Public bug reported:

During the creation of a new port in the integration bridge (br-int), first the firewall rules are applied and then all flows matching this input port are deleted:

    if cur_tag != lvm.vlan:
        self.int_br.delete_flows(in_port=port.ofport)

This happens only when the port is created (or the vlan tag changes). If any firewall rule is applied using the in_port as a condition, during the initialization of the firewall for this port, this rule is deleted.

Instead of that, this security action should be moved to the previous function, "_add_port_tag_info", in order to avoid any firewall rule deletion and to maintain the same security level during the port creation; that means the port doesn't allow any kind of traffic until the firewall rules are applied.

** Affects: neutron
     Importance: Undecided
     Assignee: Rodolfo Alonso (rodolfo-alonso-hernandez)
         Status: New

** Tags: firewall groups ovs security

** Tags added: firewall groups ovs security

** Changed in: neutron
     Assignee: (unassigned) => Rodolfo Alonso (rodolfo-alonso-hernandez)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1559920

Title:
  Flows per in_port are deleted after SG rules are applied

Status in neutron:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1559920/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
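The ordering problem in the report, as an added illustration that is not part of the bug or of neutron's code. It models br-int as a tiny flow table whose delete_flows() uses the same partial-match semantics as "ovs-ofctl del-flows" (a flow is removed when every field in the deletion spec matches it), runs the port-binding steps in the order the report describes and in the order it proposes, and shows which firewall flows survive. The IntBridge, Port, apply_sg_rules and bind_* names, the table numbers and the sample rules are all assumptions made for the example; the set_tag() body is the snippet quoted in the report.

```python
"""Toy model of "flows per in_port are deleted after SG rules are applied".

This is example code written for this page, not neutron's OVS agent or its
firewall driver. The flow table, port and security-group flows below are
constructed stand-ins chosen to show the ordering, nothing more.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    table: int
    match: dict      # OpenFlow match fields, e.g. {"in_port": 5, "tcp_dst": 22}
    actions: str


class IntBridge:
    """Minimal stand-in for the integration bridge (br-int)."""

    def __init__(self):
        self.flows = []
        self.tags = {}   # port_name -> VLAN tag stored in the OVSDB Port row

    def add_flow(self, table, actions, **match):
        self.flows.append(Flow(table, dict(match), actions))

    def delete_flows(self, **match):
        """Remove every flow whose match contains all of the given fields.

        This mirrors `ovs-ofctl del-flows br-int in_port=N`: a partial match
        is a filter, so one call with only in_port wipes every per-port flow,
        including the firewall's.
        """
        self.flows = [f for f in self.flows
                      if not all(f.match.get(k) == v for k, v in match.items())]

    def flows_for(self, ofport):
        return [f for f in self.flows if f.match.get("in_port") == ofport]


@dataclass
class Port:
    port_name: str
    ofport: int
    vlan: int   # local VLAN the agent assigned to the port's network (lvm.vlan)


def apply_sg_rules(br, port):
    """Stand-in for the firewall driver installing per-port flows keyed on
    in_port. The tables and rules are illustrative, not neutron's layout."""
    br.add_flow(table=0, in_port=port.ofport, dl_type="0x0806", actions="resubmit(,71)")
    br.add_flow(table=71, in_port=port.ofport, tcp_dst=22, actions="NORMAL")
    br.add_flow(table=71, in_port=port.ofport, actions="drop")


def set_tag(br, port):
    """The snippet from the report: on a tag change, delete every flow that
    matches this in_port."""
    cur_tag = br.tags.get(port.port_name)
    if cur_tag != port.vlan:
        br.tags[port.port_name] = port.vlan
        br.delete_flows(in_port=port.ofport)


def bind_reported_order(br, port):
    """Order the report describes: firewall flows first, then the tag change
    with its delete_flows(in_port=...)."""
    apply_sg_rules(br, port)
    set_tag(br, port)
    return br.flows_for(port.ofport)


def bind_proposed_order(br, port):
    """Order the report proposes: clear stale flows while tagging the port,
    then install the firewall, so the rules installed last are the ones kept."""
    set_tag(br, port)
    apply_sg_rules(br, port)
    return br.flows_for(port.ofport)


if __name__ == "__main__":
    vm_port = Port("tap-example", ofport=5, vlan=1)     # constructed sample port
    print("reported order keeps", len(bind_reported_order(IntBridge(), vm_port)), "SG flows")
    print("proposed order keeps", len(bind_proposed_order(IntBridge(), vm_port)), "SG flows")
```

The second call of set_tag() for an already-tagged port is a no-op, which is the "only when the port is created or the tag changes" case in the report: a later firewall refresh on a bound port is not affected, only the initial binding (or a retag) loses its rules.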