
yahoo-eng-team team mailing list archive

[Bug 1359523] [NEW] Conntrack causes security group rule fails

 

Public bug reported:

The following steps happen on the same host machine.

1. tenant1 creates vm1 with network net1 and ip 199.168.1.2
2. tenant1 creates vm2 with network net1 and ip 199.168.1.4
3. configure the security group of vm1 and vm2 so they can communicate over a tcp connection
4. tenant2 creates vm3 with network net2 and ip 199.168.1.2
5. tenant2 creates vm4 with network net2 and ip 199.168.1.4
6. configure the security group of vm3 and vm4 so they can't communicate over a tcp connection
7. create a tcp connection between vm1 and vm2: success
8. create a tcp connection between vm3 and vm4 while vm1 and vm2 are still connected: success, although failure is expected

This problem occurs because these two connections share the same
5-tuple, so conntrack lets the packets between vm3 and vm4 pass.

** Affects: neutron
     Importance: Undecided
     Assignee: Zhiyuan Cai (luckyvega-g)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Zhiyuan Cai (luckyvega-g)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1359523

Title:
  Conntrack causes security group rule fails

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1359523/+subscriptions
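
The collision described in the report, replayed against a small model of a stateful filter (an added example, not code from the bug report or from Neutron). The ports are constructed, and the `use_zones` switch assumes one Linux conntrack zone per network, a mechanism the report itself does not mention.

```python
from collections import namedtuple

# Constructed model of the scenario in the report; not Neutron or netfilter code.
Packet = namedtuple("Packet", "network src sport dst dport proto")

class Firewall:
    """Stateful filter: accept packets of tracked flows, else consult the
    per-network allow list and start tracking the flows it admits."""

    def __init__(self, allowed_networks, use_zones):
        self.allowed = set(allowed_networks)  # networks whose security group permits TCP
        self.use_zones = use_zones            # True: key entries by (zone, 5-tuple)
        self.table = set()                    # stands in for the conntrack table

    def _key(self, pkt):
        five_tuple = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # Assumption: one zone per network, identified here by the network name.
        return (pkt.network, five_tuple) if self.use_zones else five_tuple

    def filter(self, pkt):
        key = self._key(pkt)
        if key in self.table:                 # "state ESTABLISHED" shortcut
            return "ACCEPT"
        if pkt.network in self.allowed:       # security group rule lookup
            self.table.add(key)
            return "ACCEPT"
        return "DROP"

def replay(use_zones):
    """Replay steps 7 and 8 of the report and return both verdicts."""
    fw = Firewall(allowed_networks={"net1"}, use_zones=use_zones)
    # Constructed ports; addresses and network names are the ones in the report.
    vm1_to_vm2 = Packet("net1", "199.168.1.2", 40000, "199.168.1.4", 22, "tcp")
    vm3_to_vm4 = Packet("net2", "199.168.1.2", 40000, "199.168.1.4", 22, "tcp")
    return fw.filter(vm1_to_vm2), fw.filter(vm3_to_vm4)

if __name__ == "__main__":
    print("shared table :", replay(use_zones=False))
    print("zoned table  :", replay(use_zones=True))
```

With the shared table the tenant2 packet is accepted on the strength of tenant1's entry; with the zone in the key it falls through to net2's own rules and is dropped.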

