OVS conjunctive flows are not cleaned up after remote group member ips deleted
Bug #1907491 reported by Hang Yang
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | Fix Released | Critical | Hang Yang |
Bug Description
Running with the current Neutron master and OVS firewall agent in devstack all-in-one, when creating a security group rule with a remote-group for an active VM, the conjunctive flows that match the remote-group's member IPs are created. But when deleting the remote-group's member IPs (e.g. unsetting the fixed-ips of the port associated with the remote-group), the deleted IP's conjunctive flows are not cleaned up in OVS.
Detailed steps to reproduce in devstack: http://
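An added check (not part of the bug report) that illustrates the symptom described above: it parses `ovs-ofctl dump-flows` output and reports `conjunction(<id>,1/2)` flows whose member IP is no longer in the remote group's membership, i.e. exactly the stale flows the report describes. The flow lines, the conj_id 18 and the membership map are constructed for the example; the OVS table number and cookie are sample values.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the format `ovs-ofctl dump-flows` prints (table and
# cookie values are placeholders). The 1/2 conjunction flows match one remote-group
# member IP each; the 2/2 flow matches the rule's protocol/port, and the conj_id
# flow fires once both halves matched. Only the 1/2 flows carry a member IP.
SAMPLE_DUMP = """\
 cookie=0x9c4f2b3d1e0a7f61, duration=120.5s, table=82, n_packets=0, n_bytes=0, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x1,nw_src=10.0.0.5 actions=conjunction(18,1/2)
 cookie=0x9c4f2b3d1e0a7f61, duration=120.5s, table=82, n_packets=0, n_bytes=0, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x1,nw_src=10.0.0.9 actions=conjunction(18,1/2)
 cookie=0x9c4f2b3d1e0a7f61, duration=120.5s, table=82, n_packets=0, n_bytes=0, priority=73,ct_state=+est-rel-rpl,tcp,reg6=0x1,tp_dst=22 actions=conjunction(18,2/2)
 cookie=0x9c4f2b3d1e0a7f61, duration=120.5s, table=82, n_packets=0, n_bytes=0, priority=73,conj_id=18,ip,reg6=0x1 actions=resubmit(,92)
"""

# Match the member-IP half of a conjunction: an IPv4 (nw_*) or IPv6 (ipv6_*)
# address match field followed by a conjunction(<id>,1/2) action.
MEMBER_FLOW_RE = re.compile(
    r"(?:nw|ipv6)_(?:src|dst)=([0-9a-fA-F.:/]+).*?actions=conjunction\((\d+),1/2\)"
)


def stale_member_flows(dump: str, members: Dict[int, Set[str]]) -> List[Tuple[int, str]]:
    """Return (conj_id, ip) pairs for 1/2 flows still installed in OVS although
    `ip` is no longer a member of the remote group mapped to `conj_id`.

    `members` is the expected state: conj_id -> set of current member IPs.
    An empty result means OVS agrees with the remote-group membership.
    """
    stale: List[Tuple[int, str]] = []
    for line in dump.splitlines():
        m = MEMBER_FLOW_RE.search(line)
        if not m:
            continue  # 2/2 half, conj_id flow, or an unrelated flow
        ip, conj_id = m.group(1), int(m.group(2))
        if ip not in members.get(conj_id, set()):
            stale.append((conj_id, ip))
    return stale


if __name__ == "__main__":
    # Scenario from the report: the port holding 10.0.0.9 had its fixed-ips
    # unset, so the remote group now only contains 10.0.0.5.
    current_members = {18: {"10.0.0.5"}}
    for conj_id, ip in stale_member_flows(SAMPLE_DUMP, current_members):
        print(f"stale conjunction({conj_id},1/2) flow still matches {ip}")
```

On a live node the same function can be fed the output of `ovs-ofctl dump-flows br-int` for the firewall's rules table, with the membership map built from the Neutron API.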
summary:
- OVS conjunctive flows are not cleaned up after remote group ips updated
+ OVS conjunctive flows are not cleaned up after remote group member ips deleted
Changed in neutron: assignee: nobody → Hang Yang (hangyang)
Changed in neutron: status: Confirmed → In Progress
tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential
The issue was discovered when I was working on the remote-address-group feature for OVS. Removing IPs from remote-group and remote-address-group cannot clean up the IPs' conjunctive (1/2) flows. I made a change in my address group patch which used ANY cookie to clean IP flows, then the cleanup worked for both remote-group and remote-address-group: https://review.opendev.org/c/openstack/neutron/+/757650/9..10/neutron/agent/linux/openvswitch_firewall/firewall.py#1634
I want to bring up some discussion about whether we can confirm it is a bug and whether my change is the right way to fix it.