Openvswitch firewall - removing and adding security group breaks connectivity

Bug #1915530 reported by Slawek Kaplonski on 2021-02-12
This bug affects 1 person
Affects: neutron
Importance: Low
Assigned to: Slawek Kaplonski

Bug Description

How to reproduce the issue:

1. use neutron-ovs-agent with the openvswitch firewall driver,
2. spawn a VM with an SG that has a rule allowing some kind of traffic (e.g. SSH to the instance),
3. establish a connection according to the rule(s) in the SG (e.g. connect through SSH to the instance),
4. keep the established connection and remove the security group from the port,
5. add the security group to the port again,
6. Your connection will not be "restored" because in the conntrack table there are entries like:

tcp 6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED] mark=1 zone=4 use=1

The connection will be restored when that entry is deleted.
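As an added example (not code from the report or from neutron itself): a small parser for `conntrack -L` output in the format shown above, which lists the ESTABLISHED entries in a port's conntrack zone that still carry a non-zero mark, and builds the `conntrack -D` command that removes one such entry. The sample lines are constructed; the first is the entry quoted in the report.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `conntrack -L` output. The first line is the entry
# quoted in the report; the other two are made up for contrast.
SAMPLE_CONNTRACK = """\
tcp 6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED] mark=1 zone=4 use=1
tcp 6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34662 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34662 [ASSURED] mark=0 zone=4 use=1
tcp 6 110 TIME_WAIT src=10.0.0.2 dst=10.0.0.44 sport=34664 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34664 [ASSURED] mark=1 zone=9 use=1
"""

@dataclass
class CtEntry:
    proto: str
    state: Optional[str]
    orig: Dict[str, str] = field(default_factory=dict)   # original direction tuple
    reply: Dict[str, str] = field(default_factory=dict)  # reply direction tuple
    mark: int = 0
    zone: Optional[int] = None

def parse_conntrack_line(line: str) -> CtEntry:
    """Parse one `conntrack -L` line: proto, proto number, timeout,
    optional state, orig tuple, reply tuple, [FLAGS], then key=value attrs."""
    tokens = line.split()
    proto, rest = tokens[0], tokens[3:]  # skip protocol number and timeout
    has_state = rest and "=" not in rest[0] and not rest[0].startswith("[")
    entry = CtEntry(proto=proto, state=rest.pop(0) if has_state else None)
    for tok in rest:
        if tok.startswith("["):  # e.g. [ASSURED], [UNREPLIED]
            continue
        key, _, value = tok.partition("=")
        if key in ("src", "dst", "sport", "dport"):
            # First occurrence belongs to the original direction, second to the reply.
            (entry.orig if key not in entry.orig else entry.reply)[key] = value
        elif key == "mark":
            entry.mark = int(value)
        elif key == "zone":
            entry.zone = int(value)
    return entry

def stale_entries(conntrack_output: str, zone: int) -> List[CtEntry]:
    """ESTABLISHED entries in the given zone that carry a non-zero mark,
    i.e. the kind of entry the report shows blocking the restored connection."""
    return [e for e in map(parse_conntrack_line, conntrack_output.splitlines())
            if e.zone == zone and e.mark != 0 and e.state == "ESTABLISHED"]

def delete_command(entry: CtEntry) -> List[str]:
    """argv for `conntrack -D` matching exactly this entry (built, not executed)."""
    return ["conntrack", "-D", "-p", entry.proto, "-w", str(entry.zone),
            "-s", entry.orig["src"], "-d", entry.orig["dst"],
            "--sport", entry.orig["sport"], "--dport", entry.orig["dport"]]

if __name__ == "__main__":
    for e in stale_entries(SAMPLE_CONNTRACK, zone=4):
        print(" ".join(delete_command(e)))
```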

Changed in neutron:
milestone: none → wallaby-rc1
Slawek Kaplonski (slaweq) wrote:
Changed in neutron:
status: New → In Progress
Bernard Cafarelli (bcafarel) wrote:

Patch merged in master

Changed in neutron:
status: In Progress → Fix Released

This issue was fixed in the openstack/neutron 15.3.3 release.

This issue was fixed in the openstack/neutron 16.3.1 release.

This issue was fixed in the openstack/neutron 17.1.1 release.

This issue was fixed in the openstack/neutron 18.0.0.0rc1 release candidate.
