Dropping a rule from security group rules don't drop the connection in the IptablesFirewallDriver (they do for Hybrid)

Bug #1556013 reported by Miguel Angel Ajo
This bug affects 1 person
Affects: neutron
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

This happens because connection tracking zones don't work in the
IptablesFirewallDriver (they do for Hybrid).

The subclass for the hybrid driver is the one introducing the zone
rules [1]

I remember it was discussed during this review [2], but I cannot see if
there was any technical detail why we could not do the same thing on
the plain IptablesFirewallDriver itself.

[1] https://github.com/openstack/neutron/blob/01a5d9a3c088e54ae78c068408d419ccc53f8ca8/neutron/agent/linux/iptables_firewall.py#L905

[2] https://review.openstack.org/#/c/118274/

Changed in neutron:
importance: Undecided → Medium
tags: added: linuxbridge sg-fw
summary: - Connection tracking zones don't work in the IptablesFirewallDriver (they
- do for Hybrid)
+ Dropping a rule from security group rules don't drop the connection in
+ the IptablesFirewallDriver (they do for Hybrid)
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired