yahoo-eng-team team mailing list archive
Message #85380
[Bug 1915530] Re: Openvswitch firewall - removing and adding security group breaks connectivity
Patch merged in master
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1915530
Title:
Openvswitch firewall - removing and adding security group breaks
connectivity
Status in neutron:
Fix Released
Bug description:
How to reproduce the issue:
1. use neutron-ovs-agent with openvswitch firewall driver,
2. spawn vm with SG which has some rule to allow some kind of traffic (can be e.g. ssh to the instance)
3. establish connection according to the rule(s) in SG (e.g. connect through ssh to the instance)
4. keep established connection and remove security group from port,
5. add security group again to the port
6. Your connection will not be "restored" because in the conntrack table there are entries like:
tcp 6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660
dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED]
mark=1 zone=4 use=1
Connection will be restored when that entry is deleted.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1915530/+subscriptions