yahoo-eng-team team mailing list archive
Message #70215
[Bug 1736674] Re: sg rules are sometimes not applied
Reviewed: https://review.openstack.org/527965
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cbee0f9f88ff34f70ff19590471b5405e06ff2a9
Submitter: Zuul
Branch: master
commit cbee0f9f88ff34f70ff19590471b5405e06ff2a9
Author: Sławek Kapłoński <slawek@xxxxxxxxxxxx>
Date: Thu Dec 14 14:51:01 2017 +0100
Use same instance of iptables_manager in L2 agent and extensions
This commit adds the common_agent_extension class, which is the agent API
for L2 extension drivers used e.g. by the Linuxbridge agent.
This is necessary to be able to use the instance of iptables_manager
used in the firewall driver also in L2 extension drivers (like qos).
This patch refactors the iptables_manager code a little bit to make it
possible to initialize e.g. the mangle or nat table on demand, even if
iptables is created as "state_less".
Change-Id: I3b66e49b7f176124e8aea3eb96d0d465f1ab1ea0
Closes-Bug: #1736674
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1736674
Title:
sg rules are sometimes not applied
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
New
Bug description:
Failure of negative test in gate:
http://logs.openstack.org/19/523319/5/check/neutron-tempest-plugin-scenario-linuxbridge/47b85c6/job-output.txt.gz#_2017-12-01_23_09_02_843619
Reproducing locally with a debug patch, I see that iptables_manager
first applies the correct rules and then removes them again
immediately after that, see http://paste.openstack.org/show/628245/
Steps to reproduce (taken from
neutron_tempest_plugin.scenario.test_security_groups.NetworkDefaultSecGroupTest.test_ip_prefix_negative,
possibly not minimal):
- create two security groups
- add ssh access to first, icmp access to second one
- create an instance with these two security groups applied
- run iptables-save and discover no rules applied to the instance
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1736674/+subscriptions
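A check for the symptom in the last reproduction step (iptables-save shows no rules for the instance), as an added example that is not part of the original message or of neutron's code: it parses iptables-save output and reports expected per-port chains that are missing, empty or never jumped to. The chain and device names in the sample are constructed, and parse_iptables_save and unenforced_chains are hypothetical helper names.

```python
import re

# Constructed iptables-save output (invented chain/device names); SAMPLE_REMOVED drops the port's lines.
SAMPLE_APPLIED = """\
*filter
:FORWARD ACCEPT [0:0]
:example-sg-chain - [0:0]
:example-i-port1 - [0:0]
-A FORWARD -j example-sg-chain
-A example-sg-chain -m physdev --physdev-out tap-port1 --physdev-is-bridged -j example-i-port1
-A example-i-port1 -p tcp -m tcp --dport 22 -j RETURN
-A example-i-port1 -p icmp -j RETURN
-A example-i-port1 -j DROP
COMMIT
"""
SAMPLE_REMOVED = "\n".join(ln for ln in SAMPLE_APPLIED.splitlines() if "port1" not in ln)

def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}} parsed from iptables-save output."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s+", "", raw.strip())  # drop `-c` packet/byte counters
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {})
        elif line == "COMMIT" or current is None:
            current = None  # lines outside a table are ignored, so they never count as rules
        elif line.startswith(":"):
            current.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            chain, _, rule = line[3:].partition(" ")
            current.setdefault(chain, []).append(rule)
    return tables

def unenforced_chains(text, expected, table="filter"):
    """Map each expected chain that is missing, empty or never jumped to onto the reason."""
    chains = parse_iptables_save(text).get(table, {})
    targets = {t for rules in chains.values() for r in rules
               for t in re.findall(r"(?:^|\s)-[jg] (\S+)", r)}
    problems = {}
    for name in expected:
        if name not in chains:
            problems[name] = "missing"
        elif not chains[name]:
            problems[name] = "empty"
        elif name not in targets:
            problems[name] = "unreferenced"
    return problems
```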