
yahoo-eng-team team mailing list archive

[Bug 1915530] [NEW] Openvswitch firewall - removing and adding security group breaks connectivity

 

Public bug reported:

How to reproduce the issue:

1. Use neutron-ovs-agent with the openvswitch firewall driver.
2. Spawn a VM with an SG which has some rule to allow some kind of traffic (e.g. ssh to the instance).
3. Establish a connection according to the rule(s) in the SG (e.g. connect through ssh to the instance).
4. Keep the established connection and remove the security group from the port.
5. Add the security group to the port again.
6. Your connection will not be "restored" because in the conntrack table there are entries like:

tcp      6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED] mark=1 zone=4 use=1

The connection will be restored when that entry is deleted.

** Affects: neutron
     Importance: Low
     Assignee: Slawek Kaplonski (slaweq)
         Status: New


** Tags: ovs-fw

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1915530
