
yahoo-eng-team team mailing list archive

[Bug 1696093] Re: When updating a firewall, we should update the iptables first, and then clear the conntrack record, just like the function create_firewall(). Otherwise, the conntrack record could be reproduced.


Reviewed:  https://review.openstack.org/471301
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=6a31bfbb3400fb818e7b2f15fa11337bafed80cd
Submitter: Jenkins
Branch:    master

commit 6a31bfbb3400fb818e7b2f15fa11337bafed80cd
Author: wujun <wujun@xxxxxxxxxxx>
Date:   Tue Jun 6 05:58:32 2017 -0400

    Modify the order between iptables and conntrack when updating a firewall
    
    When updating a firewall, we should update the iptables first,
    and then remove the conntrack record, just like the functions
    create_firewall() and create_firewall_group() do. Otherwise, the
    conntrack record could be reproduced. This occurs more easily
    in a scenario with a large flow, because removing conntrack
    and updating the firewall take some time, and in this interval
    the subsequent flow can arrive and reproduce the same
    conntrack record.
    
    Change-Id: I7bd36964199c6ce7c146f3ef06a693e9c6fe5353
    Closes-bug: #1696093


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1696093

Title:
  When updating a firewall, we should update the iptables first, and
  then clear the conntrack record, just like the function
  create_firewall(). Otherwise, the conntrack record could be reproduced.

Status in neutron:
  Fix Released

Bug description:
  environment: devstack master

  When updating a firewall, we should update the iptables first, and
  then clear the conntrack record, just like the function
  create_firewall(). Otherwise, the conntrack record could be reproduced.

  We can trigger the firewall_update action by:
  1. #neutron firewall-update f1 --no-routers
  2. vm pings an external ip address all the time
  3. #neutron firewall-update f1 --router demo-router

  We can find that the vm can still ping the external ip address successfully.


  notice:
  We should make sure that the ping never stops and that the ping interval is small. If it still does not reproduce, we can modify the code to add a "sleep" before the function "_setup_firewall()".

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1696093/+subscriptions
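The race the bug report describes can be shown with a small model of what the fix changes. The following is an added example written for this page, not neutron-fwaas code: it models a router chain as the usual FWaaS layout (an ESTABLISHED short-circuit rule ahead of the policy rules, default DROP) together with a conntrack table, and compares the two orderings of a firewall update while ping packets keep arriving in the window between the two steps. The addresses, the `Firewall` class and the `simulate`/`clear_then_update`/`update_then_clear` helpers are constructed for the illustration and do not correspond to driver functions.

```python
# Added example (not neutron-fwaas code): a constructed model of why the
# order "update iptables, then clear conntrack" matters.  Names, addresses
# and the policy table are assumptions made for this illustration.
from dataclasses import dataclass, field

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass
class Firewall:
    """Minimal stand-in for a router's iptables chain plus its conntrack table.

    The chain is modelled as the usual FWaaS layout: an ESTABLISHED
    short-circuit first, then the per-destination policy rules, then a
    default DROP.
    """
    policy: dict                                  # dst -> ACCEPT / DROP
    conntrack: set = field(default_factory=set)   # flows seen as (src, dst)

    def handle(self, src, dst):
        flow = (src, dst)
        # "-m state --state ESTABLISHED -j ACCEPT": an existing conntrack
        # entry is accepted without ever consulting the policy rules.
        if flow in self.conntrack:
            return ACCEPT
        verdict = self.policy.get(dst, DROP)
        if verdict == ACCEPT:
            self.conntrack.add(flow)              # new entry is recorded
        return verdict


def clear_then_update(fw, new_policy, traffic_in_between):
    """Order used before the fix: conntrack is flushed, then rules change."""
    fw.conntrack.clear()
    for src, dst in traffic_in_between:           # packets arriving meanwhile
        fw.handle(src, dst)
    fw.policy = new_policy


def update_then_clear(fw, new_policy, traffic_in_between):
    """Order after the fix: rules change first, then conntrack is flushed."""
    fw.policy = new_policy
    for src, dst in traffic_in_between:
        fw.handle(src, dst)
    fw.conntrack.clear()


VM = "10.0.0.5"            # constructed: the tenant VM that keeps pinging
EXTERNAL = "203.0.113.10"  # constructed: the external address it pings


def simulate(order, packets_during_update):
    """Run one firewall update with the given ordering.

    Starts in the permissive state (firewall detached from the router, so
    the ping is accepted and has a conntrack entry), applies a policy that
    drops traffic to EXTERNAL while `packets_during_update` packets arrive
    in the window between the two steps, and returns the verdicts for the
    next two ping packets after the update has completed.
    """
    fw = Firewall(policy={EXTERNAL: ACCEPT})
    fw.handle(VM, EXTERNAL)                       # ping already running
    order(fw, {EXTERNAL: DROP}, [(VM, EXTERNAL)] * packets_during_update)
    return [fw.handle(VM, EXTERNAL) for _ in range(2)]


if __name__ == "__main__":
    for name, order in (("clear, then update", clear_then_update),
                        ("update, then clear", update_then_clear)):
        print(f"{name:20s} quiet window: {simulate(order, 0)}"
              f"  busy window: {simulate(order, 3)}")
```

With a quiet window both orderings end up dropping the ping. With packets arriving in the window, the old order lets a packet pass under the still-permissive rules and re-create the conntrack entry, which the ESTABLISHED rule then honours after the new rules are in place; the fixed order installs the DROP rule first, so any entry re-created in the window is removed by the final flush and the next packet is evaluated against the new policy. This is the same effect the reporter suggests provoking with a "sleep" before `_setup_firewall()`.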