When a SG in the OVS agent is no longer used by any port, it is marked to be deleted. This deletion process is done in [1].
The SG deletion process consists of removing any reference to this SG from the firewall and the SG port map. The firewall removes this SG in [2].
The information of a SG is stored in:
- ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the conjunction IDs (conj_ids) in a dictionary using the following keys:
  ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype, conj_ids)] = conj_id_XXX
- ConjIPFlowManager.conj_ids is a nested dictionary, built in the following way:
  self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = set([conj_id_1, conj_id_2, ...])
When a SG is removed, its references should be deleted both from "conj_id_map" and from "conj_ids". The reference in "conj_id_map" is correctly removed in [3], but the one in "conj_ids" is not deleted properly. Instead of the current logic, what we should do is walk through the nested dictionary and remove any entry whose "remote_sg_id" equals "sg_id" (the SG ID to be removed).
The current implementation leaves some "remote_sg_id" entries in the nested dictionary "conj_ids". That could cause:
- A memory leak in the OVS agent, which keeps those unneeded remote SGs in memory.
- An increase in the complexity of the OVS rules, which still include those unused SGs (actually the conj_ids related to those SGs).
- A security breach between SGs if a conj_id left behind in an unused SG is deleted and reused again (the FW stores the unused conj_ids to be recycled in later rules).
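The walk over the nested "conj_ids" dictionary proposed above, written out as an added example (this is not Neutron's code; the function names, the defaultdict layout and the sample SG/VLAN values are assumptions for the example). It removes every entry keyed by the deleted SG acting as "remote_sg_id", prunes the emptied intermediate dictionaries so nothing of the SG lingers in memory, and returns the conj_ids that are now genuinely unused and safe to hand back for recycling. A second helper, stale_references(), is the check a unit test could run to detect the failure mode from the last bullet: a conj_id that has already been released for reuse but is still referenced in the nested dictionary.

```python
"""Added example, not Neutron's own code.

Dictionary layout follows the bug report:

    conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = {conj_id, ...}
"""
import collections


def remove_sg_from_conj_ids(conj_ids, sg_id):
    """Drop every entry where ``sg_id`` is the remote SG (assumed name).

    Returns the set of conj_ids that were referenced only through the
    removed SG.  Empty (direction, ethertype) and vlan_tag levels are
    pruned so the structure does not keep growing after SG deletions.
    """
    released = set()
    for vlan_tag in list(conj_ids):           # list(): we delete while walking
        per_vlan = conj_ids[vlan_tag]
        for key in list(per_vlan):            # key == (direction, ethertype)
            per_key = per_vlan[key]
            if sg_id in per_key:
                released |= per_key.pop(sg_id)
            if not per_key:
                del per_vlan[key]
        if not per_vlan:
            del conj_ids[vlan_tag]
    return released


def referenced_conj_ids(conj_ids):
    """Every conj_id still referenced anywhere in the nested dictionary."""
    found = set()
    for per_vlan in conj_ids.values():
        for per_key in per_vlan.values():
            for ids in per_key.values():
                found |= ids
    return found


def stale_references(conj_ids, recycled_ids):
    """conj_ids already handed back for reuse but still referenced here.

    A non-empty result is the dangerous state: such an id can be assigned
    to a different SG pair while flows for the old pair still point at it.
    """
    return referenced_conj_ids(conj_ids) & set(recycled_ids)


def build_sample_conj_ids():
    """Constructed sample state: two VLANs, remote SGs 'sg-a' and 'sg-b'."""
    conj_ids = collections.defaultdict(lambda: collections.defaultdict(dict))
    conj_ids[10][('ingress', 'IPv4')]['sg-a'] = {100, 101}
    conj_ids[10][('ingress', 'IPv4')]['sg-b'] = {102}
    conj_ids[10][('egress', 'IPv6')]['sg-a'] = {103}
    conj_ids[20][('ingress', 'IPv4')]['sg-a'] = {104}
    return conj_ids


if __name__ == '__main__':
    state = build_sample_conj_ids()
    freed = remove_sg_from_conj_ids(state, 'sg-a')
    print('released for recycling:', sorted(freed))
    print('still referenced:', sorted(referenced_conj_ids(state)))
    # With the proper walk nothing released is still referenced.
    print('stale after cleanup:', stale_references(state, freed))
    # Skipping the walk (the reported behaviour) leaves recycled ids live.
    print('stale without cleanup:', stale_references(build_sample_conj_ids(), freed))
```

Only the ids returned by remove_sg_from_conj_ids() should ever reach the recycling pool; stale_references() returning anything other than an empty set after a deletion is exactly the condition the report warns about and is cheap to assert in the agent's tests.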
[1] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L731
[2] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L399
[3] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L296