neutron-openvswitch-agent says Tried to generate an ipset iptable rule for a security group rule even in normal operation

Bug #1421772 reported by Miguel Angel Ajo
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Miguel Angel Ajo

Bug Description

Lots of messages like these can be seen in normal operation:

2015-02-12 20:03:28.775 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:19.873 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:21.742 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.

The logic of this log message is broken and should be removed,
because we can actually generate an iptable rule referencing a set which doesn't exist yet,
as long as we don't try to push the iptables before creating the sets, in which case
iptables-restore would fail, and that's ok enough.

I will submit a patch to remove the message logic.

Changed in neutron:
assignee: nobody → Miguel Angel Ajo (mangelajo)
Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/156566
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cf53e4a8fc268d471d9feb8338c978633c814bb4
Submitter: Jenkins
Branch: master

commit cf53e4a8fc268d471d9feb8338c978633c814bb4
Author: Miguel Angel Ajo <email address hidden>
Date: Tue Feb 17 12:28:46 2015 +0000

    Remove error logs for a common situation (non created ipsets)

    The log message was initially added by me as part of an
    iptables_firewall refactor.

    Ipsets for empty IP address lists aren't currently created,
    that means that we can't reference empty security groups
    (as ipsets) via iptable rules, and that's a normal condition,
    not an error.

    Closes bug: #1421772
    Change-Id: I6b1ae1fb505ce5e76ef8cf7ef7df38cff57e0000
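
The condition described in the report and the commit message, as an added example (not neutron's code and not part of the bug report): a remote-group rule whose ipset was never created is skipped at debug level instead of being logged as an error. The function names, the 27-character name limit (inferred from the set name in the log lines above) and the sample rules are assumptions.

```python
import logging

LOG = logging.getLogger(__name__)

# Assumption: limit inferred from the set name in the log lines above
# (ethertype followed by the first 23 characters of the remote group id).
IPSET_NAME_MAX_LENGTH = 27


def ipset_name(ethertype, remote_group_id):
    """Build a set name of the same shape as the one in the log message."""
    return (ethertype + remote_group_id)[:IPSET_NAME_MAX_LENGTH]


def remote_group_rules(sg_rules, existing_sets):
    """Return (iptables match fragments, skipped rules) for remote-group rules.

    A rule whose set was never created (the referenced group has no member
    addresses for that ethertype) is skipped: it could not match any packet,
    and pushing a rule that names a missing set makes iptables-restore fail.
    """
    emitted, skipped = [], []
    for rule in sg_rules:
        group_id = rule.get('remote_group_id')
        if not group_id:
            continue  # not a remote-group rule, out of scope here
        name = ipset_name(rule['ethertype'], group_id)
        if name not in existing_sets:
            # Normal condition, so debug level rather than error.
            LOG.debug("Skipping rule %s: ipset %s not created", rule, name)
            skipped.append(rule)
            continue
        # Ingress matches on the packet source, egress on its destination.
        side = 'src' if rule['direction'] == 'ingress' else 'dst'
        emitted.append('-m set --match-set %s %s' % (name, side))
    return emitted, skipped


# Constructed input: the rule from the log lines above, plus an IPv4 twin
# whose set exists because the group is assumed to have IPv4 members.
GROUP = 'bead9cb2-9c74-4e21-b219-b70530683193'
RULES = [
    {'ethertype': 'IPv6', 'direction': 'ingress', 'remote_group_id': GROUP},
    {'ethertype': 'IPv4', 'direction': 'ingress', 'remote_group_id': GROUP},
]
EXISTING_SETS = {ipset_name('IPv4', GROUP)}

if __name__ == '__main__':
    print(remote_group_rules(RULES, EXISTING_SETS))
```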

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-3 → 2015.1.0