ovsfw rejects old connections after re-add former rules
Bug #1715789 reported by
He Qing
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
Won't Fix
|
High
|
Unassigned | ||
Bug Description
Reproduction procedure:
1.An all-in-one devstack enviroment, use latest master branch and openvswitch driver:
[securitygroup]
firewall_driver = openvswitch
2. launch two VMs with security_group SG1, which have two rules:
rule1: egress, IPv4
rule2: ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0
3.SSH to VM2 from VM1
4.Delete rule2, check that SSH connection is blocked
5.re-add rule1 to SG1, check that SSH connection is still blocked.
The reason is that the conntrack entry is not aged and marked to 1:
root@devstack:~# conntrack -L --zone=1
tcp 6 298 ESTABLISHED src=10.0.0.3 dst=10.0.0.8 sport=38844 dport=22 src=10.0.0.8 dst=10.0.0.3 sport=22 dport=38844 [ASSURED] mark=1 zone=1 use=1
| Changed in neutron: | |
| importance: | Undecided → High |
Revision history for this message
| Rodolfo Alonso (rodolfo-alonso-hernandez) wrote | #1 |
| Changed in neutron: | |
| status: | New → Won't Fix |
To post a comment you must log in.
Bug closed due to lack of activity, please feel free to reopen if needed.