Incorrect logic of _modify_rules() in IptablesManager
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
In Progress
|
Undecided
|
Qin Zhao | ||
Bug Description
The logic of _modify_rules() seems not correct. For instance, assuming that we have a in-memory table like this:
:bn-chain001 - [0:0]
:chain002 - [0:0]
[0:0] -A bn-chain001 rule001
[0:0] -A chain002 rule002
and iptables-save output like this:
# Generated by zhaoqin on mars
*zhaoqin
:bn-chain001 - [0:0]
[0:0] -A bn-chain001 rule001
[0:0] -A chain002 rule002
COMMIT
# Completed on moon
The current code of _modify_rules() will generate the following result:
# Generated by zhaoqin on mars
:chain002 - [0:0]
:bn-chain001 - [0:0]
[0:0] -A bn-chain001 rule001
[0:0] -A chain002 rule002
*zhaoqin
COMMIT
# Completed on moon
The root cause is that rule '[0:0] -A chain002 rule002' is in new_filter list is removed, so that the current code will do 'rules_index -= 1'. That is an incorrect action. The correct action is to do 'rules_index -= 1', if one chain entry in new_filter list is removed, because the chain list is above the rule list.
| Qin Zhao (zhaoqin) wrote | #1 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to neutron (master) | #2 |
| Changed in neutron: | |
| assignee: | nobody → Qin Zhao (zhaoqin) |
| status: | New → In Progress |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on neutron (master) | #3 |
Another reason why I open this bug is that I plan to propose a lot code changes to _modify_rules() for https:/