
yahoo-eng-team team mailing list archive

[Bug 1398312] [NEW] iptables for secgroup not set properly when --no-security-group is set

Public bug reported:

In the latest code, the iptables rules for the secgroup are not set properly
when --no-security-group is set.

steps:

1. Edit the 'default' secgroup and add one rule for icmp.

neutron security-group-rule-create --direction ingress --protocol icmp --port_range_min 0 --port_range_max 255 4db9f9f6-641a-4482-af04-c64628d42b6a

One rule will be added to the port's ingress iptables chain.

Chain neutron-openvswi-i5edf1431-d (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
...

2. Remove the sec group from the port.

neutron port-update 5edf1431-dd9e-4a1c-995b-c6155152483f --no-security-group

The rule created in step 1 is expected to be deleted, but it is not.

3. After restarting the ovs-agent, all the chains and rules for the port
5edf1431-dd9e-4a1c-995b-c6155152483f are removed, for example the rules in
neutron-openvswi-sg-chain, including the anti-spoof chain.

I think it is because security_group_info_for_devices returns nothing if
the sec-group is empty, instead of returning a dict with an empty
[sec-group-rules].

I am not sure if it's a bug; experts could help here.
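
A check a deployer could run after step 2 to confirm that the port's ingress chain really matches the security groups the server reports for it, added here as an illustration; this is not Neutron's code or the reporter's. The response shape handled by expected_protocols, the state and fallback lines in the sample chain, and all function names are assumptions.

```python
import re

# Constructed sample of `iptables -L neutron-openvswi-i5edf1431-d -nv` after step 1.
# The icmp RETURN rule is the one from the report; the state and fallback lines
# are assumed typical chain content and are not shown in the report.
SAMPLE_CHAIN = """\
Chain neutron-openvswi-i5edf1431-d (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")


def permit_rules(chain_text):
    """Return (proto, source, extra) for each rule that lets traffic through
    (target RETURN), ignoring the generic conntrack RELATED,ESTABLISHED rule."""
    rules = []
    for line in chain_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain header, column header, or unparsable line
        target, proto, src, _dst, extra = m.groups()
        if target == "RETURN" and "RELATED,ESTABLISHED" not in extra:
            rules.append((proto, src, extra.strip()))
    return rules


def expected_protocols(sg_info, device_id):
    """Protocols the server says the port may accept on ingress, taken from a
    security_group_info_for_devices-style response. The shape assumed here is
    {'devices': {device_id: {'security_group_rules': [...]}}} (hypothetical).
    Returns None when the device is absent, the 'returns nothing' case from the
    report, so the caller knows the chain cannot be trusted at all."""
    dev = sg_info.get("devices", {}).get(device_id)
    if dev is None:
        return None
    return {r["protocol"] for r in dev.get("security_group_rules", [])
            if r.get("direction") == "ingress"}


def stale_rules(chain_text, expected):
    """Permit rules in the chain that the expected protocol set does not justify.
    With expected=None (no device info returned) every permit rule is reported."""
    return [r for r in permit_rules(chain_text)
            if expected is None or r[0] not in expected]
```

After --no-security-group the server should report an empty rule list, so stale_rules(chain, set()) flagging the icmp rule reproduces the stale-allow condition described in step 2.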

** Affects: neutron
     Importance: Undecided
     Assignee: yalei wang (yalei-wang)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => yalei wang (yalei-wang)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1398312

Title:
  iptables for secgroup not set properly when --no-security-group is set

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1398312/+subscriptions