Openvswitch firewall - removing and adding security group breaks connectivity
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Low | Slawek Kaplonski | |
Bug Description
How to reproduce the issue:
1. use neutron-ovs-agent with openvswitch firewall driver,
2. spawn vm with SG which has some rule to allow some kind of traffic (can be e.g. ssh to the instance)
3. establish connection according to the rule(s) in SG (e.g. connect through ssh to the instance)
4. keep established connection and remove security group from port,
5. add security group again to the port
6. Your connection will not be "restored" because in the conntrack table there are entries like:
tcp 6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED] mark=1 zone=4 use=1
Connection will be restored when that entry is deleted.
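As an added example (not part of the original report and not neutron code), the sketch below parses `conntrack -L` output, picks out entries like the one quoted above, and builds the matching `conntrack -D` command without running it. It assumes, from the quoted entry, that `mark=1` in the port's zone identifies the stale entry; the function names and the sample lines other than the first are constructed.

```python
# Added example: names below are hypothetical, not neutron code.
# Constructed `conntrack -L` sample; the first line is the entry quoted in the report.
SAMPLE = """\
tcp 6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED] mark=1 zone=4 use=1
tcp 6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.45 sport=51000 dport=22 src=10.0.0.45 dst=10.0.0.2 sport=22 dport=51000 [ASSURED] mark=0 zone=4 use=1
udp 17 25 src=10.0.0.44 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.44 sport=53 dport=40000 mark=1 zone=7 use=1
"""

ADDR_KEYS = ("src", "dst", "sport", "dport")

def parse_entry(line):
    """Split one conntrack line into original/reply tuples and metadata."""
    tokens = line.split()
    entry = {"proto": tokens[0], "orig": {}, "reply": {}}
    for tok in tokens[3:]:          # skip proto name, proto number, timeout
        key, sep, val = tok.partition("=")
        if not sep:
            continue                # state (ESTABLISHED) or flag ([ASSURED])
        if key in ADDR_KEYS:
            # First occurrence is the original direction, second is the reply.
            side = "reply" if key in entry["orig"] else "orig"
            entry[side][key] = val
        else:
            entry[key] = val        # mark, zone, use, ...
    return entry

def stale_entries(text, port_ip, zone, mark=1):
    """Entries in the port's zone, touching the port's IP, carrying the mark."""
    found = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if (int(e.get("zone", 0)) == zone and int(e.get("mark", 0)) == mark
                and port_ip in (e["orig"].get("src"), e["orig"].get("dst"))):
            found.append(e)
    return found

def delete_command(e):
    """Build (not run) the conntrack -D argv that removes exactly this entry."""
    o = e["orig"]
    cmd = ["conntrack", "-D", "-w", e["zone"], "-p", e["proto"],
           "-s", o["src"], "-d", o["dst"]]
    if "sport" in o:
        cmd += ["--sport", o["sport"], "--dport", o["dport"]]
    return cmd

if __name__ == "__main__":
    for e in stale_entries(SAMPLE, "10.0.0.44", 4):
        print(" ".join(delete_command(e)))
```

Filtering on zone as well as address keeps the deletion scoped to the affected port, since the same IP can appear in other conntrack zones on the host.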
Changed in neutron:
milestone: none → wallaby-rc1
Proposed patch https://review.opendev.org/c/openstack/neutron/+/775795