[Openstack-security] [Bug 1559920] Re: Flows per in_port are deleted after SG rules are applied

OpenStack Infra 1559920 at bugs.launchpad.net
Mon Mar 21 09:21:34 UTC 2016


Fix proposed to branch: master
Review: https://review.openstack.org/295154

** Changed in: neutron
       Status: New => In Progress

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1559920

Title:
  Flows per in_port are deleted after SG rules are applied

Status in neutron:
  In Progress

Bug description:
  During the creation of a new port in the integration bridge (br-int),
  first the firewall rules are applied and then all flows matching this
  input port are deleted:

  if cur_tag != lvm.vlan:
      self.int_br.delete_flows(in_port=port.ofport)

  This happens only when the port is created (or the vlan tag changes).
  If any firewall rule is applied using the in_port as a condition,
  during the initialization of the firewall for this port, this rule is
  deleted.

  Instead of that, this security action should be moved to the previous
  function, "_add_port_tag_info", in order to avoid any firewall rule
  deletion and maintain the same security level during the port
  creation; that means the ports don't allow any kind of traffic until
  the firewall rules are applied.
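  The ordering problem above, as an added illustration that is not
  neutron's code: a toy model of the br-int flow table in which
  delete_flows(in_port=...) runs either after the security-group flows
  are installed (the reported behaviour) or before them (the proposed
  order). The Flow/FlowTable classes and the SG flows they install are
  constructed for the example and do not mirror neutron's real rule set.

```python
# Added example, not neutron's code: a minimal model of the br-int flow
# table showing why the delete_flows(in_port=...) ordering matters.
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Flow:
    in_port: int
    priority: int
    actions: str


@dataclass
class FlowTable:
    flows: set = field(default_factory=set)

    def add_flow(self, in_port, priority, actions):
        self.flows.add(Flow(in_port, priority, actions))

    def delete_flows(self, in_port):
        # del-flows semantics: every flow matching this in_port is removed
        self.flows = {f for f in self.flows if f.in_port != in_port}

    def flows_for(self, in_port):
        return sorted(f for f in self.flows if f.in_port == in_port)


def apply_sg_rules(table, ofport):
    # Hypothetical security-group flows keyed on in_port (constructed)
    table.add_flow(ofport, 90, "resubmit(,sg_table)")
    table.add_flow(ofport, 10, "drop")


def setup_port_reported(table, ofport, cur_tag, vlan):
    # Order from the report: SG flows first, then wipe all flows for in_port
    apply_sg_rules(table, ofport)
    if cur_tag != vlan:
        table.delete_flows(in_port=ofport)
    return table.flows_for(ofport)


def setup_port_proposed(table, ofport, cur_tag, vlan):
    # Order the report asks for: clear stale flows while tagging the port,
    # then install SG flows, so nothing passes until the rules are present
    if cur_tag != vlan:
        table.delete_flows(in_port=ofport)
    apply_sg_rules(table, ofport)
    return table.flows_for(ofport)


def sg_flows_present(table, ofport):
    # Post-creation check: the port's default-drop SG flow must still exist
    return any(f.actions == "drop" for f in table.flows_for(ofport))
```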

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1559920/+subscriptions