yahoo-eng-team team mailing list archive

[Bug 1511782] [NEW] securitygroup rule and member updates not applied correctly

 

Public bug reported:

Summary:
When using enhanced RPC, the security group rules and members are updated after the call to update port filter. This is with a firewall driver that has no need to use defer_apply based implementation.

Description:

In class SecurityGroupAgentRpc(..) refresh_firewall, if we use
enhanced_rpc, the rules and members are updated after the calls to
update_port_filter (...). This works fine for the iptables-based firewall
driver, since it has the need to override 'filter_defer_apply_on' and
'filter_defer_apply_off' methods to defer calling of iptables commands.

Due to this, firewall drivers that do not override the
filter_defer_apply_on/off methods miss applying the new rules, since
rule updates happen after the update_port_filter call into the driver.

Symptoms:
Rule update or a security group member update is not processed by the firewall driver instantly. 

Environment:
OpenStack master with the Hyper-V security groups driver and enhanced_rpc set to True.
This is applicable to any firewall driver that chooses not to implement the defer_apply* related methods.

** Affects: neutron
     Importance: Undecided
     Assignee: Sonu (sonu-sudhakaran)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Sonu (sonu-sudhakaran)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1511782

Title:
  securitygroup rule and member updates not applied correctly

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1511782/+subscriptions
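
The ordering issue described in the report, as an added example that is not part of the original bug report and is not Neutron code. It is a simplified model: the two driver classes, the `update_security_group_rules` method name, the `rules_first` switch and the sample port and rule are assumptions made for illustration.

```python
class ImmediateDriver:
    """Model of a driver that does not override filter_defer_apply_on/off."""
    def __init__(self):
        self.sg_rules = {}  # security group id -> rules handed to the driver
        self.applied = {}   # port id -> rules actually enforced on the port
    def filter_defer_apply_on(self):
        pass
    def filter_defer_apply_off(self):
        pass
    def update_security_group_rules(self, sg_id, rules):  # assumed name
        self.sg_rules[sg_id] = list(rules)
    def update_port_filter(self, port):
        # Enforces whatever rules the driver knows at the moment of the call.
        self.applied[port["id"]] = list(self.sg_rules.get(port["sg"], []))


class DeferringDriver(ImmediateDriver):
    """Model of a driver that queues port updates until defer_apply_off."""
    pending = None
    def filter_defer_apply_on(self):
        self.pending = []
    def update_port_filter(self, port):
        if self.pending is None:
            super().update_port_filter(port)
        else:
            self.pending.append(port)  # enforcement is postponed
    def filter_defer_apply_off(self):
        pending, self.pending = self.pending or [], None
        for port in pending:
            super().update_port_filter(port)  # rules have arrived by now


def refresh_firewall(driver, ports, sg_info, rules_first=False):
    """rules_first=False is the order the report describes for enhanced RPC."""
    def push_rules():
        for sg_id, rules in sg_info.items():
            driver.update_security_group_rules(sg_id, rules)
    driver.filter_defer_apply_on()
    if rules_first:
        push_rules()
    for port in ports:
        driver.update_port_filter(port)
    if not rules_first:
        push_rules()
    driver.filter_defer_apply_off()
    return driver.applied

# Constructed sample data
PORTS = [{"id": "port-1", "sg": "sg-web"}]
SG_INFO = {"sg-web": ["allow tcp/443"]}
```

With the reported order, the non-deferring model enforces the rule set it held before the update, while the deferring model ends up with the new rules. Passing `rules_first=True` reverses the order for comparison.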

