Reviewed:  https://review.openstack.org/471301
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=6a31bfbb3400fb818e7b2f15fa11337bafed80cd
Submitter: Jenkins
Branch:    master

commit 6a31bfbb3400fb818e7b2f15fa11337bafed80cd
Author: wujun <wu...@awcloud.com>
Date:   Tue Jun 6 05:58:32 2017 -0400

    Modify an order between iptables and conntrack when update firewall

    When updating a firewall, we should update the iptables first, and
    then remove the conntrack record, just like the functions
    create_firewall() and create_firewall_group(). Otherwise, the
    conntrack record could be reproduced.

    It will occur more easily in a scenario of large flow, because
    removing conntrack and updating the firewall will take some time, and
    in this interval the subsequent flow could come in and reproduce the
    same conntrack record.

    Change-Id: I7bd36964199c6ce7c146f3ef06a693e9c6fe5353
    Closes-bug: #1696093

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1696093

Title:
  When update a firewall, we should update the iptables firstly, and
  then clear the conntrack record, just like the function
  create_firewall(). Otherwise, the conntrack record could be reproduced.

Status in neutron:
  Fix Released

Bug description:
  environment: devstack master

  When updating a firewall, we should update the iptables first, and
  then clear the conntrack record, just like the function
  create_firewall(). Otherwise, the conntrack record could be reproduced.

  We can trigger the firewall_update action by:
  1. #neutron firewall-update f1 --no-routers
  2. vm ping external ip address all the time
  3. #neutron firewall-update f1 --router demo-router

  We can find that the vm can still ping the external ip address
  successfully.

  notice:
  We should make sure that the ping never stops and that the interval
  of the ping is small. If it is still not reproduced, we can modify the
  code to add a "sleep" before the function "_setup_firewall()".
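The ordering race described in the bug, as an added Python model that is not part of the original notification and is not neutron-fwaas code. The `StatefulFirewall` class, its methods, the addresses, and the assumption that the updated rules deny the pinging flow are all constructed for illustration.

```python
# Constructed model of a stateful firewall; hypothetical names throughout.
class StatefulFirewall:
    def __init__(self, allow_all):
        self.allow_all = allow_all      # stands in for the iptables rule set
        self.conntrack = set()          # tracked flows, keyed by (src, dst)

    def packet(self, flow):
        """Return True if the packet is forwarded."""
        if flow in self.conntrack:      # ESTABLISHED: accepted before the rules
            return True
        if self.allow_all:              # NEW: evaluated against the rules
            self.conntrack.add(flow)    # an accepted packet creates the entry
            return True
        return False

    def set_rules(self, allow_all):
        self.allow_all = allow_all

    def clear_conntrack(self):
        self.conntrack.clear()


def update_firewall(fw, flow, rules_first):
    """Apply a deny policy while `flow` keeps sending; return the final verdict."""
    steps = [lambda: fw.set_rules(False), fw.clear_conntrack]
    if not rules_first:
        steps.reverse()                 # the pre-fix order: conntrack, then rules
    for step in steps:
        step()
        fw.packet(flow)                 # a ping lands in the gap after each step
    return fw.packet(flow)              # does traffic still pass after the update?


def run(rules_first):
    fw = StatefulFirewall(allow_all=True)
    flow = ("10.0.0.5", "203.0.113.9")  # constructed VM and external addresses
    assert fw.packet(flow)              # the ping is established before the update
    return update_firewall(fw, flow, rules_first)


if __name__ == "__main__":
    print("conntrack cleared first, flow still passes:", run(rules_first=False))
    print("iptables updated first, flow still passes:", run(rules_first=True))
```

In the model, the packet that arrives between the two steps re-creates the conntrack entry only when the old rules are still in place, which is why the fixed order leaves no stale entry behind.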