← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #80818

[Bug 1854131] [NEW] Old conjunction left after sg update

  Thread PreviousDate PreviousThread Next 
Public bug reported:

1.Create 2 security groups:
test-security1, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
test-security2, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security2)

2.Create a VM(IP: 40.0.0.46) with test-security1, then the open flows showed:
 cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
 cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)

3.Update VM's sg to test-security2, then the open flows showed:
 cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
 cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)

You can see the old conjunction for test-security1 still exists: conjunction(14,1/2) and conjunction(15,1/2)
This will cause security problem for VM, because it still can be reached by the old sg VMs.

** Affects: neutron
     Importance: Undecided
         Status: New

** Description changed:

  1.Create 2 security groups:
  test-security1, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
  test-security2, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security2)
  
  2.Create a VM(IP: 40.0.0.46) with test-security1, then the open flows showed:
-  cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
-  cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)
+  cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
+  cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)
  
- 3.Update VM's sg to test-security2, then the open flows showed: 
-  cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
-  cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)
+ 3.Update VM's sg to test-security2, then the open flows showed:
+  cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
+  cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)
  
- You can see the old conjunction for test-security1 still exists: conjunction(15,1/2)
+ You can see the old conjunction for test-security1 still exists: conjunction(14,1/2) and conjunction(15,1/2)
  This will cause security problem for VM, because it still can be reached by the old sg VMs.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1854131

Title:
  Old conjunction left after sg update

Status in neutron:
  New

Bug description:
  1.Create 2 security groups:
  test-security1, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
  test-security2, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security2)

  2.Create a VM(IP: 40.0.0.46) with test-security1, then the open flows showed:
   cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
   cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)

  3.Update VM's sg to test-security2, then the open flows showed:
   cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
   cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)

  You can see the old conjunction for test-security1 still exists: conjunction(14,1/2) and conjunction(15,1/2)
  This will cause security problem for VM, because it still can be reached by the old sg VMs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1854131/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next