Openvswitch firewall - removing and adding security group breaks connectivity

Bug #1915530 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Slawek Kaplonski

Bug Description

How to reproduce the issue:

1. use neutron-ovs-agent with openvswitch firewall driver,
2. spawn vm with SG which has some rule to allow some kind of traffic (can be e.g. ssh to the instance)
3. establish connection according to the rule(s) in SG (e.g. connect through ssh to the instance)
4. keep established connection and remove security group from port,
5. add security group again to the port
6. Your connection will not be "restored" because in the conntrack table there are entries like:

tcp 6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED] mark=1 zone=4 use=1

Connection will be restored when that entry is deleted.
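The conntrack line quoted above is what to look for when diagnosing this: the stale entry lives in the port's conntrack zone (zone=4 here) and carries mark=1, and the report's workaround is to delete that entry by hand. The following Python is an added example, not code from the bug report or from neutron: it parses `conntrack -L` output, selects entries in a given zone that carry a given mark and involve the port's IP, and builds the `conntrack -D` commands that would remove them. Assumptions: only the first sample line is taken from the report, the others are constructed; treating mark=1 as the mark the firewall puts on connections it has decided to drop is the author's reading, not something the report states; the `conntrack` flags used (`-D`, `-p`, `-s`, `-d`, `--sport`, `--dport`, `-z`, `-m`) are the filter options documented for conntrack-tools.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `conntrack -L` output. The first line is the entry
# quoted in the bug report; the rest are made up to exercise the parser.
SAMPLE = """\
tcp 6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED] mark=1 zone=4 use=1
tcp 6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34661 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34661 [ASSURED] mark=0 zone=4 use=1
udp 17 29 src=10.0.0.44 dst=10.0.0.1 sport=52311 dport=53 src=10.0.0.1 dst=10.0.0.44 sport=53 dport=52311 mark=0 zone=4 use=1
tcp 6 120 TIME_WAIT src=10.0.0.3 dst=10.0.0.45 sport=40000 dport=22 src=10.0.0.45 dst=10.0.0.3 sport=22 dport=40000 [ASSURED] mark=1 zone=7 use=1
"""

# Assumption: the mark the OVS firewall sets on connections it has decided to
# drop. The report only shows that mark=1 entries block the restored connection.
DROP_MARK = 1

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class CtEntry:
    proto: str
    state: Optional[str]   # None for stateless protocols such as udp
    src: str               # original-direction tuple (first src/dst/sport/dport)
    dst: str
    sport: int
    dport: int
    mark: int
    zone: int
    raw: str


def parse_conntrack(text: str) -> List[CtEntry]:
    """Parse `conntrack -L` lines: proto protonum timeout [STATE] key=value ..."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        state = None
        # A state token (ESTABLISHED, TIME_WAIT, ...) sits before the first key=value pair.
        if len(tokens) > 3 and "=" not in tokens[3] and not tokens[3].startswith("["):
            state = tokens[3]
        orig, opts = {}, {}
        for key, val in KV.findall(line):
            if key in ("src", "dst", "sport", "dport"):
                orig.setdefault(key, val)  # first occurrence is the original direction
            else:
                opts[key] = val
        entries.append(CtEntry(
            proto=tokens[0], state=state,
            src=orig["src"], dst=orig["dst"],
            sport=int(orig.get("sport", 0)), dport=int(orig.get("dport", 0)),
            mark=int(opts.get("mark", 0)), zone=int(opts.get("zone", 0)),
            raw=line,
        ))
    return entries


def stale_entries(entries: List[CtEntry], zone: int,
                  port_ip: Optional[str] = None, mark: int = DROP_MARK) -> List[CtEntry]:
    """Entries in the port's zone carrying the drop mark (optionally limited to one IP)."""
    out = []
    for e in entries:
        if e.zone != zone or e.mark != mark:
            continue
        if port_ip is not None and port_ip not in (e.src, e.dst):
            continue
        out.append(e)
    return out


def delete_command(e: CtEntry) -> str:
    """Build the conntrack-tools command that removes exactly this entry."""
    cmd = ["conntrack", "-D", "-p", e.proto, "-s", e.src, "-d", e.dst]
    if e.proto in ("tcp", "udp"):
        cmd += ["--sport", str(e.sport), "--dport", str(e.dport)]
    cmd += ["-z", str(e.zone), "-m", str(e.mark)]
    return " ".join(cmd)


if __name__ == "__main__":
    # On a real compute node you would feed this the output of `conntrack -L`.
    for entry in stale_entries(parse_conntrack(SAMPLE), zone=4, port_ip="10.0.0.44"):
        print(delete_command(entry))
```

Run against live output with `conntrack -L | python3 this_script.py` style piping if you replace `SAMPLE` with `sys.stdin.read()`; the zone number is the one the OVS firewall assigned to the port, so check it in the flow dump before deleting anything, since a zone-wide delete would also drop healthy connections of other ports sharing that zone.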

Tags: ovs-fw
Changed in neutron:
milestone: none → wallaby-rc1
Revision history for this message
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
status: New → In Progress
Revision history for this message
Bernard Cafarelli (bcafarel) wrote :

Patch merged in master

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.3.3

This issue was fixed in the openstack/neutron 15.3.3 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.3.1

This issue was fixed in the openstack/neutron 16.3.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 17.1.1

This issue was fixed in the openstack/neutron 17.1.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.0.0.0rc1

This issue was fixed in the openstack/neutron 18.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/793196
Committed: https://opendev.org/openstack/neutron-tempest-plugin/commit/bd2bfd49d3b6bfb6f76a7507cab59b654f46e8a1
Submitter: "Zuul (22348)"
Branch: master

commit bd2bfd49d3b6bfb6f76a7507cab59b654f46e8a1
Author: Alex Katz <email address hidden>
Date: Wed May 26 18:12:36 2021 +0300

    Added test for reattached security groups

    We had a bug for OSP13 with openvswitch firewall driver that the established
    connection can't be resumed after the security group has been removed from
    the port and then added back. Need to test this behavior.

    In order to keep the connection open there is a new StatefulConnection
    class.

    Related-Bug: #1915530
    Change-Id: I3c2f037180b35dbbd254d8b4ce69852d31391a9a

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron queens-eol

This issue was fixed in the openstack/neutron queens-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron rocky-eol

This issue was fixed in the openstack/neutron rocky-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron stein-eol

This issue was fixed in the openstack/neutron stein-eol release.
