yahoo-eng-team team mailing list archive

[Bug 1398312] Re: iptables for secgroup not be set properly when set --no-security-group

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

** Changed in: neutron
    Milestone: None => kilo-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1398312

Title:
  iptables for secgroup not be set properly when set --no-security-group

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  In the latest code, iptables for secgroup are not set properly when
  --no-security-group is set.

  steps:

  1. edit the 'default' secgroup, and add one rule for icmp.

  #neutron security-group-rule-create --direction ingress --protocol icmp --port_range_min 0 --port_range_max 255 4db9f9f6-641a-4482-af04-c64628d42b6a

  There will be one rule added to the ingress iptables chain of the port.

  Chain neutron-openvswi-i5edf1431-d (1 references)
   pkts bytes target     prot opt in     out     source               destination
  ...
      0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  ...

  2.  remove the sec group of the port.

  #neutron port-update 5edf1431-dd9e-4a1c-995b-c6155152483f --no-security-group

  I expect the rule created in step 1 to be deleted, but it is not.

  3.  After rebooting the ovs-agent, all the chains and rules for the port
  5edf1431-dd9e-4a1c-995b-c6155152483f will be removed, for example the
  rules in neutron-openvswi-sg-chain, including the anti-spoof
  chain.

  I think it is because security_group_info_for_devices will return
  nothing if the sec-group is empty, instead of returning a dict with
  empty [sec-group-rules].

  I am not sure if it's a bug, experts could help here.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1398312/+subscriptions
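
A check for the condition in steps 1 and 2, added here as an example and not part of the original bug report or Neutron's code: it parses `iptables -L -v -n` output and lists the RETURN rules for a protocol that remain in a port's ingress chain. The chain-name rule (prefix plus the first 10 characters of the port ID) is inferred from the listing in the report, and both sample listings are constructed.

```python
# Assumption inferred from the report's listing: the per-port ingress chain is
# "neutron-openvswi-i" followed by the first 10 characters of the port UUID.
def ingress_chain(port_id, prefix="neutron-openvswi-i"):
    return prefix + port_id[:10]


def chain_rules(listing, chain):
    """Return the rule rows of `chain` from `iptables -L -v -n` output."""
    rules, inside = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            inside = line.split()[1] == chain
            continue
        fields = line.split()
        # Rule rows start with the pkts counter; the column header, blank
        # lines and elided ("...") rows do not and are skipped.
        if inside and len(fields) >= 9 and fields[0][0].isdigit():
            rules.append({"target": fields[2], "prot": fields[3],
                          "source": fields[7], "destination": fields[8],
                          "extra": " ".join(fields[9:])})
    return rules


def leftover_allow_rules(listing, port_id, protocol):
    """RETURN rules for `protocol` still present in the port's ingress chain."""
    return [r for r in chain_rules(listing, ingress_chain(port_id))
            if r["target"] == "RETURN" and r["prot"] == protocol]


PORT_ID = "5edf1431-dd9e-4a1c-995b-c6155152483f"  # port ID from the report

# Constructed sample: state described in step 2 (rule survives the update).
STALE_LISTING = """\
Chain neutron-openvswi-i5edf1431-d (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-sg-chain (2 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed sample: the same chain with the ICMP rule gone.
CLEAN_LISTING = STALE_LISTING.replace(
    "    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0\n", "")

if __name__ == "__main__":
    for name, listing in (("stale", STALE_LISTING), ("clean", CLEAN_LISTING)):
        print(name, leftover_allow_rules(listing, PORT_ID, "icmp"))
```
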

