commit 4f01368001304d0c42265a6498e43c93b5aec49b
Author: Kevin Benton <email address hidden>
Date: Fri Mar 3 10:57:57 2017 -0800

Stop killing conntrack state without CT Zone

The conntrack clearing code was belligerently killing connections
without a conntrack zone specifier when it couldn't get the zone
for a given device. This means it would kill all connections based
on an IP address match, which meant hitting innocent bystanders
in other tenant networks with overlapping IP addresses.

This bad fallback was being triggered every time because it was
using the wrong identifier for a port to look up the zone.

This patch fixes the port lookup and adjusts the fallback behavior
to never clear conntrack entries if we can't find the conntrack
zone for a port.

This triggered the bug below (in the cases I root-caused) by
killing a metadata connection right in the middle of retrieving
a key.

Closes-Bug: #1668958
Change-Id: Ia4ee9b3305e89c958ac927980d80119c53ea519b
(cherry picked from commit ff3132d8d455012b2b29f1eb65817f8492f84fe9)
(cherry picked from commit 5a0700ee9f1c2fc7d651003b4ede8d850199c28b)

Reviewed: https://review.openstack.org/460905
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4f01368001304d0c42265a6498e43c93b5aec49b
Submitter: Jenkins
Branch: stable/newton
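
The failure mode described in the commit message, as an added example that is not Neutron's code: a constructed connection table in which two tenants reuse 10.0.0.5 in different conntrack zones, comparing what an IP-only match removes with what a zone-scoped match removes, plus a command builder that skips the port when its zone cannot be found. The function names, table layout, port IDs and zone numbers are assumptions; `-D`, `-f`, `-d`, `-s` and `-w` are real `conntrack` options.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    zone: int
    src: str
    dst: str
    dport: int

# Constructed sample table: two tenants reuse 10.0.0.5, separated only by CT zone.
TABLE = [
    Entry(zone=1, src="10.0.0.5", dst="169.254.169.254", dport=80),  # tenant A, metadata fetch
    Entry(zone=2, src="10.0.0.5", dst="10.0.0.9", dport=22),         # tenant B, same IP
    Entry(zone=2, src="10.0.0.7", dst="10.0.0.5", dport=443),        # tenant B, inbound
]

def matches(table, ip, zone=None):
    """Entries removed by a delete filtered on ip and, optionally, zone.

    zone=None models the old fallback from the commit message: IP match only.
    """
    return [e for e in table
            if ip in (e.src, e.dst) and (zone is None or e.zone == zone)]

def delete_cmds(ip, zone):
    """Build conntrack delete commands for one port IP; none if the zone is unknown."""
    if zone is None:
        # Fixed behaviour: skip instead of falling back to a zone-less delete.
        return []
    base = ["conntrack", "-D", "-f", "ipv4", "-w", str(zone)]
    return [base + ["-d", ip], base + ["-s", ip]]

def clear_port(table, ip, port_id, zone_by_port):
    """Return (commands, surviving entries) for clearing one port's state."""
    zone = zone_by_port.get(port_id)  # a wrong identifier yields None here
    cmds = delete_cmds(ip, zone)
    if not cmds:
        return cmds, list(table)
    doomed = set(matches(table, ip, zone))
    return cmds, [e for e in table if e not in doomed]

if __name__ == "__main__":
    print("IP-only match hits:", len(matches(TABLE, "10.0.0.5")), "entries")
    cmds, left = clear_port(TABLE, "10.0.0.5", "port-b", {"port-b": 2})
    print("zone-scoped commands:", cmds)
    print("surviving entries:", left)
```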