
yahoo-eng-team team mailing list archive

[Bug 1474279] Re: FWaaS leaves connection open if allow rule is deleted, because of conntrack


Reviewed:  https://review.openstack.org/300960
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=fadfe86516de7982c86de4dd1a0d275d0a6c84f7
Submitter: Jenkins
Branch:    master

commit fadfe86516de7982c86de4dd1a0d275d0a6c84f7
Author: Ha Van Tu <tuhv@xxxxxxxxxxxxxx>
Date:   Mon Apr 4 14:03:12 2016 +0700

    Fix "Not applying Firewall rules immediately" problem
    
    This patch removes the conntrack entries of the established
    connection when the firewall updates its rules.
    
    Change-Id: I8d149d3cb0c8cbca2211446b082fcfcda93e2b19
    Closes-Bug: #1474279


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1474279

Title:
  FWaaS leaves connection open if allow rule is deleted, because of conntrack

Status in neutron:
  Fix Released

Bug description:
  Hi,

  I've faced a problem with the FWaaS plugin in Neutron (Juno).
  The firewall works, but when I delete a rule from the policy, the
  connection still works because of conntrack... (I tried with ping
  and ssh.)
  It's okay if the connection is kept alive when it's really alive (an
  active SSH session, for example), but if I delete the ICMP rule, stop
  pinging, and restart pinging, the ping still works...

  If I go to my neutron server and run a conntrack -F command on my
  relevant qrouter, the firewall starts working based on the valid rules...

  Is there any way to configure the conntrack cleanup when the FWaaS
  configuration is modified by the user?

  If not, can somebody help me find where to make changes in the code to
  run that command in the proper namespace after the iptables rule
  generation?

  Regards,
   Peter

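The commit above fixes the reported behaviour by removing conntrack entries when the firewall rules change, and Peter's workaround was a blanket `conntrack -F` inside the qrouter namespace. The following is an added example, not code from neutron-fwaas or from the commit, showing the defender-side design choice a practitioner would want here: instead of flushing the whole table (which also cuts connections the policy still allows), build `ip netns exec <ns> conntrack -D ...` commands that target only the flows matching the rules that were removed, falling back to a full flush only for an "any protocol" rule. The `FirewallRule` dataclass, its field names, the `qrouter-<router_id>` namespace naming and the sample rules are assumptions made for this example; the `conntrack` flags (`-D`, `-F`, `-p`, `--dport`, `-s`, `-d`) and `ip netns exec` are real.

```python
"""Targeted conntrack cleanup after a firewall rule change.

Added example (not neutron-fwaas code). Models the idea behind the fix
for bug 1474279: when an allow rule disappears from the policy, the
established flows it permitted must be dropped from the conntrack table,
otherwise the stateful iptables rules keep accepting them. Only the flows
matching the removed rules are deleted, so connections still allowed by
the policy survive the update.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FirewallRule:
    """Minimal rule model (hypothetical field names, not the FWaaS schema)."""
    protocol: Optional[str] = None          # "tcp", "udp", "icmp" or None (any)
    destination_port: Optional[int] = None  # only meaningful for tcp/udp
    source_ip: Optional[str] = None         # plain IPv4 address
    destination_ip: Optional[str] = None    # plain IPv4 address


def removed_rules(old: List[FirewallRule], new: List[FirewallRule]) -> List[FirewallRule]:
    """Rules present in the old policy but absent from the new one."""
    return [rule for rule in old if rule not in new]


def conntrack_delete_argv(rule: FirewallRule, namespace: str) -> List[str]:
    """Build the argv that deletes the conntrack flows matching one rule.

    The command is wrapped in `ip netns exec <namespace>` so it runs in the
    router namespace, which is where the conntrack table for that router lives.
    """
    prefix = ["ip", "netns", "exec", namespace, "conntrack"]
    if rule.protocol is None:
        # An "any protocol" rule matched everything; there is no narrower
        # selector, so a full flush is the only correct deletion.
        return prefix + ["-F"]
    argv = prefix + ["-D", "-p", rule.protocol]
    # ICMP flows carry no port, so --dport is only added for tcp/udp.
    if rule.protocol in ("tcp", "udp") and rule.destination_port is not None:
        argv += ["--dport", str(rule.destination_port)]
    if rule.source_ip:
        argv += ["-s", rule.source_ip]
    if rule.destination_ip:
        argv += ["-d", rule.destination_ip]
    return argv


def cleanup_commands(old: List[FirewallRule], new: List[FirewallRule],
                     router_id: str) -> List[List[str]]:
    """Commands to run after the iptables rules for `router_id` were regenerated.

    Assumes the l3 agent naming convention `qrouter-<router_id>` for the
    namespace. Returns an empty list when no rule was removed, so an update
    that only adds rules never touches existing flows.
    """
    namespace = f"qrouter-{router_id}"
    return [conntrack_delete_argv(rule, namespace) for rule in removed_rules(old, new)]


def run_cleanup(commands: List[List[str]], dry_run: bool = True) -> int:
    """Execute the commands (requires root and conntrack-tools); returns count run."""
    for argv in commands:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)
    return len(commands)


if __name__ == "__main__":
    # Constructed sample policy: the ICMP allow rule from the bug report is
    # removed, the SSH allow rule stays. Only ICMP flows get deleted.
    old_policy = [FirewallRule("icmp"), FirewallRule("tcp", destination_port=22)]
    new_policy = [FirewallRule("tcp", destination_port=22)]
    run_cleanup(cleanup_commands(old_policy, new_policy, "example-router-id"))
```

With `dry_run=True` the script only prints the commands, which is the safest way to review what an update would delete before wiring it into an agent that runs as root inside router namespaces.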

