yahoo-eng-team team mailing list archive

[Bug 1556013] [NEW] Dropping a rule from security group rules don't drop the connection in the IptablesFirewallDriver (they do for Hybrid)

 

Public bug reported:

This happens because connection tracking zones don't work in the
IptablesFirewallDriver (they do for Hybrid).


The subclass for the hybrid driver is the one introducing the zone
rules [1].

I remember it was discussed during this review [2], but I cannot see if
there was any technical detail why we could not do the same thing on
the plain IptablesFirewallDriver itself.

[1]
https://github.com/openstack/neutron/blob/01a5d9a3c088e54ae78c068408d419ccc53f8ca8/neutron/agent/linux/iptables_firewall.py#L905

[2] https://review.openstack.org/#/c/118274/

** Affects: neutron
     Importance: Medium
         Status: New


** Tags: linuxbridge sg-fw

** Changed in: neutron
   Importance: Undecided => Medium

** Tags added: linuxbridge sg-fw

** Summary changed:

- Connection tracking zones don't work in the IptablesFirewallDriver (they do for Hybrid)
+ Dropping a rule from security group rules don't drop the connection in the IptablesFirewallDriver (they do for Hybrid)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1556013
