l3 iptables floating IP rules don't match iptables rules
Bug #1566007 reported by Kevin Benton
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Brian Haley |
Bug Description
The floating IP translation rules generated by the l3 agent do not match the format in which they are returned by iptables. This causes the iptables diffing code to think they are different and replace every one of them on an iptables apply call, which is very expensive.
See https:/
Changed in neutron: | |
assignee: | nobody → Kevin Benton (kevinbenton) |
Changed in neutron: | |
status: | New → In Progress |
Changed in neutron: | |
assignee: | Kevin Benton (kevinbenton) → Brian Haley (brian-haley) |
Changed in neutron: | |
importance: | Undecided → Medium |
tags: | added: neutron-proactive-backport-potential |
tags: | removed: neutron-proactive-backport-potential |
Reviewed: https://review.openstack.org/301335
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b8d520ffe2afbffe26b554bff55165531e36e758
Submitter: Jenkins
Branch: master
commit b8d520ffe2afbffe26b554bff55165531e36e758
Author: Kevin Benton <email address hidden>
Date: Fri Apr 1 02:42:54 2016 -0700
L3 agent: match format used by iptables

This fixes the iptables rules generated by the L3 agent
(SNAT, DNAT, set-mark and metadata), and the DHCP agent
(checksum-fill) to match the format that will be returned
by iptables-save to prevent excessive extra replacement
work done by the iptables manager.

It also fixes the iptables test that was not passing the
expected arguments (-p PROTO -m PROTO) for block rules.

A simple test was added to the L3 agent to ensure that the
rules have converged during the normal lifecycle tests.

Closes-Bug: #1566007
Change-Id: I5e8e27cdbf0d0448011881614671efe53bb1b6a1
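An added illustration of the failure mode described in the bug report and the commit message above (not Neutron's code): a text-based differ keeps replacing rules that are not written in the form iptables-save returns. The chain names, the addresses and the three rewrites in `as_saved` are assumptions that model only a small part of what iptables-save does.

```python
import re

# Constructed sample rules (documentation addresses, hypothetical chain names).
# Shorthand forms that iptables accepts but iptables-save does not echo back.
SHORTHAND = [
    "-A float-PREROUTING -d 203.0.113.10 -j DNAT --to 10.0.0.5",
    "-A float-snat -s 10.0.0.5 -j SNAT --to-source 203.0.113.10",
    "-A float-INPUT -p tcp --dport 9697 -j DROP",
]


def as_saved(rule):
    """Toy model of iptables-save output, covering only three rewrites."""
    # Bare IPv4 addresses after -s/-d gain an explicit /32 mask.
    rule = re.sub(r"(-[sd] \d+\.\d+\.\d+\.\d+)(?= )", r"\1/32", rule)
    # The abbreviated DNAT option is printed under its full name.
    rule = re.sub(r"-j DNAT --to (?=\d)", "-j DNAT --to-destination ", rule)
    # A protocol's implicit match module is printed explicitly.
    rule = re.sub(r"-p (\w+) (?!-m \1\b)", r"-p \1 -m \1 ", rule)
    return rule


def diff_rules(saved, desired):
    """Plain text comparison, as a string-based rule differ would do."""
    remove = [r for r in saved if r not in desired]
    add = [r for r in desired if r not in saved]
    return remove, add


def churn_per_apply(desired, applies=3):
    """Rule changes made on each of several applies of an unchanged rule set."""
    kernel = []  # what iptables-save would report; starts empty
    churn = []
    for _ in range(applies):
        remove, add = diff_rules(kernel, desired)
        churn.append(len(remove) + len(add))
        kernel = [as_saved(r) for r in desired]  # state after the apply
    return churn


if __name__ == "__main__":
    print("shorthand: ", churn_per_apply(SHORTHAND))
    print("saved form:", churn_per_apply([as_saved(r) for r in SHORTHAND]))
```

With the shorthand rules every apply after the first removes and re-adds all three rules; with rules already in the saved form the diff is empty from the second apply on, which is the convergence the added L3 agent test checks for.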