Public bug reported:
From my lab, I tried to apply the stateless security group for one port
"172.26.9.54" and used hping3 to generate TCP connections and monitor the
nf_conntrack number, but there is no effect. After debugging the iptables
rules, I saw the following syntax error in iptables that caused the "no-
track" policy to become ineffective:
This is the output from `iptables-save`:
## The port of the first server uses the same subnet (public subnet of the provider) - IP address 172.26.9.97
Line 33: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
Line 34: -A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
Line 35: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap076a0ad0-20 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
## The port of the second server uses the same subnet (public subnet of the provider) - IP address 172.26.9.54
Line 52: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
Line 53: -A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
Line 54: -A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapdec8b333-40 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
** Affects: neutron
Importance: Undecided
Status: New
** Tags: firewall group security stateless
** Tags added: firewall group security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2020060
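The ordering the report shows (a CT --zone rule on the shared bridge brq959cb64a-b4 at lines 33-34, then a CT --notrack rule on the same bridge at lines 52-53) can be checked mechanically from `iptables-save` output. The following script is an added example and not neutron code: it parses the quoted rules (embedded here as a constructed sample, line labels dropped) and flags every notrack rule that is preceded, in the same chain, by a zone rule on the same interface, which is the situation the reporter describes as leaving notrack ineffective.

```python
import shlex

# Constructed sample: the PREROUTING rules quoted in the bug report.
IPTABLES_SAVE = """\
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap076a0ad0-20 -m comment --comment "Set zone for 76a0ad0-20" -j CT --zone 4099
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -i brq959cb64a-b4 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tapdec8b333-40 -m comment --comment "Make ec8b333-40 stateless" -j CT --notrack
"""


def parse_ct_rule(line):
    """Return (chain, iface, action) for an '-A <chain> ... -j CT ...' rule, else None.
    iface is taken from --physdev-in or -i; action is 'zone:<n>' or 'notrack'."""
    if not line.startswith("-A ") or " -j CT" not in line:
        return None
    toks = shlex.split(line)  # handles the quoted --comment argument
    chain, iface, action = toks[1], None, None
    for i, tok in enumerate(toks):
        if tok in ("--physdev-in", "-i"):
            iface = toks[i + 1]
        elif tok == "--zone":
            action = "zone:" + toks[i + 1]
        elif tok == "--notrack":
            action = "notrack"
    if iface is None or action is None:
        return None
    return chain, iface, action


def find_shadowed_notrack(text):
    """List (line_no, chain, iface, zone_line_no) for each CT --notrack rule that a
    CT --zone rule on the same chain and interface precedes; rules are evaluated
    in order, so the earlier zone rule handles the packet before notrack is reached."""
    first_zone = {}  # (chain, iface) -> line number of the first CT --zone rule
    shadowed = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_ct_rule(line)
        if parsed is None:
            continue
        chain, iface, action = parsed
        key = (chain, iface)
        if action.startswith("zone:"):
            first_zone.setdefault(key, n)
        elif key in first_zone:
            shadowed.append((n, chain, iface, first_zone[key]))
    return shadowed


if __name__ == "__main__":
    for n, chain, iface, z in find_shadowed_notrack(IPTABLES_SAVE):
        print(f"line {n}: notrack on {iface} in {chain} is preceded by zone rule at line {z}")
```

Run against a live host with `iptables-save | python3 check_notrack.py` after replacing the constructed sample with `sys.stdin.read()`; an empty result means no stateless port on that node shares an interface with an earlier zone rule.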
Title:
Stateless Feature of Security Group Not Functioning in Case of Other Port on Same Compute Using Stateful
Status in neutron:
New