neutron

Can't dnat from 169.254.169.254:80 to host:8775

Bug #1212168 reported by Xiang Hui on 2013-08-14

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Low	Xiang Hui	neutron 2013.2 "havana"

Bug Description

After setting "enable_metadata_proxy=False" on /etc/neutron/l3_agent.ini, which means shut down the
neutron-ns-metadata-proxy, and choose to use nova metadata, but there still have a rule as below:

iptables -t nat -D neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697

which will block the rules

iptables -t nat -A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $HOST:8775

I think this is a bug, it should be fixed in the code, if not enable neutron metadata , then don't add the first rule.
Thanks advance for any advice.

See original description

Tags:

Xiang Hui (xianghui) on 2013-08-14

description:

updated

Mark McClain (markmcclain) on 2013-08-14

Changed in neutron:
assignee:	nobody → Mark McClain (markmcclain)
status:	New → Triaged
tags:	added: l3-ipam-dhcp removed: metadata

Revision history for this message

Xiang Hui (xianghui) wrote on 2013-08-26:

#1

Hi Mark,
Are you going to fix it? : )
Thanks.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-08: Fix proposed to neutron (master)

#2

Fix proposed to branch: master
Review: https://review.openstack.org/45559

Changed in neutron:
assignee:	Mark McClain (markmcclain) → Xiang Hui (xianghui)
status:	Triaged → In Progress

Revision history for this message

Jian Wen (wenjianhn) wrote on 2013-09-12:

#3

Maybe it's worth filing a new bug to remove the metadata filter rules as well.

Revision history for this message

Xiang Hui (xianghui) wrote on 2013-09-12:

#4

@Jian Wen, sorry, I didn't get it, are you going to say l3 agent didn't remove this metadata filter rules after user disable the metadata proxy? if so, that's a good point.

Thanks.

Revision history for this message

Xiang Hui (xianghui) wrote on 2013-09-12:

#5

@Jian Wen, I got your point , the metadata filter rules should be treated as metadata nat rules.
Great Thanks.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-15: Fix merged to neutron (master)

#6

Reviewed: https://review.openstack.org/45559
Committed: http://github.com/openstack/neutron/commit/84d73ec5999339919c937687c81de77732886bd4
Submitter: Jenkins
Branch: master

commit 84d73ec5999339919c937687c81de77732886bd4
Author: Hui HX Xiang <email address hidden>
Date: Sat Sep 7 19:51:42 2013 -0700

Don't add neutron metadata_nat_rules if disable metadata proxy

This patchset fixes this issue by adding a condition when adding nat
rules of neutron metadata proxy.

fixes bug #1212168

Change-Id: I99775aad73c49a8df3043690440d214614279a2b

Changed in neutron:
status:	In Progress → Fix Committed

Mark McClain (markmcclain) on 2013-09-15

Changed in neutron:
importance:	Undecided → Low
milestone:	none → havana-rc1

Thierry Carrez (ttx) on 2013-10-03

Changed in neutron:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-10-17

Changed in neutron:
milestone:	havana-rc1 → 2013.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.