** Also affects: neutron/kilo
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1333365

Title:
  Deleting a VM port does not remove Security rules in ip tables

Status in neutron:
  Fix Released
Status in neutron kilo series:
  New

Bug description:
  Deleting a VM port does not remove security rules associated to VM
  port in ip tables.

  Setup: ICEHOUSE GA with KVM compute node, network node, controller

  1. Spawn a VM with security group attached.
  2. Delete a VM port
  3. Verify the ip tables

  VM IP: 10.10.1.4
  Rules attached: TCP and icmp rule

  root@ICN-KVM:~# ovs-vsctl show
  f3b34ea5-9799-460d-99bb-26359fd26e38
      Bridge "br-eth1"
          Port "br-eth1"
              Interface "br-eth1"
                  type: internal
          Port "phy-br-eth1"
              Interface "phy-br-eth1"
          Port "eth1"
              Interface "eth1"
      Bridge br-int
          Port br-int
              Interface br-int
                  type: internal
          Port "qvof28b18dc-c3"   <<<<<<<<<<<<<<<<<<< VM tap port
              tag: 1
              Interface "qvof28b18dc-c3"
          Port "int-br-eth1"
              Interface "int-br-eth1"
      ovs_version: "2.0.1"
  root@ICN-KVM:~#

  After deleting a port, security rules are still present in iptables.
  ---------------------------------------------------------------------

  root@ICN-KVM:~# iptables-save | grep 28b18dc
  :neutron-openvswi-if28b18dc-c - [0:0]
  :neutron-openvswi-of28b18dc-c - [0:0]
  :neutron-openvswi-sf28b18dc-c - [0:0]
  -A neutron-openvswi-FORWARD -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-sg-chain
  -A neutron-openvswi-FORWARD -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-sg-chain
  -A neutron-openvswi-INPUT -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-of28b18dc-c
  -A neutron-openvswi-if28b18dc-c -m state --state INVALID -j DROP
  -A neutron-openvswi-if28b18dc-c -m state --state RELATED,ESTABLISHED -j RETURN
  -A neutron-openvswi-if28b18dc-c -p tcp -m tcp -j RETURN
  -A neutron-openvswi-if28b18dc-c -p icmp -j RETURN
  -A neutron-openvswi-if28b18dc-c -s 10.10.1.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
  -A neutron-openvswi-if28b18dc-c -j neutron-openvswi-sg-fallback
  -A neutron-openvswi-of28b18dc-c -p udp -m udp --sport 68 --dport 67 -j RETURN
  -A neutron-openvswi-of28b18dc-c -j neutron-openvswi-sf28b18dc-c
  -A neutron-openvswi-of28b18dc-c -p udp -m udp --sport 67 --dport 68 -j DROP
  -A neutron-openvswi-of28b18dc-c -m state --state INVALID -j DROP
  -A neutron-openvswi-of28b18dc-c -m state --state RELATED,ESTABLISHED -j RETURN
  -A neutron-openvswi-of28b18dc-c -j RETURN
  -A neutron-openvswi-of28b18dc-c -j neutron-openvswi-sg-fallback
  -A neutron-openvswi-sf28b18dc-c -s 10.10.1.4/32 -m mac --mac-source FA:16:3E:D4:47:F8 -j RETURN
  -A neutron-openvswi-sf28b18dc-c -j DROP
  -A neutron-openvswi-sg-chain -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-if28b18dc-c
  -A neutron-openvswi-sg-chain -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-of28b18dc-c
  root@ICN-KVM:~#
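
An added example, not part of the bug report and not neutron's own code: a check that reads iptables-save text, finds tap devices still named in physdev rules but absent from the host, and follows the jumps to list the per-port chains left behind. The function name, the SAMPLE subset and the tapaaaaaaaa-01 port are constructed for illustration; the other rule lines are taken from the output above.

```python
import re
from collections import defaultdict

PREFIX = "neutron-openvswi-"
PHYSDEV = re.compile(r"--physdev-(?:in|out) (tap\S+)")
RULE = re.compile(r"^-A (\S+)(?: .*)? -j (\S+)")
# Chains shared by every port on the host; never reported as leftovers.
SHARED = {PREFIX + "sg-chain", PREFIX + "sg-fallback"}

# Subset of the report's output plus one constructed rule for a live port.
SAMPLE = """\
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-of28b18dc-c
-A neutron-openvswi-of28b18dc-c -j neutron-openvswi-sf28b18dc-c
-A neutron-openvswi-sf28b18dc-c -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf28b18dc-c3 --physdev-is-bridged -j neutron-openvswi-if28b18dc-c
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapaaaaaaaa-01 --physdev-is-bridged -j neutron-openvswi-oaaaaaaaa-0
"""

def stale_port_chains(iptables_save, live_devices):
    """Map each tap device that rules still reference, but that is not in
    live_devices, to the per-port chains reachable from its physdev rules."""
    jumps = defaultdict(set)   # chain -> per-port chains it jumps to
    entry = defaultdict(set)   # tap device -> chains entered via physdev match
    for line in iptables_save.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue           # chain declarations, comments, COMMIT, ...
        chain, target = m.groups()
        per_port = target.startswith(PREFIX) and target not in SHARED
        dev = PHYSDEV.search(line)
        if dev:
            entry[dev.group(1)]            # record the device even if the
            if per_port:                   # rule only jumps to a shared chain
                entry[dev.group(1)].add(target)
        elif per_port:
            jumps[chain].add(target)
    report = {}
    for dev, chains in entry.items():
        if dev in live_devices:
            continue
        seen, todo = set(), list(chains)
        while todo:                        # follow jumps, e.g. o-chain -> s-chain
            c = todo.pop()
            if c not in seen:
                seen.add(c)
                todo.extend(jumps[c])
        report[dev] = sorted(seen)
    return report
```

On a compute node the rules text would come from iptables-save and the live set from os.listdir("/sys/class/net").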