ovsfw rejects old connections after re-add former rules

Bug #1715789 reported by He Qing on 2017-09-08

Bug Description

Reproduction procedure:
1. An all-in-one devstack environment, using the latest master branch and the openvswitch driver:
firewall_driver = openvswitch

2. Launch two VMs with security group SG1, which has two rules:
rule1: egress, IPv4
rule2: ingress, IPv4, 22/tcp, remote_ip_prefix:

3. SSH to VM2 from VM1.
4. Delete rule2, check that the SSH connection is blocked.
5. Re-add rule1 to SG1, check that the SSH connection is still blocked.
The reason is that the conntrack entry is not aged out and is marked 1:
root@devstack:~# conntrack -L --zone=1
tcp 6 298 ESTABLISHED src= dst= sport=38844 dport=22 src= dst= sport=22 dport=38844 [ASSURED] mark=1 zone=1 use=1

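As an added example (not part of the bug report and not Neutron's own code), the script below parses `conntrack -L --zone=1` output of the shape shown above, picks out entries that are still ESTABLISHED but carry the mark the report identifies on the blocked SSH flow (mark=1), and builds the `conntrack -D` invocations that would flush just those entries so the reproduction at step 5 can be re-checked. The sample output, the addresses in it and the function names are constructed for this example; the conntrack-tools flags used (`-D`, `-p`, `-s`, `-d`, `--sport`, `--dport`, `-w`, `-m`) are real.

```python
import re
import subprocess

# Constructed sample of `conntrack -L --zone=1` output (not captured from the
# bug report; addresses are hypothetical). The first line is the stale SSH
# flow the report describes: still ESTABLISHED, but carrying mark=1.
SAMPLE_CONNTRACK_OUTPUT = """\
tcp      6 298 ESTABLISHED src=10.0.0.5 dst=10.0.0.6 sport=38844 dport=22 src=10.0.0.6 dst=10.0.0.5 sport=22 dport=38844 [ASSURED] mark=1 zone=1 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.7 sport=51200 dport=80 src=10.0.0.7 dst=10.0.0.5 sport=80 dport=51200 [ASSURED] mark=0 zone=1 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=53412 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=53412 mark=0 zone=1 use=1
"""

# One conntrack -L line: proto, proto number, timeout, optional state (TCP only),
# the original-direction tuple, the reply-direction tuple, then flags/mark/zone.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+"
    r"src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)\s+sport=(?P<rsport>\d+)\s+dport=(?P<rdport>\d+)"
    r"(?P<rest>.*)$"
)
MARK_RE = re.compile(r"\bmark=(\d+)")
ZONE_RE = re.compile(r"\bzone=(\d+)")


def parse_conntrack_output(text):
    """Parse conntrack -L lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        mark = MARK_RE.search(rest)
        zone = ZONE_RE.search(rest)
        entries.append({
            "proto": m.group("proto"),
            "timeout": int(m.group("timeout")),
            "state": m.group("state"),          # None for stateless protocols
            "src": m.group("src"),
            "dst": m.group("dst"),
            "sport": int(m.group("sport")),
            "dport": int(m.group("dport")),
            "mark": int(mark.group(1)) if mark else 0,
            "zone": int(zone.group(1)) if zone else 0,
        })
    return entries


def stale_entries(entries, zone=1, drop_mark=1):
    """Entries in the given zone that carry the drop mark but are still live.

    mark=1 is what the report shows on the blocked flow; that it is the
    driver's "rejected" mark is an assumption of this example.
    """
    return [
        e for e in entries
        if e["zone"] == zone and e["mark"] == drop_mark
        and (e["state"] is None or e["state"] == "ESTABLISHED")
    ]


def delete_commands(entries):
    """Build one `conntrack -D` argv per stale entry, scoped by zone and mark."""
    cmds = []
    for e in entries:
        cmds.append([
            "conntrack", "-D",
            "-p", e["proto"],
            "-s", e["src"], "-d", e["dst"],
            "--sport", str(e["sport"]), "--dport", str(e["dport"]),
            "-w", str(e["zone"]),
            "-m", str(e["mark"]),
        ])
    return cmds


def has_stale_blocked_flow(text, zone=1, drop_mark=1):
    """The check for step 5: does a marked-but-live entry remain in the zone?"""
    return bool(stale_entries(parse_conntrack_output(text), zone, drop_mark))


def live_conntrack_output(zone=1):
    """Run the real listing (needs root and conntrack-tools); not used by the demo."""
    return subprocess.run(
        ["conntrack", "-L", "--zone=%d" % zone],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    stale = stale_entries(parse_conntrack_output(SAMPLE_CONNTRACK_OUTPUT))
    for cmd in delete_commands(stale):
        print(" ".join(cmd))
```

On a live host, replace `SAMPLE_CONNTRACK_OUTPUT` with `live_conntrack_output()` and run the printed commands as root; afterwards `has_stale_blocked_flow()` should return False and the SSH session from step 3 should be accepted again if the re-added rule permits it.
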
Changed in neutron:
importance: Undecided → High