OVS firewall should make use of security_group_updated

Bug #1606462 reported by IWAMOTO Toshihiro
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Low | IWAMOTO Toshihiro |

Bug Description

Look at this:

class OVSFirewallDriver(firewall.FirewallDriver):
...
    def security_group_updated(self, action_type, sec_group_ids,
                               device_ids=None):
        """This method is obsolete

        The current driver only supports enhanced rpc calls into security group
        agent. This method is never called from that place.
        """

But this is used by the enhanced RPC. See SecurityGroupAgentRpc._security_group_updated.

Also, this can be checked by inserting a test raise statement into the above method.

Tags: ovs sg-fw
tags: added: ovs sg-fw
Jakub Libosvar (libosvar) wrote :

Is this needed because of using conjunctions?

Changed in neutron:
status: New → Triaged
IWAMOTO Toshihiro (iwamoto) wrote :

Not directly related to the conjunction patch.

I'm suspecting sg updates are not taking effect because of this.

IWAMOTO Toshihiro (iwamoto) wrote :

1. docstring is incorrect. security_group_updated is called.

2. iptables_firewall has security_group_updated that does something. I wonder what makes this difference.

3. I'm yet to find cases where ovsfirewall fails to process SG updates correctly.

IWAMOTO Toshihiro (iwamoto) wrote :

SG member updates and especially deletion can be handled better when this method is used.

summary: - OVS firewall doesn't handle security group updates properly
+ OVS firewall should make use of security_group_updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/395956

Changed in neutron:
assignee: nobody → IWAMOTO Toshihiro (iwamoto)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/395956
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7db68e32023162d843d287a121fec64a6786e87c
Submitter: Jenkins
Branch: master

commit 7db68e32023162d843d287a121fec64a6786e87c
Author: IWAMOTO Toshihiro <email address hidden>
Date: Thu Nov 10 14:27:18 2016 +0900

    ovsfw: small cleanups to improve readability

    security_group_updated is actually called but of no use for ovsfw.
    Fix the comment to reflect the reality. In iptables_firewall, the
    method is used to clear obsolete conntrack entries, but ovsfw implements
    that differently. Also, remove empty definition of apply_port_filter,
    which is never called.

    Change-Id: I26b402e0fa5ac19022e022bf7c51e171d0f5d333
    Closes-Bug: #1606462

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.0.0b2

This issue was fixed in the openstack/neutron 10.0.0.0b2 development milestone.

tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential
Changed in neutron:
importance: Undecided → Low