Bug #1696093 reported by wujun
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | wujun |
Bug Description
environment: devstack master
When updating a firewall, we should update the iptables first, and then clear the conntrack record, just like the function create_firewall(). Otherwise, the conntrack record could be reproduced.
We can trigger the firewall_update action by:
1. # neutron firewall-update f1 --no-routers
2. The VM pings an external IP address all the time
3. # neutron firewall-update f1 --router demo-router
We can find that the VM can still ping the external IP address successfully.
Note:
We should make sure that the ping never stops and that the ping interval is small. If it is still not reproduced, we can modify the code to add a "sleep" before the function "_setup_
Changed in neutron:
assignee: nobody → wujun (wujun)
Changed in neutron:
status: New → In Progress
Fix proposed to branch: master
Review: https://review.openstack.org/471301
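The ordering problem from the bug description, as an added example that is not neutron or FWaaS code: a toy model of a stateful filter in which an ESTABLISHED shortcut sits in front of the rule set, with one ping landing between the two update steps. The class, function names and the sample flow are hypothetical and constructed for illustration.

```python
# Toy model of a stateful packet filter. All names are hypothetical;
# this is not neutron or FWaaS code.

class StatefulFilter:
    def __init__(self, allow_new):
        self.allow_new = allow_new   # stands in for the iptables rule set
        self.conntrack = set()       # stands in for the kernel conntrack table

    def packet(self, flow):
        """Return True if the packet is accepted."""
        if flow in self.conntrack:   # ESTABLISHED: accepted before rules are consulted
            return True
        if self.allow_new:           # NEW flow permitted: create a tracking entry
            self.conntrack.add(flow)
            return True
        return False                 # NEW flow dropped, nothing is tracked


def update_firewall(fw, flow, rules_first):
    """Switch fw to deny-new while `flow` keeps sending; return later verdicts."""
    steps = [lambda: setattr(fw, "allow_new", False),  # apply the new rules
             fw.conntrack.clear]                       # flush conntrack
    if not rules_first:
        steps.reverse()              # the ordering described in the bug report
    steps[0]()
    fw.packet(flow)                  # a ping lands between the two steps
    steps[1]()
    return [fw.packet(flow) for _ in range(3)]         # pings after the update


def run(rules_first):
    flow = ("icmp", "10.0.0.5", "203.0.113.10", 4242)  # constructed sample flow
    fw = StatefulFilter(allow_new=True)                # firewall detached from router
    assert fw.packet(flow)                             # the ping is already running
    return update_firewall(fw, flow, rules_first)


if __name__ == "__main__":
    print("flush, then rules:", run(rules_first=False))  # entry re-created
    print("rules, then flush:", run(rules_first=True))   # ping is cut off
```

With the flush first, the in-between ping re-creates the entry under the old rules and every later ping matches it; with the rules first, the stale entry is removed after the deny rules are already in place.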