OVS firewall should drop iptables rules if it detects a bridge

Bug #1721895 reported by Kevin Benton
This bug affects 1 person
Affects: neutron; Status: Fix Released; Importance: Undecided; Assigned to: Jakub Libosvar

Bug Description

When a user switches from the hybrid firewall to the OVS native firewall the iptables rules will be left behind on the filtering bridge. Since removing the bridge would require difficult coordination with Nova and it would be disruptive to traffic, that is currently not a viable approach.

To make the transition easier, the OVS firewall should at least detect when one of its VM ports contains a filtering bridge and drop all of the iptables rules on it so we don't have stale rules interfering with the traffic.

Changed in neutron:
assignee: nobody → Jakub Libosvar (libosvar)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/510628

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/510628
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9d74de162a2dd7bf5c2df59ccf9ff812f8e46387
Submitter: Jenkins
Branch: master

commit 9d74de162a2dd7bf5c2df59ccf9ff812f8e46387
Author: Jakub Libosvar <email address hidden>
Date: Mon Oct 9 15:33:32 2017 +0000

    ovs-fw: Remove iptables rules on hybrid ports

    ovs-firewall now scans ports on its bridge and stores those that have
    the prefix 'qvo', which means such ports use hybrid plugging. Because
    ovs-agent does a full sync when it is started, all ports that reside on
    the node are passed to the firewall driver to refresh the firewall; a
    new helper was added for this.

    In case the initial scan noticed hybrid-plugged ports, an iptables
    firewall driver is instantiated and each port is passed down to the
    helper that removes the iptables rules for the given port.

    Once all ports are processed, a mark is added to ovsdb to avoid cleaning
    iptables in the future. That means next time ovs-agent is started
    iptables firewall will not be instantiated.

    NOTE: Fullstack tests are a great candidate to cover the migration but
          I'll leave it as TODO after we stabilize fullstack tests.

    Closes-bug: #1721895

    Change-Id: I662c310133a089bf29b734c539e57a8cff923074
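The cleanup flow the commit message describes (scan the bridge for 'qvo' ports, drop each port's iptables rules once, then record a marker in OVSDB so later agent starts skip the iptables driver), modelled as a stand-alone added example. This is not neutron's code: the port names, the marker key and the cleanup callback are constructed stand-ins.

```python
"""Stand-alone model of the ovs-fw hybrid-port cleanup. Constructed example:
the port names, MARKER_KEY and the remove_rules callback are assumptions,
not neutron's own identifiers."""

HYBRID_PREFIX = "qvo"               # hybrid plugging names the OVS-side veth end qvoXXXX
MARKER_KEY = "hybrid_cleanup_done"  # assumed key standing in for the OVSDB mark


def hybrid_ports(port_names):
    """Return the ports on the bridge that use hybrid (iptables) plugging."""
    return sorted(p for p in port_names if p.startswith(HYBRID_PREFIX))


def migrate_hybrid_ports(port_names, external_ids, remove_rules):
    """One-shot cleanup run at agent start.

    port_names   -- names of all ports on the integration bridge (full sync)
    external_ids -- dict standing in for the bridge's OVSDB external_ids column
    remove_rules -- callback that drops the iptables rules for one hybrid port

    Returns the ports cleaned on this run. The marker makes the procedure
    idempotent: once set, later agent starts never touch iptables again.
    """
    if external_ids.get(MARKER_KEY) == "true":
        return []
    cleaned = []
    for port in hybrid_ports(port_names):
        remove_rules(port)
        cleaned.append(port)
    # Set the mark only after every port was processed, so a run that is
    # interrupted mid-way is retried in full on the next agent start.
    external_ids[MARKER_KEY] = "true"
    return cleaned


if __name__ == "__main__":
    # Constructed bridge state: two hybrid-plugged ports, one native tap, one patch port.
    ports = ["qvo1a2b3c4d-5e", "tap9f8e7d6c-5b", "qvo6f7e8d9c-0a", "patch-tun"]
    ovsdb = {}
    dropped = []
    first = migrate_hybrid_ports(ports, ovsdb, dropped.append)
    second = migrate_hybrid_ports(ports, ovsdb, dropped.append)
    print("cleaned on first run:", first)    # the two qvo ports
    print("cleaned on second run:", second)  # [] because the marker is set
```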

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b1

This issue was fixed in the openstack/neutron 12.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/518332
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c135c5672a2b34a371693fb1222acde17bdd28a4
Submitter: Zuul
Branch: master

commit c135c5672a2b34a371693fb1222acde17bdd28a4
Author: david shaughnessy <email address hidden>
Date: Tue Nov 7 13:25:13 2017 +0000

    broken HybridIptablesHelper function override

    When creating the hybrid firewall helper class, the
    _remove_conntrack_entries_from_port_deleted function is
    overloaded; the overloaded version does not have a "self" parameter
    and fails when it is called by the neutron agent.

    This patch adds in the self parameter and adds a test to
    ensure it is correctly overloaded.

    Related-bug: 1721895

    Change-Id: Ifc6c8510f70e9336fbf626db8bbacf206ad0d08c
