IPtables rules don't always get added at top when 'top=True' is specified

Bug #1037137 reported by Brian Haley
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Undecided
Assigned to: Brian Haley
Milestone: 

Bug Description

I have written an out-of-tree module that makes calls into the IPtablesManager code to add/remove iptables chains and rules. I am sometimes using top=True when doing an add_rule(). During testing I noticed that even though I specified top=True, if there were already "non-top" rules in a chain, then it would be added after them.

A very small patch, like the attached, fixed the problem.

I have a proposed patch in gerrit; I'll link it to this in a bit.

Revision history for this message
Brian Haley (brian-haley) wrote :
Changed in nova:
assignee: nobody → Brian Haley (brian-haley)
Revision history for this message
Brian Haley (brian-haley) wrote :
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/11300
Committed: http://github.com/openstack/nova/commit/d141e64de98f4e7eb0493d8f0a631f071b6e6dc1
Submitter: Jenkins
Branch: master

commit d141e64de98f4e7eb0493d8f0a631f071b6e6dc1
Author: Brian Haley <email address hidden>
Date: Mon Aug 13 14:58:34 2012 -0400

    Change IPtablesManager to preserve packet:byte counts.

    Modified IPtablesManager.apply() method to save/restore chain and
    rule packet:byte counts by using the '-c' flag with iptables-save
    and iptables-restore calls. Currently they are zeroed every time
    we change something in the table. This will allow users to better
    analyze usage for instances over an extended period of time, for
    example, for billing purposes.

    Change all applicable iptables, libvirt and Xen tests to account
    for the changes made to support the packet:byte counts.

    This work uncovered two bugs in the existing implementation
    found during my testing, specifically:

    1. Fix IptablesManager to clean-up non-wrapped chains correctly,
       instead of leaving them in the kernel's table. We now keep a
       list of chains and rules we need to remove, and double-check
       in apply() that they are filtered-out.

    2. Fix IptablesManager to honor "top=True" iptables rules by only
       adding non-top rules after we've gone through all the top rules
       first.

    Implements first work item of blueprint libvirt-network-usage.

    Fixes bug 1037127 and bug 1037137.

    Change-Id: Ia5a11aabbfb45b6c16c8d94757eeaa2041785b60
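The following is an added example, not nova's code and not the patch from the review above. It uses an assumed, stripped-down stand-in for IptablesManager (add_rule with a top flag, plus a renderer that produces the chain order iptables-restore would see) and a toy first-match evaluator that understands only -s, -p, --dport and -j, to show why the ordering defect described in item 2 of the commit message matters: with the pre-fix behaviour a rule requested with top=True lands below an earlier, broader rule and never fires, while the fixed ordering (all top rules first, then the rest, each group in insertion order) makes it the first match.

```python
"""Model of the top=True ordering defect (added example; not nova's code).

Assumed stand-in for nova's IptablesManager: add_rule(chain, rule, top=False)
records rules per chain and rendering yields the order iptables evaluates.
The toy matcher handles only: -s <ip>, -p <proto>, --dport <port>, -j <target>.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    text: str          # iptables rule body, e.g. "-s 10.0.0.5 -j ACCEPT"
    top: bool = False  # caller asked for this rule to sit at the top of its chain


class ToyIptablesManager:
    """Records rules per chain; renders them in the order iptables would see."""

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}

    def add_rule(self, chain: str, rule: str, top: bool = False) -> None:
        self.chains.setdefault(chain, []).append(Rule(rule, top))

    def render_buggy(self, chain: str) -> List[str]:
        # Pre-fix behaviour: pure insertion order, so a top=True rule added
        # after existing non-top rules ends up below them.
        return [r.text for r in self.chains.get(chain, [])]

    def render_fixed(self, chain: str) -> List[str]:
        # Post-fix behaviour: every top rule first, then the non-top rules,
        # each group keeping its own insertion order.
        rules = self.chains.get(chain, [])
        return [r.text for r in rules if r.top] + [r.text for r in rules if not r.top]


def _parse(rule: str) -> Dict[str, str]:
    """Turn '-s 10.0.0.5 -p tcp --dport 22 -j DROP' into an option dict."""
    tokens = rule.split()
    return {tokens[i]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def first_match(rendered: List[str], src: str, proto: str,
                dport: Optional[int]) -> Optional[str]:
    """Simulate iptables first-match semantics over a rendered chain."""
    for rule in rendered:
        opts = _parse(rule)
        if "-s" in opts and opts["-s"] != src:
            continue
        if "-p" in opts and opts["-p"] != proto:
            continue
        if "--dport" in opts and (dport is None or int(opts["--dport"]) != dport):
            continue
        return opts.get("-j")
    return None  # fell off the end of the chain; the chain policy applies


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: broad ACCEPT first, narrow DROP added with top=True."""
    mgr = ToyIptablesManager()
    mgr.add_rule("nova-filter", "-s 10.0.0.5 -j ACCEPT")
    mgr.add_rule("nova-filter", "-s 10.0.0.5 -p tcp --dport 22 -j DROP", top=True)
    return {
        "buggy": first_match(mgr.render_buggy("nova-filter"), "10.0.0.5", "tcp", 22),
        "fixed": first_match(mgr.render_fixed("nova-filter"), "10.0.0.5", "tcp", 22),
    }


if __name__ == "__main__":
    print(demo())
```

The check worth keeping from this: after any apply(), dump the chain and confirm that every rule requested with top=True precedes every non-top rule, because first-match evaluation means a misplaced DROP is silently shadowed rather than reported.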

Changed in nova:
status: New → In Progress
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-3 → 2012.2