
yahoo-eng-team team mailing list archive

[Bug 1715789] Re: ovsfw rejects old connections after re-add former rules

 

Bug closed due to lack of activity, please feel free to reopen if
needed.

** Changed in: neutron
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1715789

Title:
  ovsfw rejects old connections after re-add former rules

Status in neutron:
  Won't Fix

Bug description:
  Reproduction procedure:
  1. An all-in-one devstack environment, use latest master branch and openvswitch driver:
  [securitygroup]
  firewall_driver = openvswitch

  2. launch two VMs with security_group SG1, which have two rules:
  rule1: egress, IPv4
  rule2: ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0

  3. SSH to VM2 from VM1
  4. Delete rule2, check that SSH connection is blocked
  5. re-add rule1 to SG1, check that SSH connection is still blocked.
  The reason is that the conntrack entry is not aged and marked to 1:
  root@devstack:~# conntrack -L --zone=1
  tcp      6 298 ESTABLISHED src=10.0.0.3 dst=10.0.0.8 sport=38844 dport=22 src=10.0.0.8 dst=10.0.0.3 sport=22 dport=38844 [ASSURED] mark=1 zone=1 use=1

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1715789/+subscriptions
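The diagnostic an operator would want for the situation in the report is a quick way to spot conntrack entries in a security-group zone that still carry the mark shown above. This is an added example, not neutron or conntrack-tools code; it assumes that mark=1 is the value the OVS firewall driver leaves on connections it has decided to drop (as the report's output shows) and parses the `conntrack -L` text format, with the sample lines constructed from the report.

```python
"""Find conntrack entries that ovsfw will keep rejecting after a rule is re-added."""
import re
from dataclasses import dataclass

# Constructed sample: first line copied from the bug report, second line
# is a hypothetical healthy session in the same zone with mark=0.
SAMPLE = (
    "tcp      6 298 ESTABLISHED src=10.0.0.3 dst=10.0.0.8 sport=38844 dport=22 "
    "src=10.0.0.8 dst=10.0.0.3 sport=22 dport=38844 [ASSURED] mark=1 zone=1 use=1\n"
    "tcp      6 431999 ESTABLISHED src=10.0.0.3 dst=10.0.0.8 sport=38850 dport=22 "
    "src=10.0.0.8 dst=10.0.0.3 sport=22 dport=38850 [ASSURED] mark=0 zone=1 use=1\n"
)

@dataclass
class CtEntry:
    proto: str
    state: str      # empty for protocols without a state column (e.g. udp)
    src: str
    dst: str
    sport: int
    dport: int
    mark: int
    zone: int

# proto, l4proto number, timeout, optional state, original-direction tuple,
# then anything up to the mark and zone fields.
_LINE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r".*?\bmark=(?P<mark>\d+)\s+zone=(?P<zone>\d+)"
)

def parse_conntrack(text):
    """Parse `conntrack -L` output; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append(CtEntry(m["proto"], m["state"] or "", m["src"], m["dst"],
                                   int(m["sport"]), int(m["dport"]),
                                   int(m["mark"]), int(m["zone"])))
    return entries

def stale_rejected(entries, zone, drop_mark=1):
    """Entries in `zone` still carrying the drop mark. These stay blocked
    even after a matching rule is re-added, until they age out or are
    deleted (conntrack -D --zone <zone> --mark <drop_mark>)."""
    return [e for e in entries if e.zone == zone and e.mark == drop_mark]
```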