
yahoo-eng-team team mailing list archive

[Bug 1657260] Re: Established connection doesn't stop when rule is removed


The issue still exists and currently is failing fullstack tests.

I was able to reproduce the issue locally. After the SG rule was removed, I
still see

tcp      6 431985 ESTABLISHED src=20.0.0.10 dst=20.0.0.9 sport=42308
dport=3355 src=20.0.0.9 dst=20.0.0.10 sport=3355 dport=42308 [ASSURED]
mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

in conntrack, and increasing counters in iptables for the following rule:

Chain neutron-linuxbri-i886980ff-0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  1460 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */

linuxbridge-agent logs say:

2017-03-15 11:50:06.179 11755 DEBUG neutron.agent.linux.ip_conntrack
[req-b776ebc8-72f4-4385-98d4efa38ecb63a9 - - - - -] No zone for device
tap886980ff-0c. Will not try to clear conntrack state. Zone map: {}
_get_conntrack_cmds
/opt/stack/neutron/neutron/agent/linux/ip_conntrack.py:83

** Changed in: neutron
       Status: Fix Released => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1657260

Title:
  Established connection doesn't stop when rule is removed

Status in neutron:
  Confirmed

Bug description:
  If the iptables driver is used for security groups (e.g. in the Linuxbridge L2 agent) there is an issue with updating rules. When you have a rule which allows some kind of traffic (like ssh, for example, from some src IP address) and you have an established, active connection which matches this rule, the connection will still be active even if the rule is removed/changed.
  This is because in iptables, the first rule in the chain for each SG accepts packets with "state RELATED,ESTABLISHED".
  I'm not sure if it is in fact a bug or maybe it's just a design decision to get better performance from iptables.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1657260/+subscriptions
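
The bug description above explains why a flow that an SG rule once permitted survives the rule's removal (the RELATED,ESTABLISHED rule matches first), and the agent log shows the conntrack cleanup being skipped because no zone was known. As an added example that is not Neutron's own code, the following Python parses conntrack entries like the one quoted in the comment and works out which flows a removed rule leaves stranded and would need deleting; the SG rule dict shape, `flows_hit_by_removed_rule` and the sample table are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample conntrack table, modelled on the entry quoted in the bug
# comment (TCP to port 3355), plus an SSH flow and a UDP DNS flow. VM IP: 20.0.0.9.
SAMPLE_CONNTRACK = """\
tcp      6 431985 ESTABLISHED src=20.0.0.10 dst=20.0.0.9 sport=42308 dport=3355 src=20.0.0.9 dst=20.0.0.10 sport=3355 dport=42308 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=20.0.0.10 dst=20.0.0.9 sport=42310 dport=22 src=20.0.0.9 dst=20.0.0.10 sport=22 dport=42310 [ASSURED] mark=0 use=1
udp      17 29 src=20.0.0.9 dst=20.0.0.10 sport=5000 dport=53 src=20.0.0.10 dst=20.0.0.9 sport=53 dport=5000 mark=0 use=1
"""
_KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """Parse `conntrack -L` style lines into dicts with original/reply tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        kv = _KV.findall(line)
        # Pairs 0-3 are the original direction, 4-7 the reply; a state token
        # such as ESTABLISHED precedes them only for stateful protocols.
        entries.append({"proto": fields[0],
                        "state": None if "=" in fields[3] else fields[3],
                        "orig": dict(kv[0:4]), "reply": dict(kv[4:8])})
    return entries


def flows_hit_by_removed_rule(entries, vm_ip, rule):
    """Entries that only the removed rule permitted. `rule` is a hypothetical dict
    (direction, protocol, port_min, port_max, remote_ip_prefix). Ingress flows were
    initiated towards the VM (orig dst=vm_ip); egress flows have orig src=vm_ip."""
    prefix = ipaddress.ip_network(rule["remote_ip_prefix"])
    local, remote = ("dst", "src") if rule["direction"] == "ingress" else ("src", "dst")
    hits = []
    for e in entries:
        o = e["orig"]
        if e["proto"] != rule["protocol"] or o[local] != vm_ip:
            continue
        if ipaddress.ip_address(o[remote]) not in prefix:
            continue
        if rule["port_min"] <= int(o["dport"]) <= rule["port_max"]:
            hits.append(e)
    return hits


def conntrack_delete_cmd(entry, zone=None):
    """Build (not run) the conntrack-tools command that deletes one flow; `-w`
    selects the conntrack zone that the agent log above could not look up."""
    o = entry["orig"]
    cmd = ["conntrack", "-D", "-p", entry["proto"], "-s", o["src"], "-d", o["dst"],
           "--sport", o["sport"], "--dport", o["dport"]]
    return cmd + (["-w", str(zone)] if zone is not None else [])
```

Running `flows_hit_by_removed_rule` against the parsed sample with the ingress TCP/3355 rule returns only the flow from the bug comment, which is the entry the agent would have to delete for the rule removal to take effect.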