Kevin Benton ff3132d8d4 Stop killing conntrack state without CT Zone
The conntrack clearing code was belligerently killing connections
without a conntrack zone specifier when it couldn't get the zone
for a given device. This means it would kill all connections based
on an IP address match, which meant hitting innocent bystanders
in other tenant networks with overlapping IP addresses.

This bad fallback was being triggered every time because it was
using the wrong identifier for a port to look up the zone.

This patch fixes the port lookup and adjusts the fallback behavior
to never clear conntrack entries if we can't find the conntrack
zone for a port.

This triggered the bug below (in the cases I root-caused) by
killing a metadata connection right in the middle of retrieving
a key.

Closes-Bug: #1668958
Change-Id: Ia4ee9b3305e89c958ac927980d80119c53ea519b
2017-03-03 19:22:45 +00:00
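
The failure mode in the commit message above, modelled as an added example; this is not neutron's code. The device names, the lookup key, and the in-memory table are constructed for illustration, and the IP-only match across zones follows the behaviour the commit message describes.

```python
from typing import Dict, List, NamedTuple, Optional

class Flow(NamedTuple):
    zone: int   # conntrack zone the flow is tracked in
    dst: str    # destination IP of the flow

# Constructed sample state: two tenants reuse 10.0.0.5 in separate zones.
TABLE = [Flow(1, "10.0.0.5"), Flow(2, "10.0.0.5"), Flow(2, "10.0.0.9")]
# Constructed device-name -> zone map (hypothetical names).
ZONES: Dict[str, int] = {"tap-aaaa": 1, "tap-bbbb": 2}

def delete_cmd(ip: str, zone: Optional[int]) -> List[str]:
    """conntrack delete command; -w limits the match to one zone."""
    cmd = ["conntrack", "-D", "-f", "ipv4", "-d", ip]
    return cmd + ["-w", str(zone)] if zone is not None else cmd

def would_delete(ip: str, zone: Optional[int]) -> List[Flow]:
    """Flows in TABLE that a delete for (ip, zone) matches."""
    return [f for f in TABLE if f.dst == ip and zone in (None, f.zone)]

def clear_with_fallback(key: str, ip: str) -> List[Flow]:
    """Behaviour described as the bug: unknown zone falls back to IP-only."""
    return would_delete(ip, ZONES.get(key))

def clear_zone_only(key: str, ip: str) -> List[Flow]:
    """Behaviour described as the fix: no zone, no deletion."""
    zone = ZONES.get(key)
    return [] if zone is None else would_delete(ip, zone)

if __name__ == "__main__":
    bad_key = "port-uuid-bbbb"  # wrong identifier: not a key in ZONES
    print("fallback kills:", clear_with_fallback(bad_key, "10.0.0.5"))
    print("fixed, bad key:", clear_zone_only(bad_key, "10.0.0.5"))
    print("fixed, good key:", clear_zone_only("tap-bbbb", "10.0.0.5"))
    print(" ".join(delete_cmd("10.0.0.5", 2)))
```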

Team and repository tags

Welcome!

To learn more about neutron:

Get in touch via email. Use [Neutron] in your subject.

To learn how to contribute:

CONTRIBUTING.rst

Description
OpenStack Networking (Neutron)
Languages
Python 99.7%
Shell 0.3%