Neutron duplicated provider rule for ICMPv6 Router Advertisements

Bug #1708465 reported by Maciej Jozefczyk
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Slawek Kaplonski

Bug Description

Change https://review.openstack.org/#/c/432506/ introduced a new way of providing provider rules to the SG agent. ICMPv6 RA rule generation has been moved to neutron/db/securitygroups_rpc_base.py, but it was not removed from neutron/agent/linux/iptables_firewall.py.

As a result, each time we update an SG rule, there is a warning in the neutron logs about rule duplication:

2017-08-03 10:41:12.873 28184 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-openvswi-PREROUTING -i gwbf6069f7-2cc -j CT

=== How to reproduce ===
1. Spawn devstack.
2. Boot VM
3. Add new rule to SG which this VM uses.
4. Observe neutron-openvswitch-agent logs.

=== Environment ===
Upstream master devstack.
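
One way to carry out step 4 on a saved agent log, for example to confirm on an upgraded node that the warning has stopped. This is an added example, not part of the bug report or of neutron's code; the function names are hypothetical, and every sample line after the first is constructed in the format of the warning quoted above.

```python
import re
from collections import Counter

# Matches the WARNING from neutron.agent.linux.iptables_manager in the format
# quoted in the bug description and captures the offending rule text.
DUP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \d+ WARNING "
    r"neutron\.agent\.linux\.iptables_manager .*?"
    r"Duplicate iptables rule detected\..*? Line: (?P<rule>-A \S+ .*)$"
)

_WARN = ("28184 WARNING neutron.agent.linux.iptables_manager [-] Duplicate "
         "iptables rule detected. This may indicate a bug in the the "
         "iptables rule generation code. Line: ")

SAMPLE_LOG = [
    # First line is the one quoted in the report; the rest are constructed.
    "2017-08-03 10:41:12.873 " + _WARN
    + "-A neutron-openvswi-PREROUTING -i gwbf6069f7-2cc -j CT",
    "2017-08-03 10:41:14.101 " + _WARN
    + "-A neutron-openvswi-PREROUTING -i gwbf6069f7-2cc -j CT",
    "2017-08-03 10:41:14.102 " + _WARN
    + "-A neutron-openvswi-i0a1b2c3d-4 -p ipv6-icmp -m icmp6 "
      "--icmpv6-type 134 -j RETURN",
    "2017-08-03 10:41:14.300 28184 INFO neutron.agent.securitygroups_rpc "
    "[-] constructed non-matching line",
]

def duplicate_rules(log_lines):
    """Return a Counter mapping (chain, rule) to the number of warnings."""
    hits = Counter()
    for line in log_lines:
        m = DUP_RE.match(line.strip())
        if m:
            rule = m.group("rule").strip()
            hits[(rule.split()[1], rule)] += 1  # token after -A is the chain
    return hits

def warnings_per_chain(hits):
    """Collapse the per-rule counts to a total per iptables chain."""
    totals = Counter()
    for (chain, _rule), count in hits.items():
        totals[chain] += count
    return dict(totals)

if __name__ == "__main__":
    for (chain, rule), count in duplicate_rules(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {chain}  {rule}")
```

An empty result from duplicate_rules() over a log captured after a security group rule update means the agent no longer reports duplicated rules.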

Changed in neutron:
assignee: nobody → Maciej Jozefczyk (maciej.jozefczyk)
Changed in neutron:
status: New → In Progress
Changed in neutron:
assignee: Maciej Jozefczyk (maciej.jozefczyk) → nobody
status: In Progress → New
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
Boden R (boden)
Changed in neutron:
importance: Undecided → Low
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/503779

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/503779
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0dcf3d20c2e5c2592e9674e7277acce4eff98341
Submitter: Jenkins
Branch: master

commit 0dcf3d20c2e5c2592e9674e7277acce4eff98341
Author: Sławek Kapłoński <email address hidden>
Date: Wed Sep 13 17:24:03 2017 +0000

    Remove duplicated ICMPv6 RA rule from iptables firewall

    Change Ibfbf011284cbde396f74db9d982993f994082731 moves
    generation of ICMPv6 RA rule from being hardcoded
    in iptables_firewall to being generated on server
    side and passed to agent.

    Unfortunately it wasn't removed from iptables_firewall
    and it was still added to rules which should be applied
    by firewall driver.
    That caused issue with warning message about duplicated rule
    detected.

    This patch removes this hardcoded rule to stop logging messages
    about duplicated rules.

    Change-Id: Ic5e95405d4dd8ffbe8ec5b053aed257aec91b1c8
    Closes-Bug: #1708465

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/504550

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/504550
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=157c5c261d95e40f2916f0cb91f3d529f2490457
Submitter: Jenkins
Branch: stable/pike

commit 157c5c261d95e40f2916f0cb91f3d529f2490457
Author: Sławek Kapłoński <email address hidden>
Date: Wed Sep 13 17:24:03 2017 +0000

    Remove duplicated ICMPv6 RA rule from iptables firewall

    Change Ibfbf011284cbde396f74db9d982993f994082731 moves
    generation of ICMPv6 RA rule from being hardcoded
    in iptables_firewall to being generated on server
    side and passed to agent.

    Unfortunately it wasn't removed from iptables_firewall
    and it was still added to rules which should be applied
    by firewall driver.
    That caused issue with warning message about duplicated rule
    detected.

    This patch removes this hardcoded rule to stop logging messages
    about duplicated rules.

    Change-Id: Ic5e95405d4dd8ffbe8ec5b053aed257aec91b1c8
    Closes-Bug: #1708465
    (cherry picked from commit 0dcf3d20c2e5c2592e9674e7277acce4eff98341)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.1

This issue was fixed in the openstack/neutron 11.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b1

This issue was fixed in the openstack/neutron 12.0.0.0b1 development milestone.
