Rapidly removing a floating ip can leave behind nat rules
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | High | Vish Ishaya | |
Folsom | Fix Released | High | Vish Ishaya | |
Bug Description
Associating and disassociating a floating IP very rapidly can lead to iptables rules being left behind. This is because, due to lag in the API host or network host that passes along the request, the removal of iptables rules can hit before the addition of rules.
example:
$ nova list
+------
| ID | Name | Status | Networks |
+------
| e2212fd7-
+------
$ (nova add-floating-ip foo1 10.0.0.201 &); sleep 1.0; (nova remove-floating-ip foo1 10.0.0.201 &);
$ nova list
+------
| ID | Name | Status | Networks |
+------
| e2212fd7-
+------
<on host with foo1>
$ sudo iptables -t nat -L -n -v | grep 10.0.0.3
0 0 DNAT all -- * * 0.0.0.0/0 10.0.0.201 to:10.0.0.3
0 0 DNAT all -- * * 0.0.0.0/0 10.0.0.201 to:10.0.0.3
0 0 SNAT all -- * ext0 10.0.0.3 0.0.0.0/0 to:10.0.0.201
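A check for the leftover state shown above, as an added example that is not part of the original report or of nova: it parses `iptables -t nat -L -n -v` output and reports DNAT/SNAT rules whose floating IP is not in the set currently associated. The `associated` set, the function names and the 10.0.0.202 / 10.0.0.4 sample rules are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the leftover rules shown in the report, plus one
# rule pair for a floating IP (10.0.0.202) that is still associated.
SAMPLE_NAT_LISTING = """\
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.0.0.201           to:10.0.0.3
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.0.0.201           to:10.0.0.3
    0     0 SNAT       all  --  *      ext0    10.0.0.3             0.0.0.0/0            to:10.0.0.201
   12   720 DNAT       all  --  *      *       0.0.0.0/0            10.0.0.202           to:10.0.0.4
    3   180 SNAT       all  --  *      ext0    10.0.0.4             0.0.0.0/0            to:10.0.0.202
"""

# Columns of `iptables -L -n -v`: pkts bytes target prot opt in out source destination [options]
RULE_RE = re.compile(
    r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+(?P<target>DNAT|SNAT)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+.*?to:(?P<to>[0-9.]+)"
)


def floating_ip_rules(listing):
    """Map each floating IP to the (target, fixed_ip) NAT rules that reference it."""
    rules = defaultdict(list)
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain headers, column titles, non-NAT targets
        if m["target"] == "DNAT":
            # DNAT: destination is the floating IP, to: is the fixed IP
            floating, fixed = m["dst"], m["to"]
        else:
            # SNAT: source is the fixed IP, to: is the floating IP
            floating, fixed = m["to"], m["src"]
        rules[floating].append((m["target"], fixed))
    return dict(rules)


def stale_floating_ips(listing, associated):
    """Return NAT rules whose floating IP is absent from the associated set."""
    return {ip: r for ip, r in floating_ip_rules(listing).items() if ip not in associated}


if __name__ == "__main__":
    # Assumption: 'associated' would come from the API's view; hard-coded here.
    for ip, rules in stale_floating_ips(SAMPLE_NAT_LISTING, {"10.0.0.202"}).items():
        print(f"stale NAT rules for {ip}: {rules}")
```
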
Changed in nova: | |
importance: | Undecided → High |
status: | New → In Progress |
assignee: | nobody → Vish Ishaya (vishvananda) |
tags: | added: folsom-backport-potential |
Changed in nova: | |
milestone: | none → grizzly-2 |
status: | Fix Committed → Fix Released |
tags: | removed: folsom-backport-potential |
Changed in nova: | |
milestone: | grizzly-2 → 2013.1 |
Fix proposed to branch: master
Review: https://review.openstack.org/18525