Modify an order between iptables and conntrack when update firewall

When update a firewall, we should update the iptables firstly,
and then remove the conntrack record, just like the function
create_firewall() and create_firewall_group(). Otherwise, the
contrack record could be reproduced. It will be occurred more
easily in scenario of large flow, because removing conntrack
and updating firewall will take some time, and in this interval
the subsequent flow could be came to reproduced the same
conntrack record.

Change-Id: I7bd36964199c6ce7c146f3ef06a693e9c6fe5353
Closes-bug: #1696093
This commit is contained in:
wujun 2017-06-06 05:58:32 -04:00
parent f571e2e1f3
commit 1471eba89d
2 changed files with 2 additions and 2 deletions

View File

@ -123,13 +123,13 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
{'fw_id': firewall['id'], 'tid': firewall['tenant_id']})
try:
if firewall['admin_state_up']:
self._setup_firewall(agent_mode, apply_list, firewall)
if self.pre_firewall:
self._remove_conntrack_updated_firewall(agent_mode,
apply_list, self.pre_firewall, firewall)
else:
self._remove_conntrack_new_firewall(agent_mode,
apply_list, firewall)
self._setup_firewall(agent_mode, apply_list, firewall)
else:
self.apply_default_policy(agent_mode, apply_list, firewall)
self.pre_firewall = dict(firewall)

View File

@ -131,13 +131,13 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
{'fw_id': firewall['id'], 'tid': firewall['tenant_id']})
try:
if firewall['admin_state_up']:
self._setup_firewall(agent_mode, apply_list, firewall)
if self.pre_firewall:
self._remove_conntrack_updated_firewall(agent_mode,
apply_list, self.pre_firewall, firewall)
else:
self._remove_conntrack_new_firewall(agent_mode,
apply_list, firewall)
self._setup_firewall(agent_mode, apply_list, firewall)
else:
self.apply_default_policy(agent_mode, apply_list, firewall)
self.pre_firewall = dict(firewall)