Public bug reported:
1. Create 2 security groups:
   test-security1, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
   test-security2, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security2)

2. Create a VM (IP: 40.0.0.46) with test-security1, then the open flows showed:
   cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
   cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)

3. Update the VM's sg to test-security2, then the open flows showed:
   cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
   cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)

You can see the old conjunctions for test-security1 still exist:
conjunction(14,1/2) and conjunction(15,1/2)

This will cause a security problem for the VM, because it can still be reached by the old sg's VMs.

** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
1.Create 2 security groups:
test-security1, with rule(ingress, IPv4, 1-65535/tcp, remote_group:
test-security1)
test-security2, with rule(ingress, IPv4, 1-65535/tcp, remote_group:
test-security2)
2.Create a VM(IP: 40.0.0.46) with test-security1, then the open flows showed:
- cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0,
n_bytes=0, idle_age=790,
priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46
actions=conjunction(14,1/2)
- cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0,
n_bytes=0, idle_age=790,
priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46
actions=conjunction(15,1/2)
+ cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0,
n_bytes=0, idle_age=790,
priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46
actions=conjunction(14,1/2)
+ cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0,
n_bytes=0, idle_age=790,
priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46
actions=conjunction(15,1/2)
- 3.Update VM's sg to test-security2, then the open flows showed:
- cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0,
n_bytes=0, idle_age=814,
priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46
actions=conjunction(14,1/2),conjunction(22,1/2)
- cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0,
n_bytes=0, idle_age=814,
priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46
actions=conjunction(15,1/2),conjunction(23,1/2)
+ 3.Update VM's sg to test-security2, then the open flows showed:
+ cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0,
n_bytes=0, idle_age=814,
priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46
actions=conjunction(14,1/2),conjunction(22,1/2)
+ cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0,
n_bytes=0, idle_age=814,
priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46
actions=conjunction(15,1/2),conjunction(23,1/2)
- You can see the old conjunction for test-security1 still exists:
conjunction(15,1/2)
+ You can see the old conjunction for test-security1 still exists:
conjunction(14,1/2) and conjunction(15,1/2)
This will cause security problem for VM, because it still can be reached by
the old sg VMs.
--
https://bugs.launchpad.net/bugs/1854131
Title:
Old conjunction left after sg update
Status in neutron:
New
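
Added example, not part of the original report or of neutron's code: a Python check that compares two flow dumps in the layout shown above (the one `ovs-ofctl dump-flows` prints) and lists conjunction ids that stay on the same match while new ids appear, the pattern the report shows for 14 and 15. It assumes the port was moved completely out of the old security group, so a kept id is unexpected; the function names and the shortened sample lines (dummy cookie and counters) are constructed for illustration.

```python
import re

CONJ = re.compile(r"conjunction\((\d+),(\d+)/(\d+)\)")

def parse_flows(dump):
    """Map (table, match) -> set of conjunction ids found in that flow's actions."""
    flows = {}
    for line in dump.splitlines():
        if " actions=" not in line:
            continue
        head, actions = line.strip().split(" actions=", 1)
        table = re.search(r"\btable=(\d+)", head)
        # The match is the last ", "-separated field: "priority=...,nw_src=...".
        # Cookie and counters are left out of the key because they change
        # when the agent rewrites the flow.
        match = head.split(", ")[-1]
        key = (int(table.group(1)) if table else 0, match)
        flows.setdefault(key, set()).update(int(m[0]) for m in CONJ.findall(actions))
    return flows

def leftover_conjunctions(before, after):
    """Per match, ids kept from `before` on a flow that also gained new ids."""
    old, new = parse_flows(before), parse_flows(after)
    report = {}
    for key, ids in new.items():
        kept = ids & old.get(key, set())
        added = ids - old.get(key, set())
        if kept and added:  # old group's id still present beside the new one
            report[key] = {"kept": sorted(kept), "added": sorted(added)}
    return report

def _flow(ct_state, actions):
    # Constructed sample line; match fields and conjunction ids come from the report.
    return ("cookie=0x0, duration=1s, table=82, n_packets=0, n_bytes=0, idle_age=0, "
            f"priority=73,ct_state={ct_state},ip,reg6=0x8,nw_src=40.0.0.46 "
            f"actions={actions}")

BEFORE = "\n".join([_flow("+est-rel-rpl", "conjunction(14,1/2)"),
                    _flow("+new-est", "conjunction(15,1/2)")])
AFTER = "\n".join([_flow("+est-rel-rpl", "conjunction(14,1/2),conjunction(22,1/2)"),
                   _flow("+new-est", "conjunction(15,1/2),conjunction(23,1/2)")])

if __name__ == "__main__":
    for (table, match), ids in leftover_conjunctions(BEFORE, AFTER).items():
        print(f"table={table} {match}: kept {ids['kept']}, added {ids['added']}")
```

A port that legitimately remains in the old group as well would also show kept ids, so the result is only meaningful against the intended group membership.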