snat_idx and FIP Rules may overlap

Bug #1434158 reported by Steve Wormley
Affects    Status     Importance    Assigned to    Milestone
neutron    Expired    Low           Unassigned

Bug Description

FIP rules in agent/l3/dvr_fip_ns.py are given the range:
FIP_PR_START = 32768
FIP_PR_END = FIP_PR_START + 40000

And snat_idx in agent/l3/dvr_router.py used for ip rules as well is computed using:
            if snat_idx < 32768:
                snat_idx = snat_idx + MASK_30

So that the FIP rule range could overlap the snat_idx range in rare cases.

The obvious solution is "if snat_idx < 32768 + 40001" (I think), but there's probably a better solution than hard-coding 40000.
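
The overlap described in the report, as an added example that is not part of the original bug report or of neutron's code. It models only the guard quoted above; the value of MASK_30 and the inclusive treatment of FIP_PR_END are assumptions, and the helper names are hypothetical.

```python
# Added illustration. FIP_PR_START / FIP_PR_END come from the bug report.
# Assumption: MASK_30 is the 30-bit mask 0x3FFFFFFF (the report does not
# state its value).
FIP_PR_START = 32768
FIP_PR_END = FIP_PR_START + 40000
MASK_30 = 0x3FFFFFFF


def adjust(snat_idx, threshold):
    """Apply the guard quoted in the report: bump values below `threshold`."""
    if snat_idx < threshold:
        snat_idx += MASK_30
    return snat_idx


def in_fip_range(priority):
    """True if an ip rule priority falls inside the FIP rule range."""
    # Assumption: FIP_PR_END is inclusive, matching the reporter's
    # "32768 + 40001" suggestion.
    return FIP_PR_START <= priority <= FIP_PR_END


def colliding_inputs(threshold):
    """Return the pre-guard values whose adjusted priority lands in the FIP range.

    Scanning 0..FIP_PR_END+1 is sufficient: larger inputs are left unchanged
    and already lie above the range, and bumped inputs end up >= MASK_30.
    """
    return [i for i in range(FIP_PR_END + 2)
            if in_fip_range(adjust(i, threshold))]


if __name__ == "__main__":
    # Guard as quoted in the report: values already inside the FIP range
    # pass through untouched.
    current = colliding_inputs(FIP_PR_START)
    print("guard at 32768:", len(current), "colliding values,",
          current[0], "to", current[-1])

    # Guard derived from the FIP constants instead of a hard-coded number.
    derived = colliding_inputs(FIP_PR_END + 1)
    print("guard at FIP_PR_END + 1:", len(derived), "colliding values")
```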

Gary Kotton (garyk)
Changed in neutron:
importance: Undecided → Low
status: New → Confirmed
tags: added: l3-dvr-backlog loadimpact
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/247388

Changed in neutron:
assignee: nobody → Gary Kotton (garyk)
status: Confirmed → In Progress
Brian Haley (brian-haley) wrote :

The code snippet above is in the IPv6 section of _get_snat_idx(), but there is no floating IPv6, and hopefully won't ever be since we really don't require it.

And with DVR, the FIP namespace and rules live on the compute node, but the SNAT namespace and rules live on the network node, so I'm trying to think how they could impact each other, perhaps only on a single-node install (devstack)?

The 32768 the code is referring to is also a Linux kernel thing, and not related to the FIP rule allocator code.

Have we actually ever seen a problem?

Gary Kotton (garyk)
Changed in neutron:
status: In Progress → Incomplete
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by garyk (<email address hidden>) on branch: master
Review: https://review.openstack.org/247388
Reason: Let's wait and see if there is a real issue

Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 240 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: Gary Kotton (garyk) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired