Message #61028
[Bug 1657260] Re: Established connection doesn't stop when rule is removed
Reviewed: https://review.openstack.org/426429
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=10bfa690885f06316ccec1fee39e51ca64058443
Submitter: Jenkins
Branch: master
commit 10bfa690885f06316ccec1fee39e51ca64058443
Author: Sławek Kapłoński <slawek@xxxxxxxxxxxx>
Date: Fri Jan 27 23:19:25 2017 +0000
Clear conntrack entries without zones if CT zones are not used
CT zones are used only in OVSHybridIptablesFirewallDriver.
Such zones are not set in the IptablesFirewallDriver class, but
even though the iptables driver was not using CT zones, a zone was
still used by the conntrack manager class when deleting a conntrack
entry.
This caused an issue where, for the Linuxbridge agent, an established and
active connection stayed active even after the security group
rule was deleted.
This patch changes the conntrack manager class so that it will not
use a CT zone (-w option) if no zone was assigned to the port
earlier.
Change-Id: Ib9c8d0a09d0858ff6f36db406c6b2a9191f304d1
Closes-bug: 1657260
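As an added illustration (not neutron's own code, and not part of the commit above) of the behaviour the commit message describes: a small model in which the `conntrack -D` command carries `-w` only when a CT zone was assigned, plus a toy conntrack table showing why deleting with a zone the kernel never recorded leaves the established flow in place. The default zone 0, the sample flows and the function names are assumptions made for this example.

```python
"""Added illustration (not neutron's code): emit -w only when a zone exists."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class CtEntry:
    """Kernel conntrack entry; flows tracked without a CT zone sit in the
    default zone 0 (assumed for this model)."""
    src: str
    dst: str
    proto: str
    zone: int = 0

def build_conntrack_delete_cmd(remote_ip: str, proto: str,
                               direction: str = "ingress",
                               zone: Optional[int] = None) -> List[str]:
    """Argument list deleting flows a removed SG rule used to permit. -w is
    added only if the port really has a CT zone (OVS hybrid driver); the
    iptables driver used by the Linuxbridge agent assigns none."""
    cmd = ["conntrack", "-D"]
    if zone is not None:
        cmd += ["-w", str(zone)]
    # Ingress rules filter on the remote source, egress on the remote dest.
    cmd += ["-s" if direction == "ingress" else "-d", remote_ip, "-p", proto]
    return cmd

def apply_delete(table: List[CtEntry], cmd: List[str]) -> List[CtEntry]:
    """Kernel side of the model: an entry goes only if every filter matches,
    including the zone whenever -w is present."""
    def opt(flag: str) -> Optional[str]:
        return cmd[cmd.index(flag) + 1] if flag in cmd else None
    zone, src, dst, proto = opt("-w"), opt("-s"), opt("-d"), opt("-p")
    def matches(e: CtEntry) -> bool:
        return ((zone is None or e.zone == int(zone))
                and (src is None or e.src == src)
                and (dst is None or e.dst == dst)
                and e.proto == proto)
    return [e for e in table if not matches(e)]

# Constructed sample table: an established SSH flow that a now-deleted
# ingress rule (tcp from 192.0.2.10) used to allow, plus an unrelated flow.
SAMPLE_TABLE = [CtEntry("192.0.2.10", "10.0.0.5", "tcp"),
                CtEntry("198.51.100.7", "10.0.0.5", "udp")]

def remaining_after_rule_removal(zone: Optional[int]) -> int:
    """Entries left after the rule's flows are deleted. A zone the kernel
    never recorded (pre-fix behaviour with the iptables driver) matches
    nothing, so the SSH session survives; zone=None (the fix) clears it."""
    cmd = build_conntrack_delete_cmd("192.0.2.10", "tcp", "ingress", zone)
    return len(apply_delete(SAMPLE_TABLE, cmd))
```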
** Changed in: neutron
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1657260
Title:
Established connection doesn't stop when rule is removed
Status in neutron:
Fix Released
Bug description:
If the iptables driver is used for Security groups (e.g. in the Linuxbridge L2 agent) there is an issue with updating rules. When you have a rule which allows some kind of traffic (like ssh, for example, from some src IP address) and you have an established, active connection which matches this rule, the connection will still be active even if the rule is removed/changed.
It is because in iptables, in the chain for each SG, the first rule is one to accept packets with "state RELATED,ESTABLISHED".
I'm not sure if it is in fact a bug or maybe it's just a design decision to have better performance of iptables.