iptables manager wrongly deletes other agents' rules

Bug #1664782 reported by Nell Jerram
Affects: neutron
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Calico's Felix agent generates iptables chains that intentionally
include rules that the Neutron iptables_manager code considers to be
duplicates - as revealed by logs like these from the DHCP agent:

2017-02-02 18:50:29.482 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-to-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-to-3d959cf9-36 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-from-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-from-3d959cf9-36 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN

IIUC, iptables_manager then reprograms iptables with these 'duplicates'
removed, and thereby breaks Calico's iptables.

Tags: sg-fw
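The following is an added example, written for this page and not code from neutron or Calico, that models the interaction the report describes: a chain in which the same mark-check RETURN rule is intentionally repeated after each profile jump, and a duplicate filter that keys on the literal rule text and keeps only the first copy (an assumption about the linked iptables_manager.py logic, simplified to a single chain). The chain name and mark value are taken from the log lines above; the profile chain names, the packet shape and the "first copy wins" dedup semantics are assumptions. Running it shows that a packet accepted by the second profile is accepted before deduplication and dropped after it.

```python
import re

# Constructed chain (added example, not Calico's generated rules). Each
# profile chain may set the accept mark; the identical RETURN-on-mark rule
# follows every profile jump on purpose.
ACCEPT_MARK = 0x1000000
MARK_RULE = ('-m mark --mark 0x1000000/0x1000000 '
             '-m comment --comment "Profile accepted packet" -j RETURN')
CONSTRUCTED_CHAIN = [
    '-A felix-from-ebf1bc0b-ba -j felix-p-web-i',
    '-A felix-from-ebf1bc0b-ba ' + MARK_RULE,
    '-A felix-from-ebf1bc0b-ba -j felix-p-ssh-i',
    '-A felix-from-ebf1bc0b-ba ' + MARK_RULE,
    '-A felix-from-ebf1bc0b-ba -m comment --comment "Drop if no profile matched" -j DROP',
]

# Hypothetical profile chains: each returns True when it would set the mark.
PROFILES = {
    'felix-p-web-i': lambda pkt: pkt['dport'] == 80,
    'felix-p-ssh-i': lambda pkt: pkt['dport'] == 22,
}

MARK_MATCH = re.compile(r'--mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)')


def weed_out_duplicates(lines, warnings):
    """Assumed model of the neutron filter: keep the first copy of each
    identical line, warn about and drop every later copy."""
    seen = set()
    kept = []
    for line in lines:
        if line in seen:
            warnings.append('Duplicate iptables rule detected. Line: ' + line)
            continue
        seen.add(line)
        kept.append(line)
    return kept


def evaluate(chain, packet, profiles):
    """Walk one chain for one packet; return 'RETURN' (accepted by a profile)
    or 'DROP'. Only the three rule shapes used above are understood."""
    mark = 0
    for line in chain:
        target = line.rsplit(' -j ', 1)[1]
        if target in profiles:                      # jump to a profile chain
            if profiles[target](packet):
                mark |= ACCEPT_MARK
        elif target == 'RETURN':                    # "-m mark --mark value/mask"
            value, mask = (int(x, 16) for x in MARK_MATCH.search(line).groups())
            if mark & mask == value:
                return 'RETURN'
        elif target == 'DROP':
            return 'DROP'
    return 'RETURN'  # end of chain without a verdict: return to the caller


def verdicts(packet):
    """Verdict before and after deduplication, plus the warning count."""
    warnings = []
    before = evaluate(CONSTRUCTED_CHAIN, packet, PROFILES)
    after = evaluate(weed_out_duplicates(CONSTRUCTED_CHAIN, warnings),
                     packet, PROFILES)
    return before, after, len(warnings)


if __name__ == '__main__':
    for dport in (80, 22, 443):
        print(dport, verdicts({'dport': dport}))
```

The dropped rule is the second mark check, so any packet whose mark is set only by a later profile falls through to the final DROP. The repeated line is semantically distinct because a different rule may have set the mark in between; a filter that compares rule text alone cannot see that.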
Changed in neutron:
assignee: nobody → Neil Jerram (neil-jerram)
status: New → In Progress
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

If I recall correctly this behavior is considered buggy by neutron. Better to check with Kevin before diving in a fix campaign.

http://git.openstack.org/cgit/openstack/neutron/tree/neutron/agent/linux/iptables_manager.py#n620

tags: added: sg-fw
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

That aside, without a level of coordination, it's only natural to expect the neutron agent to wipe unrecognized rules.

Revision history for this message
Nell Jerram (neil-jerram) wrote :

Hey Armando - I should record that there is already some discussion of this between Kevin and me in https://review.openstack.org/#/c/428764/. (Unfortunately I did things the wrong way round: patch first, and this bug later. But from now on that will hopefully be rectified.)

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Excellent! I appreciate the feedback.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Neil Jerram (<email address hidden>) on branch: master
Review: https://review.openstack.org/428764

Changed in neutron:
assignee: Neil Jerram (neil-jerram) → nobody
Changed in neutron:
status: In Progress → Won't Fix