Reviewed:  https://review.opendev.org/696236
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=5cb0ff418a0794d060001a7313561c4cfb584d0e
Submitter: Zuul
Branch:    master

commit 5cb0ff418a0794d060001a7313561c4cfb584d0e
Author: Yang Li <[email protected]>
Date:   Wed Nov 27 14:48:05 2019 +0800

    Add more condition to check sg member exist

    Only check sg object is not enough, we should also check sg'ports is {}
    or not. Otherwise the old conjunction will still exist.

    Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
    Closes-Bug: #1854131

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1854131

Title:
  Old conjunction left after sg update

Status in neutron:
  Fix Released

Bug description:
  1. Create 2 security groups:
     test-security1, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
     test-security2, with rule (ingress, IPv4, 1-65535/tcp, remote_group: test-security2)

  2. Create a VM (IP: 40.0.0.46) with test-security1, then the open flows showed:

     cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
     cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)

  3. Update VM's sg to test-security2, then the open flows showed:

     cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
     cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)

  You can see the old conjunction for test-security1 still exists:
  conjunction(14,1/2) and conjunction(15,1/2)

  This will cause security problem for VM, because it still can be reached
  by the old sg VMs.
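A check for the leftover conjunctions described in the bug, as an added example that is not part of the original report or of the neutron fix. It compares the table=82 flows for one address before and after a security group change; the function names are hypothetical, and it assumes the port was moved to a group that shares no remote-group rule with the old one, so every earlier conjunction id should be gone.

```python
import re
from collections import defaultdict

# Constructed sample input: the table=82 flows quoted in the bug description,
# before (step 2) and after (step 3) the security group update.
BEFORE = """\
cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)
"""
AFTER = """\
cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)
"""

CONJ_RE = re.compile(r"conjunction\((\d+),\d+/\d+\)")
SRC_RE = re.compile(r"\bnw_src=([0-9.]+(?:/\d+)?)")
TABLE_RE = re.compile(r"\btable=(\d+)")


def conjunctions_by_source(dump, table=82):
    """Map each nw_src address to the conjunction ids its flows feed."""
    result = defaultdict(set)
    for line in dump.splitlines():
        match_part, sep, actions = line.partition(" actions=")
        table_m = TABLE_RE.search(match_part)
        src_m = SRC_RE.search(match_part)
        # Skip lines without actions, from other tables, or without nw_src.
        if not sep or not table_m or int(table_m.group(1)) != table or not src_m:
            continue
        result[src_m.group(1)].update(int(i) for i in CONJ_RE.findall(actions))
    return dict(result)


def stale_conjunctions(before, after, address):
    """Ids present both before and after a change meant to replace them all
    (assumption: old and new groups share no remote-group rule)."""
    old = conjunctions_by_source(before).get(address, set())
    new = conjunctions_by_source(after).get(address, set())
    return sorted(old & new)


if __name__ == "__main__":
    print("stale conjunction ids:", stale_conjunctions(BEFORE, AFTER, "40.0.0.46"))
```

An empty result for the address means the old group's conjunctions were removed along with the membership change.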

