]> review.fuel-infra Code Review - openstack-build/neutron-build.git/commit
Code Review / openstack-build / neutron-build.git / commit
? search:
summary | shortlog | log | commit | commitdiff | review | tree
(parent: 86bf1b4) | patch
Use a conntrack zone per port in OVS
authorKevin Benton <blak111@gmail.com>
Fri, 31 Jul 2015 01:07:03 +0000 (18:07 -0700)
committerKevin Benton <blak111@gmail.com>
Sat, 15 Aug 2015 13:36:22 +0000 (06:36 -0700)
commit7e9b0e4ac53e83b18dd949564435710e86c7b81e
tree5c6ecd07019abd77df89b361da8df5d0edd14b4etree | snapshot
parent86bf1b41504ed9aa1c1a6c4a8b653ab7b5be9b52commit | diff
Use a conntrack zone per port in OVS

Conntrack zones per network are not adequate because VMs
on the same host communicating with each other cross iptables
twice. If conntrack is sharing the same zone for each cross,
the first one can remove the connection from the table on a RST
and then the second one marks the RST as invalid.

This patch adjusts the logic to use a conntrack zone per port
instead of per network. In order to avoid interrupting upgrades
or restarts, the initial zone map is built from the existing
iptables rules so existing port->zone mappings are maintained.

Closes-Bug: #1478925
Change-Id: Ibe9e49653b2a280ea72cb95c2da64cd94c7739da
neutron/agent/linux/ip_conntrack.py diff | blob | history
neutron/agent/linux/iptables_firewall.py diff | blob | history
neutron/agent/linux/iptables_manager.py diff | blob | history
neutron/agent/securitygroups_rpc.py diff | blob | history
neutron/tests/unit/agent/linux/test_iptables_firewall.py diff | blob | history
neutron/tests/unit/agent/test_securitygroups_rpc.py diff | blob | history