Public bug reported:

environment: devstack master

When updating a firewall, we should update the iptables first, and then clear the conntrack record, just like the function create_firewall(). Otherwise, the conntrack record could be reproduced.

We can trigger the firewall_update action by:
1. # neutron firewall-update f1 --no-routers
2. vm pings an external ip address all the time
3. # neutron firewall-update f1 --router demo-router

We can find that the vm can still ping the external ip address successfully.

** Affects: neutron
     Importance: Undecided
     Assignee: wujun (wujun)
         Status: New

** Tags: fwaas

** Changed in: neutron
     Assignee: (unassigned) => wujun (wujun)

--
https://bugs.launchpad.net/bugs/1696093

Title:
  When updating a firewall, we should update the iptables first, and then clear the conntrack record, just like the function create_firewall(). Otherwise, the conntrack record could be reproduced.

Status in neutron:
  New
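Added example, not part of the original bug report and not neutron-fwaas code: a simplified Python model of a stateful filter showing why the order of the two steps matters while traffic keeps flowing. The `Router` class, its method names, the sample flow and the deny-all firewall policy are assumptions made for illustration.

```python
# Simplified model of a stateful packet filter (illustrative, not neutron-fwaas).
# A packet is accepted if its flow already has a conntrack entry (ESTABLISHED)
# or if the current rule set allows new flows; every accepted packet
# creates or refreshes the conntrack entry.

class Router:
    def __init__(self):
        self.allow_new = True      # no firewall attached: new flows pass
        self.conntrack = set()     # flows currently tracked

    def packet(self, flow):
        if flow in self.conntrack or self.allow_new:
            self.conntrack.add(flow)
            return True
        return False

    def apply_rules(self):         # stands in for the iptables update
        self.allow_new = False     # assumed policy: firewall denies new flows

    def flush_conntrack(self):     # stands in for clearing conntrack records
        self.conntrack.clear()


def attach_firewall(order):
    """Attach the firewall while a ping is running.

    `order` lists the two update steps in the sequence they are executed.
    Returns the accept/drop result of three pings sent after the update.
    """
    flow = ("10.0.0.5", "203.0.113.10", "icmp")   # constructed sample flow
    r = Router()
    r.packet(flow)                 # ping is already running before the update
    for step in order:
        getattr(r, step)()
        r.packet(flow)             # ping keeps arriving between the two steps
    return [r.packet(flow) for _ in range(3)]


def main():
    # Flush first: the ping re-creates the entry before the rules change,
    # so the flow stays ESTABLISHED and keeps passing.
    print("flush, then rules:", attach_firewall(["flush_conntrack", "apply_rules"]))
    # Rules first: after the flush nothing can re-create the entry.
    print("rules, then flush:", attach_firewall(["apply_rules", "flush_conntrack"]))


if __name__ == "__main__":
    main()
```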