ovsfw rejects old connections after re-add former rules
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Won't Fix
|
High
|
Unassigned |
Bug Description
Reproduction procedure:
1.An all-in-one devstack enviroment, use latest master branch and openvswitch driver:
[securitygroup]
firewall_driver = openvswitch
2. launch two VMs with security_group SG1, which have two rules:
rule1: egress, IPv4
rule2: ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
3.SSH to VM2 from VM1
4.Delete rule2, check that SSH connection is blocked
5.re-add rule1 to SG1, check that SSH connection is still blocked.
The reason is that the conntrack entry is not aged and marked to 1:
root@devstack:~# conntrack -L --zone=1
tcp 6 298 ESTABLISHED src=10.0.0.3 dst=10.0.0.8 sport=38844 dport=22 src=10.0.0.8 dst=10.0.0.3 sport=22 dport=38844 [ASSURED] mark=1 zone=1 use=1
Changed in neutron: | |
importance: | Undecided → High |
Bug closed due to lack of activity, please feel free to reopen if needed.