[Bug 1333365] [NEW] Deleting a VM port does not remove Security rules in ip tables
Public bug reported:
Deleting a VM port does not remove the security rules associated with the VM port
in iptables.
Setup:
ICEHOUSE GA with KVM compute node, network node, controller
1. Spawn a VM with a security group attached.
2. Delete the VM port.
3. Verify the iptables rules.
VM IP: 10.10.1.4
Rules attached: TCP and ICMP rule
root@ICN-KVM:~# ovs-vsctl show
f3b34ea5-9799-460d-99bb-26359fd26e38
    Bridge "br-eth1"
        Port "br-eth1"
            Interface "br-eth1"
                type: internal
        Port "phy-br-eth1"
            Interface "phy-br-eth1"
        Port "eth1"
            Interface "eth1"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port "qvof28b18dc-c3"    <<<<<<<<<<<<<<<<<<< VM tap port
            tag: 1
            Interface "qvof28b18dc-c3"
        Port "int-br-eth1"
            Interface "int-br-eth1"
    ovs_version: "2.0.1"
root@ICN-KVM:~#
After deleting the port, the security rules are still present in iptables.
---------------------------------------------------------------------
root@ICN-KVM:~# iptables-save | grep 28b18dc
:neutron-openvswi-if28b18dc-c - [0:0]
:neutron-openvswi-of28b18dc-c - [0:0]
:neutron-openvswi-sf28b18dc-c - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-of28b18dc-c
-A neutron-openvswi-if28b18dc-c -m state --state INVALID -j DROP
-A neutron-openvswi-if28b18dc-c -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-if28b18dc-c -p tcp -m tcp -j RETURN
-A neutron-openvswi-if28b18dc-c -p icmp -j RETURN
-A neutron-openvswi-if28b18dc-c -s 10.10.1.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-if28b18dc-c -j neutron-openvswi-sg-fallback
-A neutron-openvswi-of28b18dc-c -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-of28b18dc-c -j neutron-openvswi-sf28b18dc-c
-A neutron-openvswi-of28b18dc-c -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-of28b18dc-c -m state --state INVALID -j DROP
-A neutron-openvswi-of28b18dc-c -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-of28b18dc-c -j RETURN
-A neutron-openvswi-of28b18dc-c -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sf28b18dc-c -s 10.10.1.4/32 -m mac --mac-source FA:16:3E:D4:47:F8 -j RETURN
-A neutron-openvswi-sf28b18dc-c -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-if28b18dc-c
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-of28b18dc-c
root@ICN-KVM:~#
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1333365
Title:
Deleting a VM port does not remove Security rules in ip tables
Status in OpenStack Neutron (virtual network service):
New
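The chains left behind in the report above (neutron-openvswi-if28b18dc-c, -of28b18dc-c and -sf28b18dc-c) are keyed by the first ten characters of the port id, while the tap device the rules match on (tapf28b18dc-c3) carries eleven. An operator who wants to detect this kind of orphaned security-group state on a compute node can cross-check the per-port chains declared in iptables-save against the interfaces that still exist. The following script is an added example written for this page, not code from the bug report or from Neutron itself; it assumes only that naming convention, and the iptables-save excerpt and interface list it uses are constructed sample data modelled on the output above.

```shell
#!/bin/sh
# Detect Neutron OVS security-group chains whose tap device no longer exists.

# Constructed iptables-save excerpt modelled on the chains in the bug report:
# port prefix f28b18dc-c, whose tap device (tapf28b18dc-c3) has been deleted,
# plus a hypothetical second port 0a1b2c3d-4 whose tap device still exists.
SAMPLE_IPTABLES=':neutron-openvswi-if28b18dc-c - [0:0]
:neutron-openvswi-of28b18dc-c - [0:0]
:neutron-openvswi-sf28b18dc-c - [0:0]
:neutron-openvswi-i0a1b2c3d-4 - [0:0]
:neutron-openvswi-o0a1b2c3d-4 - [0:0]
:neutron-openvswi-s0a1b2c3d-4 - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-if28b18dc-c
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap0a1b2c3d-4e --physdev-is-bridged -j neutron-openvswi-i0a1b2c3d-4'

# Constructed list of interfaces still present on the host. In production this
# would come from "ip -o link" or "ovs-vsctl list-ports br-int" instead.
SAMPLE_LINKS='lo eth1 br-int qvo0a1b2c3d-4e tap0a1b2c3d-4e'

# Read iptables-save text on stdin and print, one per line and deduplicated,
# the port-id prefixes that have a per-port chain declared. Per-port chains
# are neutron-openvswi-{i,o,s}<prefix>; the shared sg-chain and sg-fallback
# chains do not match because "g" is not a hex digit.
sg_port_prefixes() {
    sed -n 's/^:neutron-openvswi-[ios]\([0-9a-f][0-9a-f-]*\) .*/\1/p' | sort -u
}

# $1: iptables-save text; $2: space-separated list of interface names present.
# Prints every prefix whose chains exist but for which no tap<prefix>... device
# remains, i.e. rules that should have been removed with the port.
stale_sg_chains() {
    printf '%s\n' "$1" | sg_port_prefixes | while read -r prefix; do
        found=0
        for iface in $2; do
            case "$iface" in
                tap"$prefix"*) found=1 ;;
            esac
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$prefix"
        fi
    done
}

# Stand-alone run over the constructed sample: reports f28b18dc-c only.
stale_sg_chains "$SAMPLE_IPTABLES" "$SAMPLE_LINKS"
```

On a real node the same functions can be fed with `iptables-save` and the output of `ip -o link | awk -F': ' '{print $2}'`; any prefix printed marks chains that still reference a deleted port and would be a candidate for a Neutron agent restart or manual cleanup.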