UDP traffic stops when security groups are updated with heat.

Solution Verified - Updated -

Issue

  • After a security group is updated using Heat, the port becomes blocked and stops sending traffic. The template used:
description: Heat template for security groups
heat_template_version: '2018-03-02'
outputs:
  securitygroup_ht_test1:
    value: {get_resource: test_sg}
resources:
  test_sg:
    properties:
      name: test_sg
      rules:
      - {direction: egress, ethertype: IPv4}
      - {direction: egress, ethertype: IPv6}
      - {protocol: icmp}
      - {port_range_max: 5001, port_range_min: 5001, protocol: udp}
      # - {port_range_max: 10000, port_range_min: 10000, protocol: tcp}
    type: OS::Neutron::SecurityGroup
  • The piece of Heat code related to this action:
    def handle_update(self, json_snippet, tmpl_diff, prop_diff):
        # handle rules changes by:
        # * deleting all rules
        # * restoring the default egress rules
        # * creating new rules
        rules = None
        if self.RULES in prop_diff:
            rules = prop_diff.pop(self.RULES)
            self._delete_rules()
            self._create_rules(self.default_egress_rules)

        if prop_diff:
            self.prepare_update_properties(prop_diff)
            self.client().update_security_group(
                self.resource_id, {'security_group': prop_diff})
        if rules:
            self._create_rules(rules)
  • Running the template to add a new rule effectively deletes all rules and recreates them.
  • The issue only impacts UDP, and it can be reproduced by manually deleting and creating the same rule (as Heat does).
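
To see how much rule churn the update causes, the following added example (not Heat's code and not this article's resolution) compares the delete-all pattern from handle_update() with a minimal diff of the template's rules when the commented-out TCP rule is enabled. The helpers rule_key(), plan_rule_changes() and plan_delete_all() are hypothetical names, and the defaults for omitted fields are assumptions.

```python
# Added illustration; rule_key(), plan_rule_changes() and plan_delete_all()
# are hypothetical helpers, not part of Heat or Neutron.

# Fields used here to decide whether two rules are the same rule.
KEY_FIELDS = ("direction", "ethertype", "protocol",
              "port_range_min", "port_range_max", "remote_ip_prefix")
# Assumed defaults for fields a template rule omits.
DEFAULTS = {"direction": "ingress", "ethertype": "IPv4"}


def rule_key(rule):
    """Normalize a template rule dict into a hashable, comparable tuple."""
    merged = {**DEFAULTS, **rule}
    return tuple(merged.get(f) for f in KEY_FIELDS)


def plan_rule_changes(old_rules, new_rules):
    """Return (to_delete, to_create, untouched) touching only what changed."""
    old = {rule_key(r): r for r in old_rules}
    new = {rule_key(r): r for r in new_rules}
    to_delete = [old[k] for k in old if k not in new]
    to_create = [new[k] for k in new if k not in old]
    untouched = [old[k] for k in old if k in new]
    return to_delete, to_create, untouched


def plan_delete_all(old_rules, new_rules):
    """The delete-everything-then-recreate pattern shown in handle_update()."""
    return list(old_rules), list(new_rules), []


# Rules from the template in this article (constructed as Python dicts).
CURRENT_RULES = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "egress", "ethertype": "IPv6"},
    {"protocol": "icmp"},
    {"port_range_max": 5001, "port_range_min": 5001, "protocol": "udp"},
]
# Same template with the commented-out TCP rule enabled.
UPDATED_RULES = CURRENT_RULES + [
    {"port_range_max": 10000, "port_range_min": 10000, "protocol": "tcp"},
]

if __name__ == "__main__":
    for name, plan in (("delete-all", plan_delete_all),
                       ("diff", plan_rule_changes)):
        delete, create, keep = plan(CURRENT_RULES, UPDATED_RULES)
        print(f"{name}: delete={len(delete)} create={len(create)} "
              f"untouched={len(keep)}")
```

With the diff plan, the UDP 5001 rule is never deleted when only the TCP rule is added, so the delete-and-recreate step that reproduces the issue does not occur for it.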

Environment

Red Hat OpenStack Platform 16.1.5
