snat random-fully supported with iptables 1.6.0

Bug #1951564 reported by Maximilian Stinsky
This bug affects 2 people
Affects   Status        Importance   Assigned to   Milestone
neutron   Fix Released  Medium       Unassigned    (none)

Bug Description

With the following report https://bugs.launchpad.net/neutron/+bug/1814002 neutron was set to create SNAT rules with the --random-fully flag.

This is only getting applied with iptables 1.6.2, through a version check on neutron-l3-agent start.
--random-fully is already supported since iptables 1.6.0 for SNAT rules; 1.6.2 is only required for MASQUERADE.

As far as I can see neutron is only setting SNAT rules, so it would be reasonable to decrease the version check to 1.6.0. This would enable --random-fully for more deployments, as Ubuntu Bionic for example only ships with iptables 1.6.1.
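The report's point is that the usable iptables floor for --random-fully depends on the NAT target: 1.6.0 for SNAT, 1.6.2 for MASQUERADE, so a single agent-wide check at 1.6.2 needlessly disables port randomization on Bionic's 1.6.1. The following is an added example, not neutron's own code or the fix under review: it parses `iptables --version` output, applies a per-target minimum, and appends --random-fully to a POSTROUTING rule only when the installed version accepts it for that target. The helper names, the interface name, the CIDR and the SNAT address are assumptions constructed for the example.

```python
import re
import subprocess

# Minimum iptables version at which --random-fully is accepted for each NAT
# target, per the iptables 1.6.0 / 1.6.2 changelogs cited in the report.
RANDOM_FULLY_MIN_VERSION = {
    "SNAT": (1, 6, 0),
    "MASQUERADE": (1, 6, 2),
}

# Matches both legacy output ("iptables v1.6.1") and the nf_tables backend
# ("iptables v1.8.7 (nf_tables)"); the third component is optional.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_iptables_version(output):
    """Turn `iptables --version` output into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognized iptables version output: %r" % (output,))
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def random_fully_supported(version, target):
    """True if this iptables version accepts --random-fully for the given target.

    The check is per target: a 1.6.1 binary gets True for SNAT and False for
    MASQUERADE, which is exactly the case a flat 1.6.2 floor gets wrong.
    """
    try:
        minimum = RANDOM_FULLY_MIN_VERSION[target]
    except KeyError:
        raise ValueError("--random-fully is not defined for target %r" % (target,))
    return tuple(version) >= minimum


def build_nat_rule(version, target, source_cidr, out_iface, to_source=None):
    """Build the match/target part of a POSTROUTING rule for `iptables -t nat`.

    --random-fully is appended only when the installed iptables accepts it for
    this target, so the rule never fails to load on an older binary.
    """
    parts = ["-s", source_cidr, "-o", out_iface, "-j", target]
    if target == "SNAT":
        if to_source is None:
            raise ValueError("SNAT requires --to-source")
        parts += ["--to-source", to_source]
    if random_fully_supported(version, target):
        parts.append("--random-fully")
    return " ".join(parts)


def detect_installed_version(binary="iptables"):
    """Query the real binary on this host (only used when run stand-alone)."""
    out = subprocess.check_output([binary, "--version"], text=True)
    return parse_iptables_version(out)


if __name__ == "__main__":
    # Constructed sample: the Ubuntu Bionic case from the report (iptables 1.6.1).
    bionic = parse_iptables_version("iptables v1.6.1")
    # Hypothetical router interface and addresses, not taken from any deployment.
    for target in ("SNAT", "MASQUERADE"):
        rule = build_nat_rule(bionic, target, "10.0.0.0/24", "qg-example",
                              to_source="203.0.113.5" if target == "SNAT" else None)
        print("%-10s supported=%-5s  %s" % (target, random_fully_supported(bionic, target), rule))
```

To confirm the decision on a real host, load the produced rule with `iptables -t nat -A POSTROUTING ...` and read it back with `iptables -t nat -S POSTROUTING`: a binary that accepts the flag echoes `--random-fully` in the listing, an older one rejects the append with a usage error. Note that iptables-nft (1.8.x) is above both thresholds, so the distinction only matters on legacy 1.6.x binaries such as Bionic's.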

Hongbin Lu (hongbin.lu)
Changed in neutron:
status: New → Confirmed
Hongbin Lu (hongbin.lu)
Changed in neutron:
importance: Undecided → Medium
Lajos Katona (lajos-katona) wrote:

It seems there really is some support from 1.6.0:
https://www.netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt
Thanks

OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/822562

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/822562
Committed: https://opendev.org/openstack/neutron/commit/5e62eac7a97a251ab3f2330d65950a4b9e2a33cf
Submitter: "Zuul (22348)"
Branch: master

commit 5e62eac7a97a251ab3f2330d65950a4b9e2a33cf
Author: Maximilian Stinsky <email address hidden>
Date: Tue Dec 21 22:31:18 2021 +0100

    Reduce iptables version check from 1.6.2 to 1.6.0

    The check is required to check if --random-fully can be used.
    Neutron is only using MASQUERADE rules which --random-fully supports
    since version 1.6.0.

    Closes-Bug: #1951564
    Change-Id: I4d9a2f7d396d6cc8c958f5be635c2d3236e3fe4f

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/neutron 20.0.0.0rc1

This issue was fixed in the openstack/neutron 20.0.0.0rc1 release candidate.
