yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1721895] [NEW] OVS firewall should drop iptables rules if it detects a bridge

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Kevin Benton <1721895@xxxxxxxxxxxxxxxxxx>
Date: Fri, 06 Oct 2017 23:35:38 -0000
Reply-to: Bug 1721895 <1721895@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

When a user switches from the hybrid firewall to the OVS native firewall
the iptables rules will be left behind on the filtering bridge. Since
removing the bridge would require difficult coordination with Nova and
it would be disruptive to traffic, that is currently not a viable
approach.

To make the transition easier, the OVS firewall should at least detect
when one of its VM ports contains a filtering bridge and drop all of the
iptables rules on it so we don't have stale rules interfering with the
traffic.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1721895

Title:
  OVS firewall should drop iptables rules if it detects a bridge

Status in neutron:
  New

Bug description:
  When a user switches from the hybrid firewall to the OVS native
  firewall the iptables rules will be left behind on the filtering
  bridge. Since removing the bridge would require difficult coordination
  with Nova and it would be disruptive to traffic, that is currently not
  a viable approach.

  To make the transition easier, the OVS firewall should at least detect
  when one of its VM ports contains a filtering bridge and drop all of
  the iptables rules on it so we don't have stale rules interfering with
  the traffic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1721895/+subscriptions

Follow ups

[Bug 1721895] Re: OVS firewall should drop iptables rules if it detects a bridge
From: OpenStack Infra, 2017-10-12