Iptables rules for unbound ports removed during agent sync
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Expired | Undecided | Unassigned |
Bug Description
Hi.
Using Octavia with the Neutron DVR-HA scheme, it looks like we have a problem with iptables rules in SNAT namespaces. During the initial Octavia LBaaS create, the following iptables forward rules are also created:
# ip netns exec snat-7fd10a01-
# ip netns exec snat-7fd10a01-
Traffic flows fine, but after a full resync of the l3 agent on the network node these rules disappear from the namespaces and never come back until recreated manually. After creating these rules in the router namespaces, traffic flows fine again.
After a short investigation of this issue, it looks like something is missed when creating rules for unbound neutron ports.
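The report describes rules that are present right after the load balancer is created and gone after an l3-agent resync. A way to confirm that on a network node, as an added example that is not part of the bug report or of Neutron, is to dump the FORWARD chain of every `snat-*` namespace before and after the resync and diff the two snapshots. The namespace names and rule text used in the usage comments and in the constructed test data are placeholders; the actual rules from the report are truncated above and are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the bug report: snapshot the FORWARD chain of every
# snat-* namespace on a network node before and after an l3-agent resync, then
# list the rules that disappeared. Namespace names and rule text in the usage
# notes are constructed placeholders, not values from the report.

# Dump one chain of one namespace in iptables-restore style, sorted so that
# two dumps can be compared with comm(1).
dump_chain() {
    ns="$1"; chain="$2"
    ip netns exec "$ns" iptables -S "$chain" | sort
}

# Rules present in the "before" dump ($1) but absent from the "after" dump ($2).
# Both files must be sorted (dump_chain already sorts).
missing_rules() {
    comm -23 "$1" "$2"
}

# Number of rules that vanished, printed as a plain integer.
count_missing() {
    missing_rules "$1" "$2" | wc -l | tr -d ' '
}

# Snapshot every snat-* namespace into $1/<ns>.rules
snapshot_all() {
    dir="$1"
    for ns in $(ip netns list | awk '/^snat-/ {print $1}'); do
        dump_chain "$ns" FORWARD > "$dir/$ns.rules"
    done
}

# Compare two snapshot directories; print per-namespace losses and return 1
# if any rule (or any whole namespace) is missing after the resync.
compare_all() {
    before_dir="$1"; after_dir="$2"; rc=0
    for f in "$before_dir"/*.rules; do
        [ -f "$f" ] || continue
        ns=$(basename "$f" .rules)
        if [ ! -f "$after_dir/$ns.rules" ]; then
            echo "$ns: namespace gone after resync"; rc=1; continue
        fi
        n=$(count_missing "$f" "$after_dir/$ns.rules")
        if [ "$n" != "0" ]; then
            echo "$ns: $n FORWARD rule(s) disappeared:"
            missing_rules "$f" "$after_dir/$ns.rules" | sed 's/^/    /'
            rc=1
        fi
    done
    return $rc
}

# Usage (paths are placeholders):
#   sh check_snat_rules.sh snapshot /tmp/before
#   ... restart or resync neutron-l3-agent ...
#   sh check_snat_rules.sh snapshot /tmp/after
#   sh check_snat_rules.sh compare /tmp/before /tmp/after
case "${1-}" in
    snapshot) snapshot_all "$2" ;;
    compare)  compare_all "$2" "$3" ;;
esac
```

Run the two snapshots as root on the network node hosting the SNAT namespaces; a non-zero exit from `compare` together with the printed rule lines is the evidence worth attaching to the report, and the same diff run after a manual re-add of the rules shows whether the agent later removes them again.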
Changed in neutron:
status: New → Incomplete
A few questions to help clarify things if you don't mind:
- What version of OpenStack are you running?
- Is it easy enough to recreate this using devstack?
- Are there any relevant log snippets from the agents and/or other services?