neutron-linuxbridge-agent fails to start with iptables 1.8.5
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu on IBM z Systems | Fix Released | Undecided | Skipper Bug Screeners | |
iptables (Ubuntu) | Fix Released | High | Alex Murray | |
Groovy | Fix Released | High | Alex Murray | |
Hirsute | Fix Released | High | Alex Murray | |
neutron (Ubuntu) | Invalid | Undecided | Unassigned | |
Groovy | Invalid | Undecided | Unassigned | |
Hirsute | Invalid | Undecided | Unassigned | |
Bug Description
[Impact]
With iptables 1.8.5 neutron-
The log file shows many errors like:
2020-10-05 10:20:37.998 551 ERROR neutron.
This can be demonstrated with a simple test case:
iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF
This fails with iptables 1.8.5 and is a known upstream bug that was subsequently fixed in upstream commit https:/
As such, neutron-
In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this bug by backporting the upstream fix from commit 0bd7a8eaf358215
For groovy, iptables 1.8.5-3ubuntu2.
[Test Case]
This can be reproduced by the test case.
[Regression Potential]
* This is a low risk update since it only affects the behaviour when a policy of '-' is specified and so does not affect any users of iptables that specify an explicit policy (like ACCEPT, REJECT etc). Since this '-' behaviour is currently broken it has a very low chance of causing a regression as it does not affect any code paths that use an explicit policy. One possible regression would be if any users of iptables-restore were relying on this failing behaviour, but since this has only failed for groovy and no other Ubuntu releases this is highly unlikely. The other possibility is that the patch introduces some other failure, however as stated above, close analysis of the patch shows it only introduces new behaviour when the policy is specified as '-' - so this should be impossible.
* In the event of a regression, iptables can be reverted back to a rebuild of 1.8.5-3ubuntu1 by simply backing out this patch.
[Other Info]
* Details regarding an explicit test verification of neutron-
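An added example, not part of the original report and not code from iptables or neutron: a shell function that scans an iptables-save style ruleset for built-in chains declared with policy '-', the shape of the test case above, so rulesets that would hit the iptables 1.8.5 failure can be found before they are fed to iptables-restore. The function names, the restriction to built-in chain names and the sample ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Report built-in chains that a ruleset declares with policy '-'.
# Reads iptables-save format on stdin, prints one "table:chain" per hit.
# Assumption: find_dash_policy is a hypothetical helper name, and only the
# standard built-in chain names are checked, as in the report's test case.
find_dash_policy() {
    awk '
        # A line such as "*filter" opens a table section.
        /^\*/ { table = substr($1, 2); next }
        # Chain declarations have the form ":NAME POLICY [packets:bytes]".
        /^:/ {
            chain = substr($1, 2)
            builtin = (chain ~ /^(INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING)$/)
            if (builtin && $2 == "-")
                print table ":" chain
        }
    '
}

# Constructed sample ruleset (not taken from the report). The user-defined
# chain also carries '-', which is normal and must not be reported.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT - [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:example-user-chain - [0:0]
-A INPUT -j example-user-chain
COMMIT
*raw
:PREROUTING - [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Stand-alone run: list the declarations that match the failing pattern.
sample_ruleset | find_dash_policy
```

An empty result means the ruleset gives every built-in chain an explicit policy, which is the case the regression analysis above describes as unaffected.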
Changed in neutron (Ubuntu): | |
status: | New → Invalid |
Changed in iptables (Ubuntu Hirsute): | |
importance: | Undecided → High |
Changed in iptables (Ubuntu Groovy): | |
importance: | Undecided → High |
status: | New → Triaged |
Changed in iptables (Ubuntu Hirsute): | |
status: | Confirmed → Triaged |
Changed in iptables (Ubuntu Groovy): | |
assignee: | nobody → Alex Murray (alexmurray) |
Changed in iptables (Ubuntu Hirsute): | |
assignee: | nobody → Alex Murray (alexmurray) |
Changed in iptables (Ubuntu Groovy): | |
status: | Triaged → In Progress |
description: | updated |
Changed in ubuntu-z-systems: | |
status: | New → Fix Committed |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
description: | updated |
tags: | removed: verification-needed |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
This issue was fixed in iptables git master commit dac904bdcd9a18aabafee7275ccf0c2bd53800f3
I guess the actual fix may have been "iptables-nft: fix basechain policy configuration", commit 0bd7a8eaf3582159490ab355b1217a4e42ed021f