
yahoo-eng-team team mailing list archive

[Bug 1556013] Re: Dropping a rule from security group rules don't drop the connection in the IptablesFirewallDriver (they do for Hybrid)

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1556013

Title:
  Dropping a rule from security group rules don't drop the connection in
  the IptablesFirewallDriver (they do for Hybrid)

Status in neutron:
  Expired

Bug description:
  This happens because connection tracking zones don't work in the
  IptablesFirewallDriver (they do for Hybrid).

  
  The subclass for the hybrid driver is the one introducing the zone
  rules [1]

  I remember it was discussed during this review [2], but I cannot see if
  there was any technical detail why we could not do the same thing on
  the plain IptablesFirewallDriver itself.

  [1]
  https://github.com/openstack/neutron/blob/01a5d9a3c088e54ae78c068408d419ccc53f8ca8/neutron/agent/linux/iptables_firewall.py#L905

  [2] https://review.openstack.org/#/c/118274/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1556013/+subscriptions

