Public bug reported:

How to reproduce the issue:

1. Use neutron-ovs-agent with openvswitch firewall driver,
2. Spawn a VM with an SG which has some rule to allow some kind of traffic (can be e.g. ssh to the instance),
3. Establish a connection according to the rule(s) in the SG (e.g. connect through ssh to the instance),
4. Keep the established connection and remove the security group from the port,
5. Add the security group to the port again,
6. Your connection will not be "restored" because in the conntrack table there are entries like:

tcp      6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660
dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED]
mark=1 zone=4 use=1

The connection will be restored when that entry is deleted.

** Affects: neutron
     Importance: Low
     Assignee: Slawek Kaplonski (slaweq)
         Status: New


** Tags: ovs-fw

https://bugs.launchpad.net/bugs/1915530

Title:
  Openvswitch firewall - removing and adding security group breaks
  connectivity

Status in neutron:
  New

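Added example, not part of the bug report and not neutron's own code: Python that picks out conntrack entries like the one quoted in the report (mark=1 in the port's zone) from `conntrack -L` style output and builds the matching `conntrack -D` command for each. The function names, the second and third sample lines, and the one-entry-per-line input are assumptions made here.

```python
import re
import shlex

# Constructed sample in `conntrack -L` format, one entry per line. The first
# line is the entry quoted in the report; the other two are made up.
SAMPLE = """\
tcp      6 296 ESTABLISHED src=10.0.0.2 dst=10.0.0.44 sport=34660 dport=22 src=10.0.0.44 dst=10.0.0.2 sport=22 dport=34660 [ASSURED] mark=1 zone=4 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.45 sport=51000 dport=22 src=10.0.0.45 dst=10.0.0.2 sport=22 dport=51000 [ASSURED] mark=0 zone=4 use=1
udp      17 25 src=10.0.0.44 dst=10.0.0.1 sport=40000 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.44 sport=53 dport=40000 mark=1 zone=7 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """Parse one conntrack line into a dict, or return None if it is not an entry."""
    fields = line.split()
    if len(fields) < 4:
        return None
    entry = {"proto": fields[0]}
    for key, value in KV.findall(line):
        # src/dst/sport/dport appear twice: original tuple first, reply tuple second.
        if key in entry:
            entry.setdefault("reply_" + key, value)
        else:
            entry[key] = value
    return entry if "src" in entry and "dst" in entry else None

def stale_entries(text, port_ip, zone, mark=1):
    """Entries in `zone` carrying `mark` whose original tuple involves port_ip."""
    hits = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None or e.get("zone", "0") != str(zone) or e.get("mark", "0") != str(mark):
            continue
        if port_ip in (e["src"], e["dst"]):
            hits.append(e)
    return hits

def delete_command(e):
    """Build the conntrack -D argv that removes exactly this entry."""
    argv = ["conntrack", "-D", "-p", e["proto"], "-s", e["src"], "-d", e["dst"],
            "-w", e.get("zone", "0"), "-m", e.get("mark", "0")]
    if "sport" in e:  # ICMP entries have no ports
        argv += ["--sport", e["sport"], "--dport", e["dport"]]
    return argv

if __name__ == "__main__":
    for e in stale_entries(SAMPLE, "10.0.0.44", zone=4):
        print(shlex.join(delete_command(e)))
```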