
yahoo-eng-team team mailing list archive

[Bug 1559920] [NEW] Flows per in_port are deleted after SG rules are applied


Public bug reported:

During the creation of a new port in the integration bridge (br-int),
first the firewall rules are applied and then all flows matching this
input port are deleted:

    # in the OVS agent's port_bound(): run after the firewall rules are in place
    if cur_tag != lvm.vlan:
        self.int_br.delete_flows(in_port=port.ofport)

This happens only when the port is created (or the vlan tag changes). If
any firewall rule is applied using the in_port as a condition, during
the initialization of the firewall for this port, this rule is deleted.

Instead of that, this security action should be moved to the previous
function, "_add_port_tag_info", in order to avoid any firewall rule
deletion and maintain the same security level during the port
creation; that means the ports don't allow any kind of traffic until
the firewall rules are applied.

** Affects: neutron
     Importance: Undecided
     Assignee: Rodolfo Alonso (rodolfo-alonso-hernandez)
         Status: New


** Tags: firewall groups ovs security

** Tags added: firewall groups ovs security

** Changed in: neutron
     Assignee: (unassigned) => Rodolfo Alonso (rodolfo-alonso-hernandez)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1559920


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1559920/+subscriptions
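To make the ordering problem concrete, the following is an added simulation written for this page, not neutron's own code: a toy flow table with del-flows semantics (a wildcarded delete removes every flow whose match contains the given fields), the firewall rules installed as in_port-keyed flows, and the two call orders the report contrasts. The names Bridge, apply_sg_rules, port_bound_current and port_bound_proposed and the rule contents are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Bridge:
    """Minimal stand-in for the agent's int_br: a list of flows, each a dict of match fields."""
    flows: list = field(default_factory=list)

    def add_flow(self, **match):
        self.flows.append(dict(match))

    def delete_flows(self, **match):
        # Non-strict del-flows: drop every flow whose match includes all the given fields,
        # so delete_flows(in_port=N) also removes firewall rules that match on in_port=N.
        self.flows = [f for f in self.flows
                      if not all(f.get(k) == v for k, v in match.items())]


def rules_for(br, ofport):
    """Flows currently installed for one OpenFlow port."""
    return [f for f in br.flows if f.get("in_port") == ofport]


def apply_sg_rules(br, ofport):
    """Constructed firewall rule set keyed on in_port: default-deny plus one allow."""
    br.add_flow(table=0, priority=10, in_port=ofport, actions="drop")
    br.add_flow(table=0, priority=20, in_port=ofport, tcp_dst=22, actions="normal")


def port_bound_current(br, ofport, cur_tag, new_tag):
    """Sequence reported in the bug: SG rules first, then delete_flows(in_port=...)
    whenever the port is new or its VLAN tag changed. Returns the surviving rules."""
    apply_sg_rules(br, ofport)
    if cur_tag != new_tag:
        br.delete_flows(in_port=ofport)
    return rules_for(br, ofport)


def port_bound_proposed(br, ofport, cur_tag, new_tag):
    """Sequence the report proposes: clear stale in_port flows while tagging the port
    (the _add_port_tag_info step), and only then install the SG rules."""
    if cur_tag != new_tag:
        br.delete_flows(in_port=ofport)
    apply_sg_rules(br, ofport)
    return rules_for(br, ofport)


if __name__ == "__main__":
    # A freshly created port: cur_tag is None, the local VLAN is 100.
    print("current order keeps", len(port_bound_current(Bridge(), 5, None, 100)), "rules")
    print("proposed order keeps", len(port_bound_proposed(Bridge(), 5, None, 100)), "rules")
```

With the current order a new port ends up with no firewall flows at all (no default-deny either), while the proposed order leaves the full rule set in place; when the tag is unchanged both orders behave the same.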

