Deleting last rule in Security Group does not update firewall

Bug #1420056 reported by Ramu Ramamurthy
This bug affects 4 people

Affects: neutron
Status: In Progress
Importance: Medium
Assigned to: Zhiyuan Cai

Bug Description

Scenario:
     VM port with 1 Security Group with 1 egress icmp rule
(example rule:
{u'ethertype': u'IPv4', u'direction': u'egress', u'protocol': u'icmp', u'dest_ip_prefix': u'0.0.0.0/0'}
)

Steps:
     Delete the (last) rule from the above Security Group via Horizon

Result:
    Find that iptables shows the egress icmp rule even after its deletion

Root Cause:
    In this scenario, security_group_info_for_devices() returns the following to the agent. Note that the
'security_groups' field is an empty dictionary {}! This causes _update_security_groups_info in the agent to NOT update the firewall.

The security_groups field must contain the security_group_id as key with an empty list for the rules.

{u'sg_member_ips': {}, u'devices': {u'ea19fb55-39bb-4e59-9d10-26c74eb3ff95': {u'status': u'ACTIVE', u'security_group_source_groups': [], u'binding:host_id': u'vRHEL29-1', u'name': u'', u'allowed_address_pairs': [{u'ip_address': u'10.0.0.201', u'mac_address': u'fa:16:3e:02:4b:b3'}, {u'ip_address': u'10.0.10.202', u'mac_address': u'fa:16:3e:02:4b:b3'}, {u'ip_address': u'10.0.20.203', u'mac_address': u'fa:16:3e:02:4b:b3'}], u'admin_state_up': True, u'network_id': u'f665dc8c-76da-4fde-8d26-535871487e4c', u'tenant_id': u'f5019aeae9e64443970bb0842e22e2b3', u'extra_dhcp_opts': [], u'security_group_rules': [{u'source_port_range_min': 67, u'direction': u'ingress', u'protocol': u'udp', u'ethertype': u'IPv4', u'port_range_max': 68, u'source_port_range_max': 67, u'source_ip_prefix': u'10.0.2.3', u'port_range_min': 68}], u'binding:vif_details': {u'port_filter': False}, u'binding:vif_type': u'bridge', u'device_owner': u'compute:nova', u'mac_address': u'fa:16:3e:02:4b:b3', u'device': u'tapea19fb55-39', u'binding:profile': {}, u'binding:vnic_type': u'normal', u'fixed_ips': [u'10.0.2.6'], u'id': u'ea19fb55-39bb-4e59-9d10-26c74eb3ff95', u'security_groups': [u'849ee59c-d100-4940-930b-44e358775ed3'], u'device_id': u'2b330c29-c16f-4bbf-b80a-bd5bae41b514'}}, u'security_groups': {}} security_group_info_for_devices /usr/lib/python2.6/site-packages/neutron/agent/securitygroups_rpc.py:104
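To make the root cause concrete, here is an added illustration in Python (not Neutron's own code, and not posted by the reporter): a simplified server-side builder for the 'security_groups' map in the buggy shape (keys derived from rules only, so a group whose last rule was deleted disappears from the map) next to the fixed shape (one key per group referenced by a device, with an empty list when no rules remain), both fed through a toy agent-side consumer that, like the _update_security_groups_info described above, only touches groups present as keys. The names build_sg_info_buggy, build_sg_info_fixed, ToyFirewall, update_security_groups_info and simulate, and the rule tables, are constructed for this illustration; only the ids are reused from the report.

```python
"""Illustration (not Neutron's own code) of why an empty 'security_groups'
map lets a deleted rule survive in the firewall, and of the shape the report
asks for: every security group referenced by a device is present as a key,
with an empty rule list once it has no rules left.
"""
from collections import defaultdict

# Constructed sample data modelled on the report: one port in one security
# group whose only rule (egress icmp) is about to be deleted.
SG_ID = "849ee59c-d100-4940-930b-44e358775ed3"
DEVICE_ID = "ea19fb55-39bb-4e59-9d10-26c74eb3ff95"

DEVICES = {DEVICE_ID: {"security_groups": [SG_ID]}}
RULES_BEFORE_DELETE = [
    {"security_group_id": SG_ID, "ethertype": "IPv4", "direction": "egress",
     "protocol": "icmp", "dest_ip_prefix": "0.0.0.0/0"},
]
RULES_AFTER_DELETE = []  # the last rule has been removed via Horizon


def build_sg_info_buggy(devices, rules):
    """Hypothetical buggy builder: the map is derived from rules alone, so a
    group whose rules were all deleted is simply absent. 'devices' is unused
    on purpose; that is the defect."""
    sg_info = defaultdict(list)
    for rule in rules:
        sg_info[rule["security_group_id"]].append(rule)
    return dict(sg_info)


def build_sg_info_fixed(devices, rules):
    """Fixed shape: seed one key per security group referenced by any device,
    then attach rules. A group with no rules is reported as an empty list."""
    sg_info = {sg_id: [] for dev in devices.values()
               for sg_id in dev["security_groups"]}
    for rule in rules:
        sg_info.setdefault(rule["security_group_id"], []).append(rule)
    return sg_info


class ToyFirewall:
    """Minimal stand-in for the agent's per-group rule cache (not the real
    iptables driver)."""

    def __init__(self):
        self.sg_rules = {}

    def update_security_group_rules(self, sg_id, rules):
        self.sg_rules[sg_id] = list(rules)


def update_security_groups_info(firewall, sg_info):
    """Toy agent-side consumer in the shape the report describes: it only
    touches groups that appear as keys, so an empty map is a no-op and any
    previously programmed rules stay in place."""
    for sg_id, rules in sg_info.items():
        firewall.update_security_group_rules(sg_id, rules)
    return firewall.sg_rules


def simulate(builder):
    """Program the initial rule set, then replay the post-delete state through
    the same builder, and return what the firewall holds for SG_ID."""
    fw = ToyFirewall()
    update_security_groups_info(fw, builder(DEVICES, RULES_BEFORE_DELETE))
    update_security_groups_info(fw, builder(DEVICES, RULES_AFTER_DELETE))
    return fw.sg_rules[SG_ID]


if __name__ == "__main__":
    print("buggy map after delete:", build_sg_info_buggy(DEVICES, RULES_AFTER_DELETE))
    print("fixed map after delete:", build_sg_info_fixed(DEVICES, RULES_AFTER_DELETE))
    print("firewall, buggy builder:", simulate(build_sg_info_buggy))
    print("firewall, fixed builder:", simulate(build_sg_info_fixed))
```

With the buggy builder the firewall still holds the icmp rule after the delete, exactly the stale iptables entry the report observed; with the fixed builder the group is explicitly sent with an empty rule list and the firewall is cleared. The security-relevant point is the fail-open direction: a "nothing changed" message from the server leaves the last-programmed, more permissive rule set in force on the compute host.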

Tags: fwaas sg-fw
summary: - Deleting last rule in Security Group does not work
+ Deleting last rule in Security Group does not update firewall
tags: added: fwaas sg-fw
Changed in neutron:
importance: Undecided → Medium
status: New → Confirmed
Changed in neutron:
assignee: nobody → Zhiyuan Cai (luckyvega-g)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/156032

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: master
Review: https://review.openstack.org/156032
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Hong Hui Xiao (xiaohhui) wrote :

I just checked, the bug can't be reproduced in the latest code. After checking the history, the bug has been fixed at [1]. I will close this bug as a duplicate.

[1] https://github.com/openstack/neutron/blob/764f018f50ac7cd42c29efeabaccbb5aec21f6f4/neutron/db/securitygroups_rpc_base.py#L208-L212
