Iptables rules for unbound ports removed during agent sync

Bug #1826066 reported by Dmitry Kudyukin
This bug affects 2 people
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi.

Using Octavia with the Neutron DVR-HA scheme, it looks like there is a problem with iptables rules in SNAT namespaces. During the initial creation of the Octavia LBaaS, the following iptables forward rules are also created:

# ip netns exec snat-7fd10a01-bf15-4603-81d5-d94412b007ab iptables -A neutron-vpn-agen-OUTPUT -d fip-ip -j DNAT --to-destination 10.0.0.20 -t nat
# ip netns exec snat-7fd10a01-bf15-4603-81d5-d94412b007ab iptables -A neutron-vpn-agen-PREROUTING -d fip-ip -j DNAT --to-destination 10.0.0.20 -t nat

And traffic flows well, but after a full resync of the l3 agent on the network node, these rules disappear from the namespaces and never come back until recreated manually. After creating these rules in the router namespaces, the traffic flows well again.

After a short investigation of this issue, it looks like something is missing when creating rules for unbound neutron ports.
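As an added example, not part of the bug report or of neutron's own code: a POSIX shell check that reads iptables-save -t nat output taken inside an SNAT namespace and reports which of the two agent chains is missing the DNAT rule for a floating IP, so an operator can confirm after an l3-agent resync whether the rules survived. The addresses 203.0.113.10 and 10.0.0.20 and both sample tables are constructed; the chain prefix neutron-vpn-agen is the one visible in the report, and a different prefix can be passed if the agent in use names its chains differently.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a DVR SNAT namespace
# still carries both DNAT rules for a floating IP after an l3-agent resync.
# Addresses, namespace id and sample tables below are constructed placeholders.

# missing_fip_dnat PREFIX FIP FIXED_IP
#   Reads `iptables-save -t nat` output on stdin and prints the name of every
#   agent chain that lacks the expected DNAT rule. Exit status 0 when both
#   rules are present, 1 when at least one is missing.
missing_fip_dnat() {
    prefix=$1 fip=$2 fixed=$3
    rules=$(cat)            # stdin can only be read once, so keep it in a variable
    status=0
    for chain in OUTPUT PREROUTING; do
        # Exactly how iptables-save renders the rules the report shows being added.
        want="-A ${prefix}-${chain} -d ${fip}/32 -j DNAT --to-destination ${fixed}"
        # -x: the whole line must match, -F: literal string (dots in IPs stay dots)
        if ! printf '%s\n' "$rules" | grep -qxF -- "$want"; then
            echo "${prefix}-${chain}"
            status=1
        fi
    done
    return $status
}

# Constructed sample: the nat table right after the floating IP is associated,
# with both rules present (matching the two commands quoted in the report).
NAT_BEFORE_RESYNC='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A neutron-vpn-agen-OUTPUT -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.20
-A neutron-vpn-agen-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.20
COMMIT'

# Constructed sample: the same table after a full resync in which the agent
# re-created its chains but not the rules for the unbound (Octavia VIP) port.
NAT_AFTER_RESYNC='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
COMMIT'

# check_sample before|after
#   Runs the check against one of the constructed tables and returns its verdict.
#   On a live network node the same check reads the real namespace instead
#   (router id is a placeholder):
#     ip netns exec snat-<router-id> iptables-save -t nat \
#         | missing_fip_dnat neutron-vpn-agen 203.0.113.10 10.0.0.20
check_sample() {
    case $1 in
        before) sample=$NAT_BEFORE_RESYNC ;;
        after)  sample=$NAT_AFTER_RESYNC ;;
        *)      echo "usage: check_sample before|after" >&2; return 2 ;;
    esac
    printf '%s\n' "$sample" | missing_fip_dnat neutron-vpn-agen 203.0.113.10 10.0.0.20
}
```

Run against the "after" sample the function lists both neutron-vpn-agen-OUTPUT and neutron-vpn-agen-PREROUTING and exits non-zero, which is the state the report describes; a non-zero exit on a live node right after a resync is the cheap signal that the floating IP's rules for an unbound port did not come back.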

Revision history for this message
Boden R (boden) wrote :

A few questions to help clarify things if you don't mind:

- What version of openstack are you running?
- Is it easy enough to recreate this using devstack?
- Are there any relevant log snippets from the agents and/or other services?

Revision history for this message
Brian Haley (brian-haley) wrote :

And from the output it looks like you are running the vpn-agent? Does this happen if you just run the regular l3-agent?

Boden R (boden)
Changed in neutron:
status: New → Incomplete
Revision history for this message
SFilatov (sergeyfilatov) wrote :

1. This is the OpenStack Ocata version (with some additional patches from the latest neutron version).
2. I haven't tried yet, though it looks like it's easy enough.
3. I'll try to reproduce and get some logs later.

Concerning the vpn agent question: this only reproduces on network nodes with DVR, so Octavia FIPs lose rules as well.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired