nova reorders all iptables rules on component start

Bug #1116562 reported by Chet Burgess
Affects                   Status        Importance  Assigned to   Milestone
OpenStack Compute (nova)  Fix Released  Undecided   Chet Burgess

Bug Description

There's currently no method for guaranteeing iptables rules ordering on any system running nova. This is because nova adds and removes chains, reordering all the rules on the system. The goal of this patch is to provide a method for administrators to have a deterministic way of placing rules both before and after nova's own rulesets.

Chet Burgess (cfb-n)
Changed in nova:
assignee: nobody → Chet Burgess (cfb-n)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21484

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/21484
Committed: http://github.com/openstack/nova/commit/5d6546a2b17ee6190d1a823d881118aeec8388f8
Submitter: Jenkins
Branch: master

commit 5d6546a2b17ee6190d1a823d881118aeec8388f8
Author: Chet Burgess <email address hidden>
Date: Wed Feb 6 07:32:03 2013 +0000

    preserve order of pre-existing iptables chains

    Adds new configuration options:

        iptables_top_regex='' (Default)
            When set, treated as a regular expression to match
            iptables rules that should always be placed at the
            top of the table before the nova chains.

        iptables_bottom_regex='' (Default)
            When set, treated as a regular expression to match
            iptables rules that should always be placed at the
            bottom of the table right before the COMMIT.

    Additionally the existing iptables tests were no longer
    actually testing the chains we use. In some cases we
    were looking for chains that haven't existed in the
    code base for 2 years. I took the opportunity to update
    all tests to actually test for the chains we care about.

    Flags: DocImpact

    Change-Id: I335ca3712d6dd37051cc8e46e1237aaf66a4a94e
    Fixes: bug #1116562

Changed in nova:
status: In Progress → Fix Committed
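The ordering that the two options in the commit message describe, as an added illustrative model in Python (not nova's own implementation): the -A lines of one iptables-save table are split into rules pinned to the top, everything else in its existing order, and rules pinned to the bottom right before COMMIT. The sample table, the regex values and the helper names are constructed for this example.

```python
import re

# Constructed sample: one filter table as iptables-save prints it, in the
# disordered state the bug describes: an administrator's early ACCEPT and
# final DROP have ended up interleaved with nova's own chain jumps.
SAMPLE_FILTER_TABLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:nova-filter-top - [0:0]
:nova-compute-INPUT - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment admin-top
-A INPUT -j DROP -m comment --comment admin-bottom
-A FORWARD -j nova-filter-top
-A nova-compute-INPUT -j ACCEPT
COMMIT
"""

def parse_table(dump):
    """Split an iptables-save table into (name line, chain declarations, -A rules)."""
    name, chains, rules = None, [], []
    for line in dump.splitlines():
        if line.startswith('*'):
            name = line
        elif line.startswith(':'):
            chains.append(line)
        elif line.startswith('-A '):
            rules.append(line)
    return name, chains, rules

def order_rules(rules, top_regex='', bottom_regex=''):
    """Pin top_regex matches first and bottom_regex matches last, keeping the relative
    order of the rest. An empty regex pins nothing (the default); a rule matching both goes top."""
    top = [r for r in rules if top_regex and re.search(top_regex, r)]
    bottom = [r for r in rules if bottom_regex and re.search(bottom_regex, r)
              and r not in top]
    rest = [r for r in rules if r not in top and r not in bottom]
    return top + rest + bottom

def chain_targets(rules, chain):
    """Jump targets of one chain in rule order, to check what INPUT will do first and last."""
    return [re.search(r'-j (\S+)', r).group(1)
            for r in rules if r.startswith('-A %s ' % chain)]

def render_table(dump, top_regex='', bottom_regex=''):
    """Rebuild the table text with the pinned ordering, ending in COMMIT."""
    name, chains, rules = parse_table(dump)
    body = [name] + chains + order_rules(rules, top_regex, bottom_regex) + ['COMMIT']
    return '\n'.join(body) + '\n'
```

Only the order of rules within one chain is load-bearing; the regexes are matched against whole rule lines, so a comment such as the admin-top/admin-bottom tags used here is a convenient anchor for them.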
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1