IPtables firewall code sometimes tries to remove non-existent rules

Bug #1765208 reported by Brian Haley
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Brian Haley
Milestone: (not set)

Bug Description

I've seen errors like this in some of the OVS agent logs recently:

WARNING neutron.agent.linux.iptables_manager [None req-61600016-733c-44f2-a96c-d9f62b7e049c None None] Tried to remove rule that was not there: 'PREROUTING' u'-m physdev --physdev-in brq0b54770c-65 -m comment --comment "Set zone for 43bcf43-ba" -j CT --zone 4101' True False
(there are usually 5 more similar lines)

Looking into it, the line right before we had allocated a conntrack zone:

DEBUG neutron.agent.linux.ip_conntrack [None req-61600016-733c-44f2-a96c-d9f62b7e049c None None] Assigned CT zone 4101 to device 0b54770c-65

So we allocate a zone and immediately try and remove some iptables rules associated with it, but they won't exist since the zone was just allocated. Instead, we should return early if there was no zone - the caller in question is _remove_conntrack_jump(), which is being called when we're removing a set of chains.

Tags: sg-fw
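The sequence described in the report (zone lookup that allocates on miss, followed by removal of rules that were never installed) and the early-return fix, as an added model written for this page. This is not neutron code: ZoneTable, RuleTable, conntrack_jump_rules and the two remove_conntrack_jump_* functions are hypothetical stand-ins for ip_conntrack, iptables_manager and the firewall's _remove_conntrack_jump(); the zone range start, the device id and the two chains are constructed for the example.

```python
"""Model of the conntrack-zone bookkeeping described in bug #1765208.

Added illustration for this page, not code from neutron. Class and function
names are hypothetical stand-ins; zone numbers and device ids are constructed.
"""
import logging

log = logging.getLogger("ct_zone_model")
logging.basicConfig(level=logging.WARNING)


class ZoneTable:
    """Per-device conntrack zone allocation.

    get_zone() allocates on lookup, which is the behaviour that produced the
    'Assigned CT zone ...' debug line right before the warnings in the report.
    peek_zone() is a non-allocating lookup (assumed name)."""

    def __init__(self, first_zone=4097):  # range start is an assumption
        self._zones = {}
        self._next = first_zone

    def get_zone(self, device):
        if device not in self._zones:
            self._zones[device] = self._next
            log.debug("Assigned CT zone %d to device %s", self._next, device)
            self._next += 1
        return self._zones[device]

    def peek_zone(self, device):
        return self._zones.get(device)

    def allocated(self):
        return len(self._zones)


class RuleTable:
    """Stand-in for iptables_manager: a set of (chain, rule) pairs that logs
    and records a warning when asked to remove a rule it does not hold."""

    def __init__(self):
        self._rules = set()
        self.warnings = []

    def add_rule(self, chain, rule):
        self._rules.add((chain, rule))

    def remove_rule(self, chain, rule):
        if (chain, rule) not in self._rules:
            msg = f"Tried to remove rule that was not there: {chain!r} {rule!r}"
            self.warnings.append(msg)
            log.warning(msg)
            return
        self._rules.remove((chain, rule))

    def count(self):
        return len(self._rules)


def conntrack_jump_rules(device, zone):
    """'Set zone' jump rules for a port's bridge device (two chains here;
    the real agent emits several per port)."""
    rule = (f'-m physdev --physdev-in brq{device} -m comment '
            f'--comment "Set zone for {device}" -j CT --zone {zone}')
    return [("PREROUTING", rule), ("OUTPUT", rule)]


def add_conntrack_jump(rules, zones, device):
    zone = zones.get_zone(device)
    for chain, rule in conntrack_jump_rules(device, zone):
        rules.add_rule(chain, rule)
    return zone


def remove_conntrack_jump_buggy(rules, zones, device):
    """Pre-fix shape: the lookup allocates a zone for a device that never had
    one, then every removal targets a rule that was never added."""
    zone = zones.get_zone(device)
    for chain, rule in conntrack_jump_rules(device, zone):
        rules.remove_rule(chain, rule)
    return zone


def remove_conntrack_jump_fixed(rules, zones, device):
    """Post-fix shape: no zone means nothing to remove, so return early
    without allocating anything or touching iptables."""
    zone = zones.peek_zone(device)
    if zone is None:
        return None
    for chain, rule in conntrack_jump_rules(device, zone):
        rules.remove_rule(chain, rule)
    return zone


def restart_without_ports(remove):
    """Agent restart removing chains for a port with no zone on this node.
    Returns (warnings, zone returned, zones allocated)."""
    rules, zones = RuleTable(), ZoneTable()
    zone = remove(rules, zones, "0b54770c-65")  # constructed device id
    return rules.warnings, zone, zones.allocated()


def normal_lifecycle(remove):
    """Add, then remove, the same port: both variants must stay quiet.
    Returns (warnings, zone returned, rules left behind)."""
    rules, zones = RuleTable(), ZoneTable()
    add_conntrack_jump(rules, zones, "0b54770c-65")
    zone = remove(rules, zones, "0b54770c-65")
    return rules.warnings, zone, rules.count()
```

Calling restart_without_ports(remove_conntrack_jump_buggy) reproduces the pattern in the report: a fresh zone is handed out and every jump rule removal logs "Tried to remove rule that was not there", while restart_without_ports(remove_conntrack_jump_fixed) allocates nothing and logs nothing. normal_lifecycle shows the early return does not change the ordinary add-then-remove path, which is the check worth keeping around such a fix.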
Revision history for this message
YAMAMOTO Takashi (yamamoto) wrote :

does it have any ill effects? or just annoying warnings?

Changed in neutron:
status: New → Incomplete
Revision history for this message
Brian Haley (brian-haley) wrote :

Sorry, somehow your questions went to my Spam folder :(

It is just an annoying warning, and I have a change I was going to propose as well.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/563730

Changed in neutron:
status: Incomplete → In Progress
Changed in neutron:
importance: Undecided → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/563730
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dbed642c4ca93e77dc53d8aac9086ab2e60ebaa9
Submitter: Zuul
Branch: master

commit dbed642c4ca93e77dc53d8aac9086ab2e60ebaa9
Author: Brian Haley <email address hidden>
Date: Mon Apr 23 14:24:13 2018 -0400

    Do not remove conntrack jump rules if no zone

    In corner cases, the firewall code could try and remove
    non-existent conntrack zone jump rules if a zone has never
    been allocated. This could happen on an agent restart
    when there are no longer ports in the zone on the
    compute node. Skip the removal since it will just generate
    an iptables warning complaining the existing rule does
    not exist.

    Change-Id: Ie32733b4a06b6d75cf1eb78915a510a4bb78f619
    Closes-bug: #1765208

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.0.0b2

This issue was fixed in the openstack/neutron 13.0.0.0b2 development milestone.
