN tag should be different from the last one assigned by the agent.
5. Now you can compare the flows in OVS to the list of flows captured in step 3.
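The comparison in step 5 is easy to get wrong by hand, because every flow line carries counters and timers that change between dumps, and the agent installs a fresh cookie on every restart. The script below is an added example (not Neutron code and not part of this report): it normalizes two captures of "ovs-ofctl dump-flows br-int", strips those volatile fields, and reports which in_port-matching flows from the step-3 capture are gone after the restart. The two embedded dumps are constructed sample data (port numbers, registers and cookies are invented), chosen so that the flows of one port disappear while the other port's flows and the default flow survive.

```python
"""Diff two `ovs-ofctl dump-flows br-int` captures and list, per in_port, the
flows that disappeared between them.  Added example, not Neutron code."""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# Fields that legitimately differ between two dumps of the same flow
# (cookie changes on every agent restart; the rest are counters/timers).
VOLATILE = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}
IN_PORT_RE = re.compile(r"(?:^|,)in_port=(\d+)(?:,|$)")

# Constructed sample capture "before" (step 3): ports 3 and 4 both have the
# table=0 dispatch flow and a table=71 firewall flow keyed on in_port.
BEFORE_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x9d2f7cfe5b4f3a49, duration=120.4s, table=0, n_packets=10, n_bytes=840, idle_age=3, priority=100,in_port=3 actions=load:0x3->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,71)
 cookie=0x9d2f7cfe5b4f3a49, duration=120.4s, table=71, n_packets=0, n_bytes=0, idle_age=120, priority=95,icmp6,reg5=0x3,in_port=3,icmp_type=130 actions=resubmit(,94)
 cookie=0x9d2f7cfe5b4f3a49, duration=118.1s, table=0, n_packets=2, n_bytes=168, idle_age=50, priority=100,in_port=4 actions=load:0x4->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,71)
 cookie=0x9d2f7cfe5b4f3a49, duration=118.1s, table=71, n_packets=0, n_bytes=0, idle_age=118, priority=95,icmp6,reg5=0x4,in_port=4,icmp_type=130 actions=resubmit(,94)
 cookie=0x9d2f7cfe5b4f3a49, duration=300.0s, table=0, n_packets=55, n_bytes=4620, idle_age=1, priority=0 actions=NORMAL
"""

# Constructed sample capture "after" (step 5): new cookie, reset counters,
# and every flow matching in_port=3 has been deleted.
AFTER_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x1c0ffee, duration=5.2s, table=0, n_packets=0, n_bytes=0, idle_age=5, priority=100,in_port=4 actions=load:0x4->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,71)
 cookie=0x1c0ffee, duration=5.2s, table=71, n_packets=0, n_bytes=0, idle_age=5, priority=95,icmp6,reg5=0x4,in_port=4,icmp_type=130 actions=resubmit(,94)
 cookie=0x1c0ffee, duration=5.0s, table=0, n_packets=3, n_bytes=252, idle_age=1, priority=0 actions=NORMAL
"""


def normalize_flow(line: str) -> Optional[str]:
    """Return a stable 'match actions=...' key for one dump line, or None for
    header/blank lines such as 'NXST_FLOW reply (xid=0x4):'."""
    line = line.strip()
    match_part, sep, actions = line.partition(" actions=")
    if not line or not sep:
        return None
    fields = [f for f in match_part.replace(" ", "").split(",")
              if f.split("=", 1)[0] not in VOLATILE]
    return ",".join(fields) + " actions=" + actions.strip()


def in_port_of(flow: str) -> Optional[int]:
    """The in_port a normalized flow matches on (None if it matches any port).
    Only the match part is inspected, never the actions."""
    m = IN_PORT_RE.search(flow.split(" actions=", 1)[0])
    return int(m.group(1)) if m else None


def parse_dump(dump: str) -> List[str]:
    """All normalized flows of one capture, header lines dropped."""
    return [f for f in (normalize_flow(l) for l in dump.splitlines()) if f]


def missing_flows(before_dump: str, after_dump: str) -> Dict[Optional[int], List[str]]:
    """Flows present in the first capture but absent from the second, grouped
    by in_port; ports that lost nothing are omitted."""
    after = set(parse_dump(after_dump))
    gone: Dict[Optional[int], List[str]] = {}
    for flow in parse_dump(before_dump):
        if flow not in after:
            gone.setdefault(in_port_of(flow), []).append(flow)
    return {port: sorted(flows) for port, flows in gone.items()}


def dump_flows(bridge: str = "br-int") -> str:
    """Live capture of the bridge's flow table (needs permission to talk to
    ovs-vswitchd; add '-O', 'OpenFlow13' if the bridge rejects OpenFlow 1.0)."""
    return subprocess.run(["ovs-ofctl", "dump-flows", bridge],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python3 flowdiff.py before.txt after.txt
    # With no arguments the constructed sample captures are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = BEFORE_DUMP, AFTER_DUMP
    for port, flows in missing_flows(before, after).items():
        print(f"in_port={port}: {len(flows)} flow(s) missing after restart")
        for flow in flows:
            print("   ", flow)
```

Run on the sample data it reports two missing flows for in_port=3 and nothing else; on the real captures from steps 3 and 5, any port listed has lost its firewall flows across the re-tag, which is the condition this report describes.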
Fix proposed to branch: master
Review: https://review.openstack.org/295154