yahoo-eng-team team mailing list archive

[Bug 1570171] [NEW] ip_conntrack only delete one direction entry

 

Public bug reported:

The test used neutron master.
I used devstack to create one net and two VMs on this net; vm1's fixed IP is 10.0.0.3 and vm2's fixed IP is 10.0.0.4.
Both VMs are bound to sg1:
   rule1: ingress, any protocol, any remote ip prefix
   rule2: egress, any protocol, any remote ip prefix

1. vm1 pings vm2 and vm2 pings vm1; the conntrack entries are:
$ sudo conntrack -L -p icmp
icmp     1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp     1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp     1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=3 use=1
icmp     1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
conntrack v1.4.1 (conntrack-tools): 4 flow entries have been shown.

2. vm2 unbinds sg1; the conntrack entries become:
$ sudo conntrack -L -p icmp
icmp     1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp     1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp     1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
conntrack v1.4.1 (conntrack-tools): 3 flow entries have been shown.

Now vm1 could not connect to vm2, which is right; but vm2 could still ping
vm1 successfully.  The entry "icmp     1 29 src=10.0.0.4 dst=10.0.0.3
type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017
mark=0 zone=3 use=1" was not deleted as expected.

** Affects: neutron
     Importance: Undecided
     Assignee: yujie (16189455-d)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => yujie (16189455-d)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1570171
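
An added example, not part of the bug report or of neutron's code: a check over `conntrack -L` output that lists entries in a port's zone still involving its IP in either direction after its security group is removed. The sample is the step-2 listing from the report; treating zone 3 as vm2's zone is an assumption, and the function names are hypothetical.

```python
import re

# Sample input: the step-2 listing from the report (after vm2 unbinds sg1).
SAMPLE = """\
icmp     1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp     1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp     1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
conntrack v1.4.1 (conntrack-tools): 3 flow entries have been shown.
"""

PAIR = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Split one `conntrack -L` line into its original and reply tuples."""
    orig, reply = {}, {}
    for key, value in PAIR.findall(line):
        # Tuple keys (src, dst, id, ...) appear twice: first original, then reply.
        (reply if key in orig else orig)[key] = value
    if "src" not in orig or "src" not in reply:
        return None  # status line or anything that is not a flow entry
    # mark/zone/use occur once, so they land in `orig`; no zone= means zone 0.
    return {"proto": line.split()[0], "orig": orig, "reply": reply,
            "zone": orig.get("zone", "0")}


def leftover_entries(listing, ip, zone):
    """Entries in `zone` whose original tuple still involves `ip`, by direction."""
    found = []
    for line in listing.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["zone"] != str(zone):
            continue
        o = entry["orig"]
        if o["src"] == ip:
            direction = "egress"    # flow initiated by the port
        elif o["dst"] == ip:
            direction = "ingress"   # flow initiated towards the port
        else:
            continue
        found.append((direction, entry["proto"], o["src"], o["dst"], o.get("id")))
    return found


if __name__ == "__main__":
    # Assumption: zone 3 is the conntrack zone of vm2's port (10.0.0.4).
    for hit in leftover_entries(SAMPLE, "10.0.0.4", 3):
        print("still tracked:", hit)
```

An empty result for the port's IP and zone means both directions were cleared; on the sample, the egress entry with id 22017 is reported.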
