Delete conntrack entry on the other direction
When one vm unbind a security-group, only one direction conntrack entry was deleted, which is not enough and may cause another direction was still could connect. This patch delete the left one. Change-Id: I44d6bd0c2465294b557fd01566b72e016d34bba3 Close-Bug: #1570171
This commit is contained in:
yujie
parent
81c61a9939
commit
2de33a902d
|
|
@ -79,10 +79,12 @@ class IpConntrackManager(object):
|
|||
|
||||
def delete_conntrack_state_by_remote_ips(self, device_info_list,
|
||||
ethertype, remote_ips):
|
||||
rule = {'ethertype': str(ethertype).lower(), 'direction': 'ingress'}
|
||||
if remote_ips:
|
||||
for remote_ip in remote_ips:
|
||||
self._delete_conntrack_state(
|
||||
device_info_list, rule, remote_ip)
|
||||
else:
|
||||
self._delete_conntrack_state(device_info_list, rule)
|
||||
for direction in ['ingress', 'egress']:
|
||||
rule = {'ethertype': str(ethertype).lower(),
|
||||
'direction': direction}
|
||||
if remote_ips:
|
||||
for remote_ip in remote_ips:
|
||||
self._delete_conntrack_state(
|
||||
device_info_list, rule, remote_ip)
|
||||
else:
|
||||
self._delete_conntrack_state(device_info_list, rule)
|
||||
|
|
|
|||
|
|
@ -1131,9 +1131,17 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
'-w', 10],
|
||||
run_as_root=True, check_exit_code=True,
|
||||
extra_ok_codes=[1]),
|
||||
mock.call(['conntrack', '-D', '-f', 'ipv4', '-s', '10.0.0.1',
|
||||
'-w', 10],
|
||||
run_as_root=True, check_exit_code=True,
|
||||
extra_ok_codes=[1]),
|
||||
mock.call(['conntrack', '-D', '-f', 'ipv6', '-d', 'fe80::1',
|
||||
'-w', 10],
|
||||
run_as_root=True, check_exit_code=True,
|
||||
extra_ok_codes=[1]),
|
||||
mock.call(['conntrack', '-D', '-f', 'ipv6', '-s', 'fe80::1',
|
||||
'-w', 10],
|
||||
run_as_root=True, check_exit_code=True,
|
||||
extra_ok_codes=[1])]
|
||||
self.utils_exec.assert_has_calls(calls)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue