FWaaS leaves connection open if allow rule is deleted, because of conntrack
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Undecided | Ha Van Tu | 
Bug Description
Hi,
I've faced a problem with the FWaaS plugin in Neutron (Juno).
The firewall works, but when I delete a rule from the policy, the
connection still works because of conntrack... (I tried with ping
and ssh.)
It's okay if the connection is kept alive when it's really alive (an
active SSH session, for example), but if I delete the ICMP rule, stop pinging,
and restart pinging, the ping still works...
If I go to my neutron server and run a conntrack -F command on the
relevant qrouter, the firewall starts working based on the valid rules...
Is there any way to configure the conntrack cleanup when the FWaaS
configuration is modified by the user?
If not, can somebody help me with where to make changes in the code to run that
command in the proper namespace after the iptables rule generation?
Regards,
Peter
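A small added model of the mechanism described in the report above (illustrative code, not Neutron's FWaaS driver): an iptables-style chain that accepts RELATED,ESTABLISHED traffic before the policy rules, so a flow that already has a conntrack entry keeps passing after its allow rule is removed, until the table is flushed as `conntrack -F` would do in the qrouter namespace. The rule layout and flow tuples are assumptions for the demonstration.

```python
# Added example, not Neutron code: a minimal model of a stateful chain to show
# why deleting an allow rule does not stop an already-tracked flow until the
# conntrack table is flushed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str      # "icmp", "tcp", ...
    src: str
    dst: str
    dport: int = 0  # 0 for protocols without ports


@dataclass
class Firewall:
    # Policy rules as (proto, dport) tuples; dport 0 means "any port".
    allow_rules: list = field(default_factory=list)
    # Simplified conntrack table: flows that were accepted as NEW.
    conntrack: set = field(default_factory=set)

    def accepts(self, flow: Flow) -> bool:
        # First rule in the chain (typical FWaaS layout): RELATED,ESTABLISHED -j ACCEPT
        if flow in self.conntrack:
            return True
        # Then the user's policy rules, first match wins
        for proto, dport in self.allow_rules:
            if proto == flow.proto and dport in (0, flow.dport):
                self.conntrack.add(flow)   # NEW connection gets a conntrack entry
                return True
        return False                       # default DROP

    def delete_rule(self, rule, flush=False):
        self.allow_rules.remove(rule)
        if flush:                          # equivalent of `conntrack -F` in the router namespace
            self.conntrack.clear()


def demo(flush_on_delete: bool) -> tuple:
    """Return (accepted before rule deletion, accepted after rule deletion)."""
    fw = Firewall(allow_rules=[("icmp", 0), ("tcp", 22)])
    ping = Flow("icmp", "10.0.0.5", "10.0.0.9")   # constructed sample flow
    before = fw.accepts(ping)             # first ping creates the conntrack entry
    fw.delete_rule(("icmp", 0), flush=flush_on_delete)
    after = fw.accepts(ping)              # same flow, allow rule now gone
    return before, after


if __name__ == "__main__":
    print("without flush:", demo(False))  # (True, True): flow keeps passing
    print("with flush:", demo(True))      # (True, False): flow is dropped
```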
Changed in neutron:
assignee: nobody → Elena Ezhova (eezhova)
tags: added: fwaas
Changed in neutron:
importance: Undecided → High
Changed in neutron:
assignee: nobody → dnovosel (dnovosel)
tags: added: fawns needs-attention removed: fwaas
tags: added: fwaas removed: fawns
Changed in neutron:
assignee: dnovosel (dnovosel) → nobody
status: New → Incomplete
importance: High → Undecided
I tried to reproduce this on stable/juno but I didn't get the problem described in the bug report. When I deleted a rule from a policy, all new connections got rejected. If this bug is still valid, could you please provide more details on how to reproduce this?