Modify an order between iptables and conntrack when update firewall

When updating a firewall, we should update the iptables rules first,
and then remove the conntrack records, just like the functions
create_firewall() and create_firewall_group() do. Otherwise, the
conntrack record could be recreated. This happens more
easily under heavy traffic, because removing conntrack entries
and updating the firewall take some time, and in this interval
subsequent packets could arrive and recreate the same
conntrack record.

Change-Id: I7bd36964199c6ce7c146f3ef06a693e9c6fe5353
Closes-bug: #1696093
wujun 2017-06-06 05:58:32 -04:00
parent daa852a463
commit 6a31bfbb34
2 changed files with 2 additions and 2 deletions


@ -146,13 +146,13 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
{'fw_id': firewall['id'], 'tid': firewall['tenant_id']})
try:
if firewall['admin_state_up']:
self._setup_firewall(agent_mode, apply_list, firewall)
if self.pre_firewall:
self._remove_conntrack_updated_firewall(agent_mode,
apply_list, self.pre_firewall, firewall)
else:
self._remove_conntrack_new_firewall(agent_mode,
apply_list, firewall)
self._setup_firewall(agent_mode, apply_list, firewall)
else:
self.apply_default_policy(agent_mode, apply_list, firewall)
self.pre_firewall = dict(firewall)
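Review bot: The ordering that this hunk fixes is load-bearing but undocumented in the code, so a later refactor could swap the `_setup_firewall` call back below the conntrack removal without anything flagging it; the same applies to the identical hunk in the v2 driver at `@ -131,13 +131,13 @@`. Add a short comment above the moved `self._setup_firewall(agent_mode, apply_list, firewall)` line in both files, e.g. `# Install the new rules before flushing conntrack: packets arriving in between are then matched against the new rules and cannot re-create entries that only the old rules allowed.` The `else` branch that calls `apply_default_policy` still performs no conntrack cleanup, so connections established under the previous rules may persist across a transition to `admin_state_up` false unless `apply_default_policy` handles that itself, which this hunk does not show. The enclosing `try:` begins at the top of the hunk and its `except`/cleanup lies outside it, so whether a failed `_setup_firewall` leaves `self.pre_firewall` stale cannot be judged from here.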


@ -131,13 +131,13 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
{'fw_id': firewall['id'], 'tid': firewall['tenant_id']})
try:
if firewall['admin_state_up']:
self._setup_firewall(agent_mode, apply_list, firewall)
if self.pre_firewall:
self._remove_conntrack_updated_firewall(agent_mode,
apply_list, self.pre_firewall, firewall)
else:
self._remove_conntrack_new_firewall(agent_mode,
apply_list, firewall)
self._setup_firewall(agent_mode, apply_list, firewall)
else:
self.apply_default_policy(agent_mode, apply_list, firewall)
self.pre_firewall = dict(firewall)