yahoo-eng-team team mailing list archive
Message #54838
[Bug 1570171] Re: ip_conntrack only delete one direction entry
Reviewed: https://review.openstack.org/318679
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4acccc7e9ce6849e6fb30d42edbf858fd4235954
Submitter: Jenkins
Branch: master
commit 4acccc7e9ce6849e6fb30d42edbf858fd4235954
Author: yujie <yujie@xxxxxxxxxxxxxxxxxxxx>
Date: Fri Aug 5 10:41:08 2016 +0800
Delete conntrack entry with remote_ip on the other direction
Patch [1] is incomplete for deleting conntrack entries with
remote_ip set. This patch fixes the defect.
[1]: I44d6bd0c2465294b557fd01566b72e016d34bba3
Change-Id: I31c579dbe28e4e8e824912b695eaba9475cf0095
Closes-Bug: #1570171
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1570171
Title:
ip_conntrack only delete one direction entry
Status in neutron:
Fix Released
Bug description:
The test used neutron master.
I used devstack to create one net and two VMs on this net; vm1's fixed IP is 10.0.0.3, vm2's fixed IP is 10.0.0.4.
Both VMs are bound to sg1:
rule1: ingress, any protocol, any remote ip prefix
rule2: egress, any protocol, any remote ip prefix
1. vm1 pings vm2 and vm2 pings vm1; the conntrack will be:
$ sudo conntrack -L -p icmp
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
conntrack v1.4.1 (conntrack-tools): 4 flow entries have been shown.
2. vm2 unbinds sg1; the conntrack turns to:
$ sudo conntrack -L -p icmp
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
conntrack v1.4.1 (conntrack-tools): 3 flow entries have been shown.
Now vm1 could not connect to vm2, which is right; but vm2 could still
ping vm1 successfully. The entry "icmp 1 29 src=10.0.0.4
dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0
code=0 id=22017 mark=0 zone=3 use=1" was not deleted as expected.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1570171/+subscriptions
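The symptom in the report, reproduced offline as an added example (not neutron's code and not part of the original message): it parses the step 1 listing and compares a delete that matches the port IP only as destination with one that matches it in both directions. Assumptions: zone 3 is the zone of vm2 (10.0.0.4), inferred from which entry disappeared in step 2; the dst-only match is a model of the observed behaviour; all function names are hypothetical.

```python
import re

# Constructed sample: the step 1 listing from the report, including the summary line.
SAMPLE = """\
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=4 use=1
icmp 1 29 src=10.0.0.3 dst=10.0.0.4 type=8 code=0 id=21761 src=10.0.0.4 dst=10.0.0.3 type=0 code=0 id=21761 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.4 dst=10.0.0.3 type=8 code=0 id=22017 src=10.0.0.3 dst=10.0.0.4 type=0 code=0 id=22017 mark=0 zone=3 use=1
conntrack v1.4.1 (conntrack-tools): 4 flow entries have been shown.
"""


def parse_entries(text):
    """Parse `conntrack -L` output into dicts keyed on the original-direction tuple."""
    entries = []
    for line in text.splitlines():
        srcs = re.findall(r"\bsrc=(\S+)", line)
        dsts = re.findall(r"\bdst=(\S+)", line)
        if not srcs or not dsts:
            continue  # summary line or anything that is not a flow entry
        zone = re.search(r"\bzone=(\d+)", line)
        flow_id = re.search(r"\bid=(\d+)", line)  # present for ICMP entries
        entries.append({
            "src": srcs[0],  # the first src=/dst= pair is the original direction
            "dst": dsts[0],
            "id": int(flow_id.group(1)) if flow_id else None,
            "zone": int(zone.group(1)) if zone else 0,  # no zone= field means zone 0
        })
    return entries


def select_for_delete(entries, port_ip, zone, both_directions):
    """Entries in `zone` that a delete keyed on port_ip would match."""
    hits = []
    for e in entries:
        if e["zone"] != zone:
            continue
        if e["dst"] == port_ip or (both_directions and e["src"] == port_ip):
            hits.append(e)
    return hits


def leftover(entries, port_ip, zone, both_directions):
    """Entries in `zone` that survive the delete and keep the flow established."""
    gone = select_for_delete(entries, port_ip, zone, both_directions)
    return [e for e in entries if e["zone"] == zone and e not in gone]


if __name__ == "__main__":
    flows = parse_entries(SAMPLE)
    print("dst-only delete leaves:", leftover(flows, "10.0.0.4", 3, False))
    print("both-direction delete leaves:", leftover(flows, "10.0.0.4", 3, True))
```

The same comparison works as an audit after a security group change: any entry `leftover` returns for the port's zone is a flow that still bypasses the new rules.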