Comment 0 for bug 1548173

Ritam Gangopadhyay (ritam) wrote :

Change in policy rule does not affect traffic on active flows.

Steps to reproduce:

1. create a VN "vn-1"
2. create a Policy with rule:
        source vn - vn-1
        dest-vn - vn-1
        protocol - ICMP
        action - deny
3. create 2 VMs "vm-11" and "vm-12" in "vn-1"
4. start ping to vm-12 from vm-11
5. packets should get dropped.
6. a drop flow should get created which shows action as - Dropped by Policy - D(Policy)
7. agent introspect page should show the policy action for ICMP as drop
8. change the rule action to "PASS" from "DENY"
9. agent introspect page shows the policy action for ICMP as "pass"
10. but packets are still not allowed and the flow shows as dropped - Dropped by Policy - D(Policy)

root@nodec55:~# flow -l
Flow table(size 68157440, entries 532480)

Entries: Created 6 Added 6 Processed 6 Used Overflow entries 0
(Created Flows/CPU: 1 1 2 2)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop, M=Mirror Index
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

 Index Source:Port Destination:Port Proto(V)
-------------------------------------------------------------------------
326684<=>355124 17.1.1.3:54272 17.1.1.4:0 1 (1)
(K(nh):36, Action:D(Policy), Flags:, S(nh):36, Stats:206/20188, SPort:61506)

355124<=>326684 17.1.1.4:54272 17.1.1.3:0 1 (1)
(K(nh):14, Action:D(Policy), Flags:, S(nh):14, Stats:0/0, SPort:49907)

root@nodec55:~#
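
Added example, not part of the original bug report: a Python check that automates the comparison in steps 9 and 10 by parsing `flow -l` output in the format shown above and listing flows of a given protocol that are still marked `D(Policy)`. The function names are hypothetical, the sample is copied from the output above, and reading the first `Stats` field as a packet count is an assumption.

```python
import re

# Constructed sample: lines copied from the `flow -l` output in the report above.
SAMPLE = """\
(Created Flows/CPU: 1 1 2 2)(oflows 0)
 Index Source:Port Destination:Port Proto(V)
326684<=>355124 17.1.1.3:54272 17.1.1.4:0 1 (1)
(K(nh):36, Action:D(Policy), Flags:, S(nh):36, Stats:206/20188, SPort:61506)

355124<=>326684 17.1.1.4:54272 17.1.1.3:0 1 (1)
(K(nh):14, Action:D(Policy), Flags:, S(nh):14, Stats:0/0, SPort:49907)
"""

# Key line: "<index><=><reverse index> src:port dst:port proto (V)"
KEY_RE = re.compile(
    r"^\s*(?P<index>\d+)<=>(?P<rindex>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\d+)\s+\((?P<v>\d+)\)")
ACTION_RE = re.compile(r"Action:([A-Za-z]+(?:\([^)]*\))?)")
STATS_RE = re.compile(r"Stats:(\d+)/(\d+)")  # first field assumed to be packets

def parse_flows(text):
    """Return one dict per flow entry: the key line plus the detail line after it."""
    flows, current = [], None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.groupdict()
            flows.append(current)
        elif current is not None and line.lstrip().startswith("("):
            action, stats = ACTION_RE.search(line), STATS_RE.search(line)
            current["action"] = action.group(1) if action else None
            current["pkts"] = int(stats.group(1)) if stats else 0
            current = None  # detail consumed; "(" lines outside an entry are skipped
    return flows

def policy_drops(flows, proto):
    """Flows of IP protocol number `proto` whose action is still D(Policy)."""
    return [f for f in flows
            if f["proto"] == str(proto) and f.get("action") == "D(Policy)"]

if __name__ == "__main__":
    for f in policy_drops(parse_flows(SAMPLE), proto=1):  # 1 = ICMP
        print(f"{f['index']}: {f['src']} -> {f['dst']} still D(Policy), pkts={f['pkts']}")
```

Run against live `flow -l` output after the rule change in step 8, a non-empty result for protocol 1 while the agent introspect page shows "pass" reproduces the mismatch described in step 10.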