Old conjunction left after sg update

Bug #1854131 reported by Yang Li
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Yang Li
Milestone: (none listed)

Bug Description

1. Create 2 security groups:
   test-security1, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
   test-security2, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security2)

2. Create a VM (IP: 40.0.0.46) with test-security1, then the OpenFlow flows showed:
 cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
 cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)

3. Update the VM's sg to test-security2, then the OpenFlow flows showed:
 cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
 cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)

You can see the old conjunctions for test-security1 still exist: conjunction(14,1/2) and conjunction(15,1/2).
This will cause a security problem for the VM, because it can still be reached by the VMs in the old sg.
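The check made by eye in step 3 (are there conjunction ids on the port's flows that its current security group does not own?) can be automated. The script below is an added example, not code from the bug report or from the Neutron project: it parses `ovs-ofctl dump-flows` lines of the form shown above, collects the conjunction ids attached to each `nw_src` in table 82, and reports any id outside the expected set. The flow lines are the ones from the report; the expected-id maps (14/15 for test-security1 before the update, 22/23 for test-security2 after it) are an assumption read off those dumps, and all function names are mine.

```python
"""Audit OVS firewall flows (table 82) for stale conjunction ids.

Added example, not code from the Neutron project or from the bug reporter.
Assumptions: the EXPECTED_* maps below (which conjunction ids each port IP
should carry at each step) and all function names are mine.
"""
import re
from typing import Dict, Set

# Flow lines copied from step 2 (before the sg update) of the bug report.
FLOWS_BEFORE = """\
 cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
 cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)
"""

# Flow lines copied from step 3 (after the sg update) of the bug report.
FLOWS_AFTER = """\
 cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
 cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)
"""

# Assumed: ids that test-security1 used for the port (step 2) and that
# test-security2 uses after the update (step 3), read off the dumps above.
EXPECTED_BEFORE: Dict[str, Set[int]] = {"40.0.0.46": {14, 15}}
EXPECTED_AFTER: Dict[str, Set[int]] = {"40.0.0.46": {22, 23}}

_CONJ_RE = re.compile(r"conjunction\((\d+),(\d+)/(\d+)\)")


def parse_flow(line: str) -> dict:
    """Split one dump-flows line into a dict of match fields plus 'actions'.

    Match fields without a value (e.g. 'ip') are stored as True.
    """
    match_part, _, actions = line.strip().partition(" actions=")
    fields = {}
    for token in match_part.split(","):
        token = token.strip()
        if not token:
            continue
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    fields["actions"] = actions
    return fields


def conjunction_ids(actions: str) -> Set[int]:
    """Return the conjunction ids referenced by an actions string."""
    return {int(m.group(1)) for m in _CONJ_RE.finditer(actions)}


def find_stale_conjunctions(dump: str, expected: Dict[str, Set[int]],
                            table: str = "82") -> Dict[str, Set[int]]:
    """Map each port IP to conjunction ids present in its flows but not expected.

    An empty result means every conjunction on the port belongs to its
    current security group; a non-empty one means flows for a previous
    group (the situation in this bug) are still installed.
    """
    seen: Dict[str, Set[int]] = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.get("table") != table or "nw_src" not in flow:
            continue
        ip = flow["nw_src"]
        seen.setdefault(ip, set()).update(conjunction_ids(flow["actions"]))
    return {ip: ids - expected.get(ip, set())
            for ip, ids in seen.items() if ids - expected.get(ip, set())}


if __name__ == "__main__":
    print("before update:", find_stale_conjunctions(FLOWS_BEFORE, EXPECTED_BEFORE))
    print("after update: ", find_stale_conjunctions(FLOWS_AFTER, EXPECTED_AFTER))
```

On a compute node the same function can be fed the output of `ovs-ofctl dump-flows br-int table=82` after a security-group change; a non-empty result for a port means packets from the previous group's members still match its flows, which is exactly the exposure the report describes.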

Yang Li (yang-li)
description: updated
OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/696236

Changed in neutron:
assignee: nobody → Yang Li (yang-li)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.opendev.org/696236
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=5cb0ff418a0794d060001a7313561c4cfb584d0e
Submitter: Zuul
Branch: master

commit 5cb0ff418a0794d060001a7313561c4cfb584d0e
Author: Yang Li <email address hidden>
Date: Wed Nov 27 14:48:05 2019 +0800

    Add more conditions to check sg member exists

    Only checking the sg object is not enough; we should also
    check whether sg's ports is {} or not. Otherwise the old conjunction
    will still exist.

    Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
    Closes-Bug: #1854131

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/696974

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/696975

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/696976

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/696977

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/696975
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cf3f00f24a0ec0e595a0b4600afea7fa70184127
Submitter: Zuul
Branch: stable/train

commit cf3f00f24a0ec0e595a0b4600afea7fa70184127
Author: Yang Li <email address hidden>
Date: Wed Nov 27 14:48:05 2019 +0800

    Add more conditions to check sg member exists

    Only checking the sg object is not enough; we should also
    check whether sg's ports is {} or not. Otherwise the old conjunction
    will still exist.

    Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
    Closes-Bug: #1854131
    (cherry picked from commit 5cb0ff418a0794d060001a7313561c4cfb584d0e)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/696976
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ed76c1573592b44df99f45c444e7135be1245046
Submitter: Zuul
Branch: stable/rocky

commit ed76c1573592b44df99f45c444e7135be1245046
Author: Yang Li <email address hidden>
Date: Wed Nov 27 14:48:05 2019 +0800

    Add more conditions to check sg member exists

    Only checking the sg object is not enough; we should also
    check whether sg's ports is {} or not. Otherwise the old conjunction
    will still exist.

    Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
    Closes-Bug: #1854131
    (cherry picked from commit 5cb0ff418a0794d060001a7313561c4cfb584d0e)

tags: added: in-stable-rocky
tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/696977
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a5642453a8f50d112d9df39879fa27b1b70818e1
Submitter: Zuul
Branch: stable/queens

commit a5642453a8f50d112d9df39879fa27b1b70818e1
Author: Yang Li <email address hidden>
Date: Wed Nov 27 14:48:05 2019 +0800

    Add more conditions to check sg member exists

    Only checking the sg object is not enough; we should also
    check whether sg's ports is {} or not. Otherwise the old conjunction
    will still exist.

    Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
    Closes-Bug: #1854131
    (cherry picked from commit 5cb0ff418a0794d060001a7313561c4cfb584d0e)

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/696974
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d82745b651b022bd32c8a740656f0d2b5f435906
Submitter: Zuul
Branch: stable/stein

commit d82745b651b022bd32c8a740656f0d2b5f435906
Author: Yang Li <email address hidden>
Date: Wed Nov 27 14:48:05 2019 +0800

    Add more conditions to check sg member exists

    Only checking the sg object is not enough; we should also
    check whether sg's ports is {} or not. Otherwise the old conjunction
    will still exist.

    Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
    Closes-Bug: #1854131
    (cherry picked from commit 5cb0ff418a0794d060001a7313561c4cfb584d0e)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 13.0.6

This issue was fixed in the openstack/neutron 13.0.6 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 14.0.4

This issue was fixed in the openstack/neutron 14.0.4 release.

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 15.0.1

This issue was fixed in the openstack/neutron 15.0.1 release.

OpenStack Infra (hudson-openstack) wrote: Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/707248

OpenStack Infra (hudson-openstack) wrote: Related fix proposed to neutron (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/708484

OpenStack Infra (hudson-openstack) wrote: Related fix proposed to neutron (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/708488

OpenStack Infra (hudson-openstack) wrote: Related fix proposed to neutron (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/708490

OpenStack Infra (hudson-openstack) wrote: Related fix proposed to neutron (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/708491

OpenStack Infra (hudson-openstack) wrote: Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/707248
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6dbba8d5ce18805a6f104782510c055017267435
Submitter: Zuul
Branch: master

commit 6dbba8d5ce18805a6f104782510c055017267435
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    A security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131

OpenStack Infra (hudson-openstack) wrote: Related fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/708484
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fb06c497a651369682d453a283234f2414d7ace4
Submitter: Zuul
Branch: stable/train

commit fb06c497a651369682d453a283234f2414d7ace4
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    A security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131
    (cherry picked from commit 6dbba8d5ce18805a6f104782510c055017267435)

OpenStack Infra (hudson-openstack) wrote: Related fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/708491
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=51eb5b2f6098b9404169b5856bdb72604f30fc0c
Submitter: Zuul
Branch: stable/queens

commit 51eb5b2f6098b9404169b5856bdb72604f30fc0c
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    A security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131
    (cherry picked from commit 6dbba8d5ce18805a6f104782510c055017267435)

OpenStack Infra (hudson-openstack) wrote: Related fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/708490
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1adda631c431245234615cbcd8e8b7b27ad657f5
Submitter: Zuul
Branch: stable/rocky

commit 1adda631c431245234615cbcd8e8b7b27ad657f5
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    A security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131
    (cherry picked from commit 6dbba8d5ce18805a6f104782510c055017267435)

OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 16.0.0.0b1

This issue was fixed in the openstack/neutron 16.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote: Related fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/708488
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4193c6ca0e0165a2bcc7a11eee775df15019e755
Submitter: Zuul
Branch: stable/stein

commit 4193c6ca0e0165a2bcc7a11eee775df15019e755
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    A security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131
    (cherry picked from commit 6dbba8d5ce18805a6f104782510c055017267435)

tags: added: neutron-proactive-backport-potential
Dan Radez (dradez)
tags: removed: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron queens-eol

This issue was fixed in the openstack/neutron queens-eol release.
