yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1369431] [NEW] Don't create ipset chain if corresponding security group has no member

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: shihanzhang <shihanzhang@xxxxxxxxxx>
Date: Mon, 15 Sep 2014 07:49:58 -0000
Reply-to: Bug 1369431 <1369431@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

when a security group has bellow rule, it should not create ipset chain:
security group id is: fake_sgid, it has rule bellow:
{'direction': 'ingress', 'remote_group_id': 'fake_sgid2'}
but the security group:fake_sgid2 has no member, so when the port in security group:fake_sgid should not create corresponding ipset chain

root@devstack:/opt/stack/neutron# ipset list
Name: IPv409040f9f-cb86-4f72-a
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16520
References: 1
Members:
20.20.20.11

Name: IPv609040f9f-cb86-4f72-a
Type: hash:ip
Revision: 2
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 16504
References: 1
Members:

because the security group:09040f9f-cb86-4f72-af74-4de4f2b86442 has no
ipv6 member, so it should't create ipset chain:IPv609040f9f-cb86-4f72-a

** Affects: neutron
     Importance: Undecided
     Assignee: shihanzhang (shihanzhang)
         Status: In Progress

** Changed in: neutron
     Assignee: (unassigned) => shihanzhang (shihanzhang)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1369431

Title:
  Don't create ipset chain if corresponding security group has  no
  member

Status in OpenStack Neutron (virtual network service):
  In Progress

Bug description:
  when a security group has bellow rule, it should not create ipset chain:
  security group id is: fake_sgid, it has rule bellow:
  {'direction': 'ingress', 'remote_group_id': 'fake_sgid2'}
  but the security group:fake_sgid2 has no member, so when the port in security group:fake_sgid should not create corresponding ipset chain

  root@devstack:/opt/stack/neutron# ipset list
  Name: IPv409040f9f-cb86-4f72-a
  Type: hash:ip
  Revision: 2
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16520
  References: 1
  Members:
  20.20.20.11

  Name: IPv609040f9f-cb86-4f72-a
  Type: hash:ip
  Revision: 2
  Header: family inet6 hashsize 1024 maxelem 65536
  Size in memory: 16504
  References: 1
  Members:

  because the security group:09040f9f-cb86-4f72-af74-4de4f2b86442 has no
  ipv6 member, so it should't create ipset chain:IPv609040f9f-
  cb86-4f72-a

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1369431/+subscriptions

Follow ups

[Bug 1369431] Re: Don't create ipset chain if corresponding security group has no member
From: Thierry Carrez, 2014-10-03
[Bug 1369431] [NEW] Don't create ipset chain if corresponding security group has no member
From: shihanzhang, 2014-09-15

References

[Bug 1369431] [NEW] Don't create ipset chain if corresponding security group has no member
From: shihanzhang, 2014-09-15