
yahoo-eng-team team mailing list archive

[Bug 1333365] Re: Deleting a VM port does not remove Security rules in ip tables


** Also affects: neutron/kilo
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1333365

Title:
  Deleting a VM port does not remove Security rules in ip tables

Status in neutron:
  Fix Released
Status in neutron kilo series:
  New

Bug description:
  Deleting a VM port does not remove the security rules associated with the VM
  port in iptables.


  Setup:

  ICEHOUSE GA with KVM Compute node,network node, controller

  1. Spawn a VM with a security group attached.
  2. Delete the VM port.
  3. Verify iptables.


  VM IP  :  10.10.1.4
  Rules attached : TCP and icmp rule

  
  root@ICN-KVM:~# ovs-vsctl show
  f3b34ea5-9799-460d-99bb-26359fd26e38
      Bridge "br-eth1"
          Port "br-eth1"
              Interface "br-eth1"
                  type: internal
          Port "phy-br-eth1"
              Interface "phy-br-eth1"
          Port "eth1"
              Interface "eth1"
      Bridge br-int
          Port br-int
              Interface br-int
                  type: internal
          Port "qvof28b18dc-c3"    <<<<<<<<<<<<<<<<<<<   VM tap port 
              tag: 1
              Interface "qvof28b18dc-c3"
          Port "int-br-eth1"
              Interface "int-br-eth1"
      ovs_version: "2.0.1"
  root@ICN-KVM:~#

  
  After deleting the port, the security rules are still present in iptables.
  ---------------------------------------------------------------------

  root@ICN-KVM:~# iptables-save | grep 28b18dc
  :neutron-openvswi-if28b18dc-c - [0:0]
  :neutron-openvswi-of28b18dc-c - [0:0]
  :neutron-openvswi-sf28b18dc-c - [0:0]
  -A neutron-openvswi-FORWARD -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-sg-chain
  -A neutron-openvswi-FORWARD -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-sg-chain
  -A neutron-openvswi-INPUT -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-of28b18dc-c
  -A neutron-openvswi-if28b18dc-c -m state --state INVALID -j DROP
  -A neutron-openvswi-if28b18dc-c -m state --state RELATED,ESTABLISHED -j RETURN
  -A neutron-openvswi-if28b18dc-c -p tcp -m tcp -j RETURN
  -A neutron-openvswi-if28b18dc-c -p icmp -j RETURN
  -A neutron-openvswi-if28b18dc-c -s 10.10.1.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
  -A neutron-openvswi-if28b18dc-c -j neutron-openvswi-sg-fallback
  -A neutron-openvswi-of28b18dc-c -p udp -m udp --sport 68 --dport 67 -j RETURN
  -A neutron-openvswi-of28b18dc-c -j neutron-openvswi-sf28b18dc-c
  -A neutron-openvswi-of28b18dc-c -p udp -m udp --sport 67 --dport 68 -j DROP
  -A neutron-openvswi-of28b18dc-c -m state --state INVALID -j DROP
  -A neutron-openvswi-of28b18dc-c -m state --state RELATED,ESTABLISHED -j RETURN
  -A neutron-openvswi-of28b18dc-c -j RETURN
  -A neutron-openvswi-of28b18dc-c -j neutron-openvswi-sg-fallback
  -A neutron-openvswi-sf28b18dc-c -s 10.10.1.4/32 -m mac --mac-source FA:16:3E:D4:47:F8 -j RETURN
  -A neutron-openvswi-sf28b18dc-c -j DROP
  -A neutron-openvswi-sg-chain -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-if28b18dc-c
  -A neutron-openvswi-sg-chain -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-of28b18dc-c
  root@ICN-KVM:~#

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1333365/+subscriptions
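To check a compute node for the leftover state this report describes, here is an added example (not Neutron code and not from the reporter): it scans iptables-save output for per-port security-group chains and physdev rules whose tap device no longer exists on the host. The sample output and device list are constructed; the chain suffix is taken as the device name with `tap` stripped and cut to ten characters, which matches the names in the report above (`tapf28b18dc-c3` gives `f28b18dc-c`), and the live port `a1b2c3d4-e5` is hypothetical.

```python
import re

# Constructed sample modelled on the iptables-save output in the report:
# port f28b18dc-c3 has been deleted, port a1b2c3d4-e5 (hypothetical) is live.
IPTABLES_SAVE = """\
:neutron-openvswi-if28b18dc-c - [0:0]
:neutron-openvswi-of28b18dc-c - [0:0]
:neutron-openvswi-sf28b18dc-c - [0:0]
:neutron-openvswi-ia1b2c3d4-e - [0:0]
:neutron-openvswi-oa1b2c3d4-e - [0:0]
:neutron-openvswi-sg-chain - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-of28b18dc-c
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapa1b2c3d4-e5 --physdev-is-bridged -j neutron-openvswi-sg-chain
"""

# Constructed: tap devices still present on the host (what `ip -o link` would list).
LIVE_DEVICES = {"tapa1b2c3d4-e5"}

# Chain declaration for a per-port chain: prefix i/o/s plus 10 chars of the port id.
CHAIN_RE = re.compile(r"^:(neutron-openvswi-[ios]([0-9a-f-]{10})) ")
# Any rule that matches on a VM tap device via the physdev module.
PHYSDEV_RE = re.compile(r"--physdev-(?:in|out) (tap[0-9a-f-]{11})(?:\s|$)")

def find_orphan_chains(iptables_save, live_devices):
    """Map port-id prefix -> per-port chains whose tap device no longer exists."""
    # The chain suffix is the device name with 'tap' stripped, cut to 10 chars.
    live_prefixes = {d[3:13] for d in live_devices if d.startswith("tap")}
    orphans = {}
    for line in iptables_save.splitlines():
        m = CHAIN_RE.match(line)
        if m and m.group(2) not in live_prefixes:
            orphans.setdefault(m.group(2), []).append(m.group(1))
    return orphans

def find_stale_physdev_rules(iptables_save, live_devices):
    """Return rules that still reference a tap device that is gone from the host."""
    stale = []
    for line in iptables_save.splitlines():
        m = PHYSDEV_RE.search(line)
        if m and m.group(1) not in live_devices:
            stale.append(line)
    return stale

if __name__ == "__main__":
    for prefix, chains in find_orphan_chains(IPTABLES_SAVE, LIVE_DEVICES).items():
        print("orphaned chains for port %s: %s" % (prefix, ", ".join(chains)))
    for rule in find_stale_physdev_rules(IPTABLES_SAVE, LIVE_DEVICES):
        print("stale rule: " + rule)
```

On a real node, feed it `iptables-save` output and the tap names from `ip -o link`; any hit means the per-port chains outlived the port, which is exactly the condition the report shows.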
