creating meter label rule doesn't work properly

Bug #1528137 reported by Yu Fukuyama
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Yu Fukuyama

Bug Description

A rule created by the following API counts packets between a router that connects to an external network and the connection destination device.

  API: POST /v2.0/metering/metering-label-rules

For outbound traffic of the external router, the destination should be remote_ip, and for inbound traffic, the sender should be remote_ip. But it is actually reversed.

This is because the option for creating the iptables rule is reversed.

  code: https://github.com/openstack/neutron/blob/master/neutron/services/metering/drivers/iptables/iptables_driver.py#L176

I'll show you an example that creates meter label rules with the remote_ip set to 192.168.0.0/16.

[Actual results]

$ neutron meter-label-create test-label --tenant-id 2a023bd32f014e44b60b591cbd151514
Created a new metering_label:
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description |                                      |
| id          | d35d0464-f872-43c7-8dd8-850657da59ef |
| name        | test-label                           |
| shared      | False                                |
| tenant_id   | 2a023bd32f014e44b60b591cbd151514     |
+-------------+--------------------------------------+
$ neutron meter-label-create test-label2 --tenant-id 2a023bd32f014e44b60b591cbd151514
Created a new metering_label:
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description |                                      |
| id          | 61c344ce-0438-4cd3-bbd8-a4d5e0dbce6f |
| name        | test-label2                          |
| shared      | False                                |
| tenant_id   | 2a023bd32f014e44b60b591cbd151514     |
+-------------+--------------------------------------+
$ neutron meter-label-rule-create --tenant-id 2a023bd32f014e44b60b591cbd151514 --direction egress d35d0464-f872-43c7-8dd8-850657da59ef 192.168.0.0/16

$ neutron meter-label-rule-create --tenant-id 2a023bd32f014e44b60b591cbd151514 --direction ingress 61c344ce-0438-4cd3-bbd8-a4d5e0dbce6f 192.168.0.0/16

$ neutron meter-label-rule-list
+--------------------------------------+----------+-----------+------------------+
| id                                   | excluded | direction | remote_ip_prefix |
+--------------------------------------+----------+-----------+------------------+
| 3e426537-61f4-44ac-a67a-e66ce26dc11b | False    | egress    | 192.168.0.0/16   |
| 4d669406-173c-4eea-af21-00430719cbfa | False    | ingress   | 192.168.0.0/16   |
+--------------------------------------+----------+-----------+------------------+

$ sudo ip netns exec qrouter-b72b789e-8ca9-465e-a2d1-98f725a7042f iptables-save
...
-A neutron-meter-r-61c344ce-043 -d 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
-A neutron-meter-r-d35d0464-f87 -s 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87
...

[The expected iptables rules]

-A neutron-meter-r-61c344ce-043 -s 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
-A neutron-meter-r-d35d0464-f87 -d 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87

[Example of a required packet not being counted]

ubuntu@test-vm(10.0.0.3):~$ ping 192.168.0.3 -c 3
PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
64 bytes from 192.168.0.3: icmp_seq=1 ttl=62 time=1.13 ms
64 bytes from 192.168.0.3: icmp_seq=2 ttl=62 time=0.618 ms
64 bytes from 192.168.0.3: icmp_seq=3 ttl=62 time=0.652 ms

--- 192.168.0.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.618/0.801/1.133/0.235 ms

$ sudo ip netns exec qrouter-b72b789e-8ca9-465e-a2d1-98f725a7042f iptables -t filter -L neutron-meter-l-d35d0464-f87 -n -v -x
Chain neutron-meter-l-d35d0464-f87 (2 references)
    pkts bytes target prot opt in out source destination
       0 0 all -- * * 0.0.0.0/0 0.0.0.0/0

Tags: metering
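
The mismatch shown in the report can be checked mechanically. The following is an added example, not neutron's driver code and not part of the original report: it audits `iptables-save` output for `neutron-meter-r-*` rules whose address flag does not match the interface flag. All function and constant names are hypothetical, and it assumes, as in the report, that `-o` on the external gateway device marks egress and `-i` marks ingress.

```python
# Added example, not neutron's driver code; all names here are hypothetical.
# Expected semantics per the report: egress  -> "-o <ext dev>" with "-d <remote_ip_prefix>"
#                                    ingress -> "-i <ext dev>" with "-s <remote_ip_prefix>"
MATCH_FLAGS = {"egress": ("-o", "-d"), "ingress": ("-i", "-s")}

# Rule lines copied from the report's iptables-save output (reversed form).
REVERSED = """\
-A neutron-meter-r-61c344ce-043 -d 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
-A neutron-meter-r-d35d0464-f87 -s 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87
"""
# Rule lines copied from the report's expected rules.
EXPECTED = """\
-A neutron-meter-r-61c344ce-043 -s 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
-A neutron-meter-r-d35d0464-f87 -d 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87
"""

def expected_match(direction, remote_ip_prefix, ext_dev):
    """Match arguments a metering rule should carry for the given direction."""
    iface_flag, addr_flag = MATCH_FLAGS[direction]
    return [addr_flag, remote_ip_prefix, iface_flag, ext_dev]

def parse_meter_rule(line):
    """Return (chain, {flag: value}) for a neutron-meter-r-* rule, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A" or not tokens[1].startswith("neutron-meter-r-"):
        return None
    opts = {}
    it = iter(tokens[2:])
    for tok in it:
        if tok in ("-s", "-d", "-i", "-o", "-j"):
            opts[tok] = next(it, None)
    return tokens[1], opts

def audit(iptables_save_text):
    """List (chain, direction, found, should_be) for rules with a reversed address flag."""
    findings = []
    for line in iptables_save_text.splitlines():
        parsed = parse_meter_rule(line)
        if parsed is None:
            continue
        chain, opts = parsed
        for direction, (iface_flag, addr_flag) in MATCH_FLAGS.items():
            wrong = "-s" if addr_flag == "-d" else "-d"
            if iface_flag in opts and wrong in opts:
                findings.append((chain, direction, f"{wrong} {opts[wrong]}", f"{addr_flag} {opts[wrong]}"))
    return findings

if __name__ == "__main__":
    for finding in audit(REVERSED):
        print(finding)
```
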
Akihiro Motoki (amotoki) wrote :

According to the Networking API reference [1], there is no detailed description of "remote_ip_prefix", but considering the security group rule API definition, it is reasonable to regard "remote_ip_prefix" as destination address/cidr for egress traffic and vice versa.

[1] http://developer.openstack.org/api-ref-networking-v2-ext.html#createMeteringLabelRule

Changed in neutron:
status: New → Triaged
importance: Undecided → Medium
Changed in neutron:
assignee: nobody → Yu Fukuyama (piano-cajon)
Akihiro Motoki (amotoki)
tags: added: metering
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/260323

Changed in neutron:
status: Triaged → In Progress
Akihiro Motoki (amotoki) wrote :

remote_ip_prefix of metering label rule is unclear and should be updated.

According to the discussion in the review in neutron,
for egress direction, remote_ip_prefix is a destination IP address or ranges
and for ingress direction, it means a source IP (range).

Akihiro Motoki (amotoki)
Changed in openstack-api-site:
assignee: nobody → Akihiro Motoki (amotoki)
Atsushi SAKAI (sakaia) wrote :

@yu @Akihiro
In my opinion, the patch for neutron is not merged yet.
So it should write APIimpact in the git commit message for the neutron patch.
https://review.openstack.org/260323
Then api-site should care.

Akihiro Motoki (amotoki) wrote :

@Atsushi,

The description itself is ambiguous. It is not directly related to the bug filed to neutron.
I filed bug 1529262 against api-site and will remove api-site from the affected project of this bug.

no longer affects: openstack-api-site
Changed in neutron:
assignee: Yu Fukuyama (piano-cajon) → Akihiro Motoki (amotoki)
Akihiro Motoki (amotoki)
Changed in neutron:
assignee: Akihiro Motoki (amotoki) → Yu Fukuyama (piano-cajon)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/260323
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6659a935589bf0e4ab57616c256b94f77d2ef107
Submitter: Jenkins
Branch: master

commit 6659a935589bf0e4ab57616c256b94f77d2ef107
Author: Yu Fukuyama <email address hidden>
Date: Tue Dec 22 05:17:30 2015 +0000

    Fix meter label rule creation

    In the case of outbound traffic, set remote_ip to dst.
    In the case of inbound traffic, set remote_ip to src.

    Change-Id: I7f27b93efa67baf3efccaa94f6a1337d6886e230
    Closes-Bug: #1528137
    DocImpact: Clarify remote_ip_prefix description of metering label rule in API site

Changed in neutron:
status: In Progress → Fix Released
Akihiro Motoki (amotoki)
tags: added: liberty-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/267381

Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.0.0.0b2

This issue was fixed in the openstack/neutron 8.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/liberty)

Change abandoned by Yu Fukuyama (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/267381
Reason: it changes behaviour and may break existing labels.

tags: removed: liberty-backport-potential