iptables rules for a secgroup are not set properly when --no-security-group is set

Bug #1398312 reported by yalei wang
This bug affects 1 person
Affects   Status        Importance  Assigned to   Milestone
neutron   Fix Released  High        yalei wang
Juno      Fix Released  Undecided   Unassigned

Bug Description

In the latest code, iptables rules for a secgroup are not set properly when --no-security-group is set.

steps:

1. Edit the 'default' secgroup and add one rule for ICMP.

#neutron security-group-rule-create --direction ingress --protocol icmp --port_range_min 0 --port_range_max 255 4db9f9f6-641a-4482-af04-c64628d42b6a

One rule will be added to the port's ingress iptables chain.

Chain neutron-openvswi-i5edf1431-d (1 references)
 pkts bytes target prot opt in out source destination
...
    0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
...

2. Remove the sec group from the port.

#neutron port-update 5edf1431-dd9e-4a1c-995b-c6155152483f --no-security-group

I expect the rule created in step 1 to be deleted, but it is not.

3. After restarting the ovs-agent, all the chains and rules for port 5edf1431-dd9e-4a1c-995b-c6155152483f are removed, for example the rules in neutron-openvswi-sg-chain, including the anti-spoof chain.

I think it is because security_group_info_for_devices returns nothing if the sec-group is empty, instead of returning a dict with an empty [sec-group-rules].

I am not sure if it's a bug; experts could help here.

yalei wang (yalei-wang)
description: updated
Changed in neutron:
assignee: nobody → yalei wang (yalei-wang)
yalei wang (yalei-wang)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/138633

Changed in neutron:
status: New → In Progress
yalei wang (yalei-wang)
description: updated
Changed in neutron:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/138633
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=997e70751c74004983b1e4079b084431ed0c7d27
Submitter: Jenkins
Branch: master

commit 997e70751c74004983b1e4079b084431ed0c7d27
Author: Yalei Wang <email address hidden>
Date: Wed Dec 3 13:29:30 2014 +0800

    return the dict of port when no sec-group involved

    Commit abc16ebf made the get_sg_ids_grouped_by_port function not return
    entries for ports without security groups. This causes the agent to not remove
    previously created security groups for that port since the port is not
    returned in the security_group_info_for_devices data.

    This change fixes that by always including a list of security groups for each
    port, even if that list is empty.

    Change-Id: I9616708462a8b6f3d46ebd76db5cf8cb2826f4ad
    Closes-Bug: #1398312
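The failure mode described in the report and in the commit message above, as an added illustration that is not neutron's code: a constructed model of the server-side grouping function in its "entries only for ports with a binding row" form and in its fixed "a list for every port, possibly empty" form, feeding an agent-side reconciler that rebuilds per-port rule lists only for ports present in the RPC response. The security-group and port ids are the ones from the report; the second port id, the rule string and the rule expansion table are constructed for the example. The stale_ports check at the end is the comparison an operator would run to find ports that still carry rules the database no longer justifies.

```python
"""Constructed model of the stale-rule bug; not neutron's code."""

# Identifiers taken from the report; PORT_B and ICMP_RULE are constructed.
SG_DEFAULT = "4db9f9f6-641a-4482-af04-c64628d42b6a"
PORT_A = "5edf1431-dd9e-4a1c-995b-c6155152483f"   # gets --no-security-group in step 2
PORT_B = "11111111-2222-3333-4444-555555555555"   # constructed, keeps its group
ICMP_RULE = "-p icmp -j RETURN"                    # the step-1 rule as the agent renders it

# Rules each security group expands to (constructed).
SG_RULES = {SG_DEFAULT: [ICMP_RULE]}


def group_by_port_buggy(bindings, requested_ports):
    """Behaviour the commit message attributes to abc16ebf: only ports that
    still have a binding row produce an entry, so a port whose groups were
    cleared vanishes from the result entirely."""
    grouped = {}
    for port_id, sg_id in bindings:
        if port_id in requested_ports:
            grouped.setdefault(port_id, []).append(sg_id)
    return grouped


def group_by_port_fixed(bindings, requested_ports):
    """Behaviour of the fix: every requested port gets a list, possibly empty."""
    grouped = {port_id: [] for port_id in requested_ports}
    for port_id, sg_id in bindings:
        if port_id in grouped:
            grouped[port_id].append(sg_id)
    return grouped


def apply_sg_info(installed, sg_info, sg_rules=SG_RULES):
    """Agent-side reconcile: rebuild the rule list of every port present in the
    response. A port with an empty group list has its rules removed; a port
    absent from the response is left untouched, which is the failure mode."""
    state = dict(installed)
    for port_id, sg_ids in sg_info.items():
        rules = [rule for sg in sg_ids for rule in sg_rules.get(sg, [])]
        if rules:
            state[port_id] = rules
        else:
            state.pop(port_id, None)
    return state


def run_scenario(group_fn):
    """Steps 1 and 2 of the report. Returns the agent's rule state after the
    security group has been removed from PORT_A."""
    ports = {PORT_A, PORT_B}
    # Step 1: both ports bound to the default group, ICMP rule installed.
    bindings = [(PORT_A, SG_DEFAULT), (PORT_B, SG_DEFAULT)]
    installed = apply_sg_info({}, group_fn(bindings, ports))
    # Step 2: PORT_A's binding row is gone after --no-security-group.
    bindings = [(PORT_B, SG_DEFAULT)]
    return apply_sg_info(installed, group_fn(bindings, ports))


def stale_ports(installed, bindings):
    """Operator check: ports that still carry rules although the database
    no longer binds them to any security group."""
    bound = {port_id for port_id, _ in bindings}
    return sorted(port_id for port_id in installed if port_id not in bound)


if __name__ == "__main__":
    for name, fn in (("buggy", group_by_port_buggy), ("fixed", group_by_port_fixed)):
        state = run_scenario(fn)
        print(name, state, "stale:", stale_ports(state, [(PORT_B, SG_DEFAULT)]))
```

With the buggy grouping the ICMP rule survives on PORT_A after step 2 because the agent never hears about that port again; with the fixed grouping the empty list makes the agent drop the port's rules, which is what the report expected.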

Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/139573

Thierry Carrez (ttx)
Changed in neutron:
milestone: none → kilo-1
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/juno)

Reviewed: https://review.openstack.org/139573
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c6ef4e8d9fa638db29d1211b53f3bcfc47da01f7
Submitter: Jenkins
Branch: stable/juno

commit c6ef4e8d9fa638db29d1211b53f3bcfc47da01f7
Author: Yalei Wang <email address hidden>
Date: Wed Dec 3 13:29:30 2014 +0800

    return the dict of port when no sec-group involved

    Commit abc16ebf made the get_sg_ids_grouped_by_port function not return
    entries for ports without security groups. This causes the agent to not remove
    previously created security groups for that port since the port is not
    returned in the security_group_info_for_devices data.

    This change fixes that by always including a list of security groups for each
    port, even if that list is empty.

    Change-Id: I9616708462a8b6f3d46ebd76db5cf8cb2826f4ad
    Closes-Bug: #1398312
    (cherry picked from commit 997e70751c74004983b1e4079b084431ed0c7d27)

tags: added: in-stable-juno
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-1 → 2015.1.0