Public bug reported:
Summary:
When using enhanced RPC, the security group rules and members are updated after
the call to update port filter. This is with a firewall driver that has no need
to use defer_apply based implementation.
Description:
In class SecurityGroupAgentRpc(..) refresh_firewall, if we use
enhanced_rpc, the rules and members are updated after the calls to
update_port_filter (...). This works fine for IP Tables based firewall
driver, since it has the need to override 'filter_defer_apply_on' and
'filter_defer_apply_off' methods to defer calling of iptables cmds.
Due to this, Firewall drivers that do not override
filter_defer_apply_on/off methods misses applying the new rules, since
rule updates happens post update_port_filter call into the driver.
Symptoms:
Rule update or a security group member update is not processed by the firewall
driver instantly.
Environment:
Openstack master with hyper-v security groups driver with enhanced_rpc set to
True.
This is applicable to any Firewall driver that chooses not to implement
defer_apply* related methods.
** Affects: neutron
Importance: Undecided
Assignee: Sonu (sonu-sudhakaran)
Status: New
** Changed in: neutron
Assignee: (unassigned) => Sonu (sonu-sudhakaran)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1511782
Title:
securitygroup rule and member updates not applied correctly
Status in neutron:
New
Bug description:
Summary:
When using enhanced RPC, the security group rules and members are updated
after the call to update port filter. This is with a firewall driver that has
no need to use defer_apply based implementation.
Description:
In class SecurityGroupAgentRpc(..) refresh_firewall, if we use
enhanced_rpc, the rules and members are updated after the calls to
update_port_filter (...). This works fine for IP Tables based firewall
driver, since it has the need to override 'filter_defer_apply_on' and
'filter_defer_apply_off' methods to defer calling of iptables cmds.
Due to this, Firewall drivers that do not override
filter_defer_apply_on/off methods misses applying the new rules, since
rule updates happens post update_port_filter call into the driver.
Symptoms:
Rule update or a security group member update is not processed by the
firewall driver instantly.
Environment:
Openstack master with hyper-v security groups driver with enhanced_rpc set to
True.
This is applicable to any Firewall driver that chooses not to implement
defer_apply* related methods.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1511782/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
