Public bug reported: If iptables driver is used for Security groups (e.g. in Linuxbridge L2 agent) there is an issue with update rules. When You have rule which allows some kind of traffic (like ssh for example from some src IP address) and You have established, active connection which match this rule, connection will be still active even if rule will be removed/changed. It is because in iptables in chain for each SG as first there is rule to accept packets with "state RELATED,ESTABLISHED". I'm not sure if it is in fact bug or maybe it's just design decision to have better performance of iptables.
** Affects: neutron Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1657260 Title: Established connection don't stops when rule is removed Status in neutron: New Bug description: If iptables driver is used for Security groups (e.g. in Linuxbridge L2 agent) there is an issue with update rules. When You have rule which allows some kind of traffic (like ssh for example from some src IP address) and You have established, active connection which match this rule, connection will be still active even if rule will be removed/changed. It is because in iptables in chain for each SG as first there is rule to accept packets with "state RELATED,ESTABLISHED". I'm not sure if it is in fact bug or maybe it's just design decision to have better performance of iptables. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1657260/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp