Public bug reported:

Summary: When using enhanced RPC, the security group rules and members are updated after the call to update port filter. This is with a firewall driver that has no need to use defer_apply based implementation.

Description: In class SecurityGroupAgentRpc(..) refresh_firewall, if we use enhanced_rpc, the rules and members are updated after the calls to update_port_filter (...). This works fine for the iptables-based firewall driver, since it has the need to override 'filter_defer_apply_on' and 'filter_defer_apply_off' methods to defer calling of iptables cmds.

Due to this, firewall drivers that do not override filter_defer_apply_on/off methods miss applying the new rules, since rule updates happen post update_port_filter call into the driver.

Symptoms: Rule update or a security group member update is not processed by the firewall driver instantly.

Environment: OpenStack master with hyper-v security groups driver with enhanced_rpc set to True. This is applicable to any firewall driver that chooses not to implement defer_apply* related methods.

** Affects: neutron
   Importance: Undecided
   Assignee: Sonu (sonu-sudhakaran)
   Status: New

** Changed in: neutron
   Assignee: (unassigned) => Sonu (sonu-sudhakaran)

https://bugs.launchpad.net/bugs/1511782

Title: securitygroup rule and member updates not applied correctly

Status in neutron: New
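
The ordering problem reported above, as an added example that is not part of the original report and is not neutron's code: a simplified model in which `ImmediateDriver`, `DeferringDriver`, `update_security_group_rules`, the `rules_first` switch and the sample rules are all illustrative assumptions. It shows that a driver with no-op defer hooks keeps enforcing a rule the update removed, while a deferring driver picks up the new rules.

```python
class ImmediateDriver:
    """Model driver that enforces rules inside update_port_filter; defer hooks are no-ops."""
    def __init__(self, sg_rules):
        self.sg_rules = dict(sg_rules)   # cached rules per security group
        self.applied = {}                # port id -> rules actually enforced
    def filter_defer_apply_on(self):
        pass
    def filter_defer_apply_off(self):
        pass
    def update_security_group_rules(self, sg_id, rules):
        self.sg_rules[sg_id] = list(rules)
    def update_port_filter(self, port):
        self._apply(port)
    def _apply(self, port):
        self.applied[port["id"]] = [r for sg in port["security_groups"]
                                    for r in self.sg_rules.get(sg, [])]

class DeferringDriver(ImmediateDriver):
    """Model of an iptables-style driver: queue ports while deferred, apply on defer-off."""
    _pending = None
    def filter_defer_apply_on(self):
        self._pending = []
    def update_port_filter(self, port):
        if self._pending is None:
            return self._apply(port)
        self._pending.append(port)
    def filter_defer_apply_off(self):
        pending, self._pending = self._pending or [], None
        for port in pending:
            self._apply(port)

def refresh_firewall(driver, ports, new_rules, rules_first=False):
    """rules_first=False models the reported order; True is one possible reordering."""
    def push_rules():
        for sg_id, rules in new_rules.items():
            driver.update_security_group_rules(sg_id, rules)
    driver.filter_defer_apply_on()
    if rules_first:
        push_rules()
    for port in ports:
        driver.update_port_filter(port)
    if not rules_first:
        push_rules()
    driver.filter_defer_apply_off()
    return driver.applied

# Constructed sample: the update removes the SSH rule from sg1.
OLD = {"sg1": ["allow tcp/22", "allow tcp/443"]}
NEW = {"sg1": ["allow tcp/443"]}
PORTS = [{"id": "p1", "security_groups": ["sg1"]}]
```

With the reported order, `refresh_firewall(ImmediateDriver(OLD), PORTS, NEW)` leaves `allow tcp/22` enforced on `p1` until some later refresh, which is the symptom the report describes.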