ip_conntrack only delete one direction entry

Bug #1570171 reported by yujie
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: yujie

Bug Description

The test used neutron master.
I used devstack to create one net and two VMs on this net; vm1's fixed IP is 10.0.0.3, vm2's fixed IP is 10.0.0.4.
Both VMs are bound to sg1:
   rule1: ingress, any protocol, any remote ip prefix
   rule2: egress, any protocol, any remote ip prefix

1. vm1 pings vm2 and vm2 pings vm1; the conntrack table is:
$ sudo conntrack -L -p icmp
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
conntrack v1.4.1 (conntrack-tools): 4 flow entries have been shown.

2. vm2 unbinds sg1; the conntrack table becomes:
$ sudo conntrack -L -p icmp
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
conntrack v1.4.1 (conntrack-tools): 3 flow entries have been shown.

Now vm1 could not connect to vm2, which is right; but vm2 could still ping vm1 successfully. The entry "icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1" was not deleted as expected.

yujie (16189455-d)
Changed in neutron:
assignee: nobody → yujie (16189455-d)
yujie (16189455-d)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/305598

Revision history for this message
Brandon Logan (brandon-logan) wrote :

Just did a quick test in devstack and this does indeed happen.

Changed in neutron:
status: New → Confirmed
Changed in neutron:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/305598
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2de33a902d63c27876cda090011beaa987802fe2
Submitter: Jenkins
Branch: master

commit 2de33a902d63c27876cda090011beaa987802fe2
Author: yujie <email address hidden>
Date: Thu Apr 14 06:35:49 2016 +0800

    Delete conntrack entry on the other direction

    When one VM unbinds a security group, only one direction's
    conntrack entry was deleted, which is not enough and may
    leave the other direction still able to connect.
    This patch deletes the remaining one.

    Change-Id: I44d6bd0c2465294b557fd01566b72e016d34bba3
    Close-Bug: #1570171

Revision history for this message
Itsuro Oda (oda-g) wrote :

yujie,

I think the fix of https://review.openstack.org/305598 is incomplete. (though it was merged already)

The following is necessary in addition to the fix.
----------------------------------------------------------------------------------------
diff --git a/neutron/agent/linux/ip_conntrack.py b/neutron/agent/linux/ip_conntrack.py
index 78cc62e..ae8edf7 100644
--- a/neutron/agent/linux/ip_conntrack.py
+++ b/neutron/agent/linux/ip_conntrack.py
@@ -58,7 +58,8 @@ class IpConntrackManager(object):
                 ip_cmd = [str(net.ip), '-w', zone_id]
                 if remote_ip and str(
                         netaddr.IPNetwork(remote_ip).version) in ethertype:
- ip_cmd.extend(['-s', str(remote_ip)])
+ dir = '-s' if rule.get('direction') == 'ingress' else '-d'
+ ip_cmd.extend([dir, str(remote_ip)])
                 conntrack_cmds.add(tuple(cmd + ip_cmd))
         return conntrack_cmds
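Review bot: `dir` in the added line shadows the Python builtin of the same name; a name such as `remote_flag` avoids that. The same line also maps every value other than 'ingress', including a missing 'direction' key, to '-d'; if `rule` can lack the key, check for 'egress' explicitly (or raise) rather than silently deleting on the destination side.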
------------------------------------------------------------------------------------------

The original code uses a fixed '-s' because it assumes the direction is 'ingress' if remote_ip exists, and this assumption was true.
You should change this also.

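The two-direction requirement from the bug description and the -s/-d selection in Itsuro Oda's hunk, modelled in plain Python as an added example (not neutron's own code; the `Entry`, `delete_filters` and `apply_deletes` names are mine, and the sample input is the conntrack output quoted in the bug description):

```python
"""Model of the conntrack matching this bug is about (added illustration, not neutron's code).
A conntrack entry stores the original tuple (the packet that created it) and the reply tuple.
`conntrack -D -s X` / `-d X` match X against the original tuple, so a delete that filters on
one side only leaves the flows the VM itself initiated: the leftover zone=3 entry above."""
import re
from dataclasses import dataclass

# Constructed sample: the `conntrack -L -p icmp` output quoted in the bug description.
CONNTRACK_OUTPUT = """\
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
"""

@dataclass(frozen=True)
class Entry:
    orig_src: str  # source of the packet that created the entry
    orig_dst: str
    zone: str      # kept as a string because it is passed to the CLI as-is

def parse_conntrack(output):
    """Parse `conntrack -L` lines; the first src=/dst= pair is the original direction."""
    entries = []
    for line in output.splitlines():
        src, dst, zone = (re.search(p, line) for p in (r"src=(\S+)", r"dst=(\S+)", r"zone=(\d+)"))
        if src and dst and zone:
            entries.append(Entry(src.group(1), dst.group(1), zone.group(1)))
    return entries

def delete_filters(vm_ip, zone, remote_ip=None, direction=None):
    """`conntrack -D` argument lists covering both sides of the original tuple.
    With a remote_ip, the rule direction says where the remote sits: ingress flows are
    initiated by the remote (-s), egress flows by the VM (-d), as in Itsuro Oda's hunk."""
    filters = [['-w', zone, '-d', vm_ip], ['-w', zone, '-s', vm_ip]]
    if remote_ip:
        flag = '-s' if direction == 'ingress' else '-d'
        filters = [f + [flag, remote_ip] for f in filters if flag not in f]
    return filters

def apply_deletes(entries, filters):
    """Simulate `conntrack -D` for each filter against the zone and the original tuple."""
    for f in filters:
        want = dict(zip(f[::2], f[1::2]))
        entries = [e for e in entries if not (e.zone == want['-w']
                   and want.get('-d', e.orig_dst) == e.orig_dst
                   and want.get('-s', e.orig_src) == e.orig_src)]
    return entries
```

Running the one-sided filter `-w 3 -d 10.0.0.4` over the sample reproduces the leftover entry from step 2; the two-sided filters from `delete_filters` empty zone 3.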
Revision history for this message
yujie (16189455-d) wrote :

Hi Itsuro, thanks for pointing out the error. It needs a new patch to fix. I will give it ASAP along with related test cases.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/318679

tags: added: neutron-proactive-backport-potential
Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/318679
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4acccc7e9ce6849e6fb30d42edbf858fd4235954
Submitter: Jenkins
Branch: master

commit 4acccc7e9ce6849e6fb30d42edbf858fd4235954
Author: yujie <email address hidden>
Date: Fri Aug 5 10:41:08 2016 +0800

    Delete conntrack entry with remote_ip on the other direction

    Patch [1] is incomplete for deleting conntrack entries with
    remote_ip set. This patch fixes the defect.
    [1]: I44d6bd0c2465294b557fd01566b72e016d34bba3

    Change-Id: I31c579dbe28e4e8e824912b695eaba9475cf0095
    Closes-Bug: #1570171

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 9.0.0.0b3

This issue was fixed in the openstack/neutron 9.0.0.0b3 development milestone.

tags: removed: neutron-proactive-backport-potential