Activity log for bug #1854131

Date | Who | What changed | Old value | New value | Message
2019-11-27 06:02:13 | Yang Li | bug | | | added bug
2019-11-27 06:02:59 | Yang Li | description

Old value:

1. Create 2 security groups:
   test-security1, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
   test-security2, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security2)
2. Create a VM (IP: 40.0.0.46) with test-security1, then the open flows showed:
    cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
    cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)
3. Update the VM's sg to test-security2, then the open flows showed:
    cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
    cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)

You can see the old conjunction for test-security1 still exists: conjunction(15,1/2)
This will cause a security problem for the VM, because it can still be reached by the old sg VMs.

New value:

1. Create 2 security groups:
   test-security1, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
   test-security2, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security2)
2. Create a VM (IP: 40.0.0.46) with test-security1, then the open flows showed:
    cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
    cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)
3. Update the VM's sg to test-security2, then the open flows showed:
    cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
    cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)

You can see the old conjunction for test-security1 still exists: conjunction(14,1/2) and conjunction(15,1/2)
This will cause a security problem for the VM, because it can still be reached by the old sg VMs.

2019-11-27 07:04:44 | OpenStack Infra | neutron: status | New | In Progress |
2019-11-27 07:04:44 | OpenStack Infra | neutron: assignee | | Yang Li (yang-li) |
2019-12-02 10:51:27 | OpenStack Infra | neutron: status | In Progress | Fix Released |
2019-12-03 16:17:02 | OpenStack Infra | tags | | in-stable-train |
2019-12-03 16:27:32 | OpenStack Infra | tags | in-stable-train | in-stable-rocky in-stable-train |
2019-12-03 16:27:43 | OpenStack Infra | tags | in-stable-rocky in-stable-train | in-stable-queens in-stable-rocky in-stable-train |
2019-12-04 01:31:21 | OpenStack Infra | tags | in-stable-queens in-stable-rocky in-stable-train | in-stable-queens in-stable-rocky in-stable-stein in-stable-train |
2020-02-19 09:20:39 | Dr. Jens Harbott | bug | | | added subscriber Dr. Jens Harbott
2020-04-21 11:06:46 | Bernard Cafarelli | tags | in-stable-queens in-stable-rocky in-stable-stein in-stable-train | in-stable-queens in-stable-rocky in-stable-stein in-stable-train neutron-proactive-backport-potential |
2020-09-01 17:52:35 | Dan Radez | tags | in-stable-queens in-stable-rocky in-stable-stein in-stable-train neutron-proactive-backport-potential | in-stable-queens in-stable-rocky in-stable-stein in-stable-train |