security group function not work on active traffic session
Bug #1536080 reported by Xiao Li Xu
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
networking-ovn | Fix Released | High | Russell Bryant |
Bug Description
Setup info: Liberty with networking-ovn.
Steps:
[1] Create tenant.
[2] Create network, boot 8 instances on that network.
[3] Configure security group rules to allow all ICMP, all TCP and all UDP traffic.
[4] Associate FIP.
Ping the FIP from your laptop and make sure the ping is going through.
[5] Now modify the security group rules: remove the all-ICMP rule from the security group.
Ideally the ping should time out, but I was able to ping the FIP.
I tried to ping other instances which don't have an active ping running; the ping was timing out for all the other FIPs.
Changed in networking-ovn: | |
importance: | Undecided → High |
Changed in networking-ovn: | |
assignee: | nobody → Ramu Ramamurthy (ramu-ramamurthy) |
tags: | added: ovn-upstream |
Changed in networking-ovn: | |
assignee: | nobody → Ramu Ramamurthy (ramu-ramamurthy) |
Changed in networking-ovn: | |
assignee: | Ramu Ramamurthy (ramu-ramamurthy) → nobody |
Changed in networking-ovn: | |
assignee: | nobody → Russell Bryant (russellb) |
status: | Confirmed → In Progress |
Indeed, we currently do nothing to conntrack state when security groups get changed. Existing connections that were allowed when they were established will remain.
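An added example, not part of the bug report or of networking-ovn's code: an audit that compares tracked connections against the current allow rules and lists the flows that pass only because of existing conntrack state. The dump lines are constructed in the style of `conntrack -L` output, and the rule tuples are a hypothetical simplification of security group rules.

```python
import ipaddress

# Constructed sample in the style of `conntrack -L` output (not from the bug report).
CONNTRACK_DUMP = """\
icmp     1 29 src=198.51.100.7 dst=10.0.0.5 type=8 code=0 id=4711 src=10.0.0.5 dst=198.51.100.7 type=0 code=0 id=4711 mark=0 use=1
tcp      6 431990 ESTABLISHED src=198.51.100.7 dst=10.0.0.5 sport=50514 dport=22 src=10.0.0.5 dst=198.51.100.7 sport=22 dport=50514 [ASSURED] mark=0 use=1
udp      17 25 src=203.0.113.9 dst=10.0.0.6 sport=40000 dport=53 src=10.0.0.6 dst=203.0.113.9 sport=53 dport=40000 mark=0 use=1
"""

# Hypothetical rule model: ingress allow rules as (protocol, remote CIDR, port range or None).
RULES_BEFORE = [("icmp", "0.0.0.0/0", None),
                ("tcp", "0.0.0.0/0", (1, 65535)),
                ("udp", "0.0.0.0/0", (1, 65535))]
RULES_AFTER = [r for r in RULES_BEFORE if r[0] != "icmp"]  # step [5]: ICMP rule removed


def parse_conntrack(dump):
    """Return one dict per entry, using the original-direction tuple (first src/dst)."""
    flows = []
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        kv = {}
        for tok in fields[3:]:
            key, sep, val = tok.partition("=")
            if sep and key not in kv:  # first occurrence is the original direction
                kv[key] = val
        if "src" in kv and "dst" in kv:
            flows.append({"proto": fields[0], "src": kv["src"], "dst": kv["dst"],
                          "dport": int(kv["dport"]) if "dport" in kv else None})
    return flows


def permitted(flow, rules):
    """True if a new connection with this tuple would pass the current allow rules."""
    for proto, cidr, ports in rules:
        if proto != flow["proto"]:
            continue
        if ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(cidr):
            continue
        if ports is None or (flow["dport"] is not None and ports[0] <= flow["dport"] <= ports[1]):
            return True
    return False


def stale_flows(dump, rules):
    """Tracked flows that survive only because of conntrack state, not current rules."""
    return [f for f in parse_conntrack(dump) if not permitted(f, rules)]
```

With `RULES_AFTER`, only the ICMP flow to 10.0.0.5 is reported. Entries flagged this way are the ones that have to be deleted or re-evaluated for a rule removal to take effect on live sessions.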