ovsfw rejects old connections after re-add former rules

Bug #1715789 reported by He Qing on 2017-09-08
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
High
Unassigned

Bug Description

Reproduction procedure:
1.An all-in-one devstack enviroment, use latest master branch and openvswitch driver:
[securitygroup]
firewall_driver = openvswitch

2. launch two VMs with security_group SG1, which have two rules:
rule1: egress, IPv4
rule2: ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0

3.SSH to VM2 from VM1
4.Delete rule2, check that SSH connection is blocked
5.re-add rule1 to SG1, check that SSH connection is still blocked.
The reason is that the conntrack entry is not aged and marked to 1:
root@devstack:~# conntrack -L --zone=1
tcp 6 298 ESTABLISHED src=10.0.0.3 dst=10.0.0.8 sport=38844 dport=22 src=10.0.0.8 dst=10.0.0.3 sport=22 dport=38844 [ASSURED] mark=1 zone=1 use=1

Changed in neutron:
importance: Undecided → High
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers