neutron

  1. Bug #1668958
  2. Comment #21

Comment 21 for bug 1668958

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/460905
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4f01368001304d0c42265a6498e43c93b5aec49b
Submitter: Jenkins
Branch: stable/newton

commit 4f01368001304d0c42265a6498e43c93b5aec49b
Author: Kevin Benton <email address hidden>
Date: Fri Mar 3 10:57:57 2017 -0800

    Stop killing conntrack state without CT Zone

    The conntrack clearing code was belligerenty killing connections
    without a conntrack zone specifier when it couldn't get the zone
    for a given device. This means it would kill all connections based
    on an IP address match, which meant hitting innocent bystanders
    in other tenant networks with overlapping IP addresses.

    This bad fallback was being triggered every time because it was
    using the wrong identifier for a port to look up the zone.

    This patch fixes the port lookup and adjusts the fallback behavior
    to never clear conntrack entries if we can't find the conntrack
    zone for a port.

    This triggered the bug below (in the cases I root-caused) by
    killing a metadata connection right in the middle of retrieving
    a key.

    Closes-Bug: #1668958
    Change-Id: Ia4ee9b3305e89c958ac927980d80119c53ea519b
    (cherry picked from commit ff3132d8d455012b2b29f1eb65817f8492f84fe9)
    (cherry picked from commit 5a0700ee9f1c2fc7d651003b4ede8d850199c28b)