Updates to VIF port's security_groups field not reflected in underlying IPAddrGroups

Bug #1533982 reported by Brandon Berg
Affects: midonet
Status: Fix Committed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Translation of VIF port updates does not take into account the possibility that the port's security_groups field may have changed. Consequently, adding a security group ID to a VIF port's security_groups does not add the VIF port's IP address(es) to the corresponding Midonet IPAddrGroup. Likewise, removing the security group ID from the port's security_groups does not remove the port's IP address(es) from the underlying IPAddrGroup.

The updated port will begin using the security rules for any added security groups and stop using the security rules for any removed security groups, as it should. However, other ports with security-group-based rules (e.g., accept all TCP traffic on port 10000 from members of security group "sg1") will continue to function as though the port had not been added/removed to the security group (e.g., continue to accept traffic from the port even after it has been removed from group "sg1").
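
The behaviour described above, modelled as an added example (not MidoNet's code and not part of the original report), with an audit that flags group members no port's security_groups field accounts for. The dictionary standing in for the IPAddrGroups and all function names are hypothetical, and the port data is constructed.

```python
# Added illustration: in-memory model, not MidoNet's translator code.
# ip_addr_groups is a hypothetical stand-in: security group ID -> set of member IPs.

def update_port_buggy(ip_addr_groups, old, new):
    """Behaviour in the report: membership is left untouched on port update."""
    return ip_addr_groups

def update_port_reconciled(ip_addr_groups, old, new):
    """Remove the old IPs from the old groups, add the new IPs to the new groups."""
    for sg in old["security_groups"]:
        ip_addr_groups.setdefault(sg, set()).difference_update(old["ips"])
    for sg in new["security_groups"]:
        ip_addr_groups.setdefault(sg, set()).update(new["ips"])
    return ip_addr_groups

def peer_accepts(ip_addr_groups, src_ip, remote_group):
    """A rule 'accept from members of remote_group' matches on group contents."""
    return src_ip in ip_addr_groups.get(remote_group, set())

def audit(ip_addr_groups, ports):
    """Compare actual membership with what the ports' security_groups imply.
    Returns (stale, missing) as sets of (group, ip) pairs."""
    expected = {(sg, ip) for p in ports
                for sg in p["security_groups"] for ip in p["ips"]}
    actual = {(sg, ip) for sg, ips in ip_addr_groups.items() for ip in ips}
    return actual - expected, expected - actual

def demo(update):
    # Constructed sample: one port, one IP, moved from "sg1" to "sg2".
    groups = {"sg1": {"10.0.0.5"}, "sg2": set()}
    old = {"ips": {"10.0.0.5"}, "security_groups": {"sg1"}}
    new = {"ips": {"10.0.0.5"}, "security_groups": {"sg2"}}
    groups = update(groups, old, new)
    return peer_accepts(groups, "10.0.0.5", "sg1"), audit(groups, [new])
```

With the untouched membership, the peer rule for "sg1" still matches the port's address and the audit reports one stale and one missing entry; with reconciliation both sets are empty.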

Joe Mills (joe-6)
affects: networking-midonet → midonet
Brandon Berg (bberg-s)
summary: - When a port is removed from a security group. its IP address is not
- removed from the Midonet IPAddrGroup
+ Updates to VIF port's security_groups field not reflected in underlying
+ IPAddrGroups
Changed in midonet:
status: New → Fix Committed