FWaaS rules lost on l3 agent restart

Bug #1973035 reported by Andy Gomez
Affects: neutron | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Iptables rules are lost in router namespace on restart of l3 agent.

Rules before restarting the L3 agent:
ip netns exec qrouter-b764e745-adfe-4f31-b0f7-dc68e4468b37 iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-INPUT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-accepted
-N neutron-l3-agent-dropped
-N neutron-l3-agent-fwaas-defau
-N neutron-l3-agent-iv4d0588aa2
-N neutron-l3-agent-local
-N neutron-l3-agent-ov4d0588aa2
-N neutron-l3-agent-rejected
-N neutron-l3-agent-scope
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-iv4d0588aa2
-A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-ov4d0588aa2
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4d0588aa2 -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4d0588aa2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4d0588aa2 -p tcp -m tcp --dport 22 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4d0588aa2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov4d0588aa2 -p icmp -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -d 10.40.95.125/32 -p tcp -m tcp --dport 53 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -d 10.40.95.125/32 -p udp -m udp --dport 53 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -d 10.0.0.0/8 -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4d0588aa2 -d 172.16.0.0/12 -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4d0588aa2 -d 192.168.0.0/16 -j neutron-l3-agent-dropped
-A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
-A neutron-l3-agent-scope -o qr-e3cb6269-3b -m mark ! --mark 0x4000000/0xffff0000 -j DROP

Rules after restart:

ip netns exec qrouter-b764e745-adfe-4f31-b0f7-dc68e4468b37 iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-INPUT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-local
-N neutron-l3-agent-scope
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-scope -o qr-e3cb6269-3b -m mark ! --mark 0x4000000/0xffff0000 -j DROP

Name: neutron-fwaas
Version: 16.0.1.dev3
Summary: OpenStack Networking FWaaS
Home-page: https://docs.openstack.org/neutron-fwaas/latest/
Author: OpenStack
Author-email: <email address hidden>
License: UNKNOWN
Location: /openstack/venvs/neutron-21.2.9/lib/python3.8/site-packages
Requires: neutron-lib, neutron, eventlet, oslo.config, pyroute2, os-ken, netaddr, six, oslo.db, oslo.log, oslo.utils, oslo.privsep, pyzmq, pbr, alembic, SQLAlchemy, oslo.messaging, oslo.service
Required-by:
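
A check a defender can run to catch exactly this class of regression, added here as an example that is not part of the report or of neutron-fwaas: parse two `iptables -S` snapshots of the router namespace, report every chain and rule that disappeared, and flag whether the FORWARD path still jumps into a FWaaS chain at all. With the FWaaS chains gone, forwarded traffic falls through to the built-in FORWARD policy (ACCEPT in both dumps above), so the router silently fails open. The sample input is a trimmed copy of the two dumps in this report; the chain-name fragments used to pick out FWaaS chains are an assumption drawn from the names seen here.

```python
"""Diff two `iptables -S` snapshots and flag lost FWaaS chains (added example)."""
import shlex
from dataclasses import dataclass, field

# Trimmed from the "before restart" dump in this report.
BEFORE = """
-P FORWARD ACCEPT
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-accepted
-N neutron-l3-agent-dropped
-N neutron-l3-agent-fwaas-defau
-N neutron-l3-agent-iv4d0588aa2
-N neutron-l3-agent-ov4d0588aa2
-N neutron-l3-agent-scope
-A FORWARD -j neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-iv4d0588aa2
-A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-ov4d0588aa2
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4d0588aa2 -p tcp -m tcp --dport 22 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -d 10.0.0.0/8 -j neutron-l3-agent-dropped
-A neutron-l3-agent-scope -o qr-e3cb6269-3b -m mark ! --mark 0x4000000/0xffff0000 -j DROP
"""

# Trimmed from the "after restart" dump in this report.
AFTER = """
-P FORWARD ACCEPT
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-scope
-A FORWARD -j neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-scope -o qr-e3cb6269-3b -m mark ! --mark 0x4000000/0xffff0000 -j DROP
"""

# Assumption: name fragments that identify chains managed by the FWaaS driver,
# taken from the chain names visible in this report.
FWAAS_MARKERS = ("fwaas", "-iv4", "-ov4", "-accepted", "-dropped", "-rejected")


@dataclass
class RuleSet:
    policies: dict = field(default_factory=dict)  # built-in chain -> policy
    chains: set = field(default_factory=set)      # every chain name seen
    rules: list = field(default_factory=list)     # (chain, rule text), in order


def parse_iptables_save(text):
    """Parse `iptables -S` output (-P / -N / -A lines) into a RuleSet."""
    rs = RuleSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        op = parts[0]
        if op == "-P":
            rs.policies[parts[1]] = parts[2]
            rs.chains.add(parts[1])
        elif op == "-N":
            rs.chains.add(parts[1])
        elif op == "-A":
            rs.rules.append((parts[1], " ".join(parts[2:])))
        else:
            raise ValueError(f"unexpected iptables -S line: {line!r}")
    return rs


def diff_rulesets(before, after):
    """Report what vanished, what appeared and which policies changed."""
    after_rules = set(after.rules)
    before_rules = set(before.rules)
    return {
        "missing_chains": sorted(before.chains - after.chains),
        "missing_rules": [r for r in before.rules if r not in after_rules],
        "added_rules": [r for r in after.rules if r not in before_rules],
        "changed_policies": {c: (p, after.policies.get(c))
                             for c, p in before.policies.items()
                             if after.policies.get(c) != p},
    }


def fwaas_chains_lost(diff):
    """Subset of missing chains that belong to the FWaaS driver."""
    return [c for c in diff["missing_chains"]
            if any(m in c for m in FWAAS_MARKERS)]


def fwaas_default_chain_wired(rs):
    """True if the agent's FORWARD chain still jumps into a fwaas chain.
    If not, forwarded traffic ends at the FORWARD policy (ACCEPT here)."""
    return any(chain == "neutron-l3-agent-FORWARD" and "-j " in rule
               and "fwaas" in rule.split("-j ", 1)[1]
               for chain, rule in rs.rules)


if __name__ == "__main__":
    d = diff_rulesets(parse_iptables_save(BEFORE), parse_iptables_save(AFTER))
    print("FWaaS chains lost:", fwaas_chains_lost(d))
    print("rules lost:", len(d["missing_rules"]))
```

On a live host the two snapshots would come from `ip netns exec qrouter-<id> iptables -S` taken before and after the agent restart; an empty `fwaas_chains_lost` result together with `fwaas_default_chain_wired` staying true is the condition to require before declaring the restart healthy.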

Tags: fwaas
Andy Gomez (agomerz) wrote :

Determined this was caused by not setting the fwaas_v2 extension in the linuxbridge agent.

Lajos Katona (lajos-katona) wrote :

I set it to Invalid as, if I understand correctly, the issue was in your config. Please open it again if you see more issues.

tags: added: fwaas
Changed in neutron:
status: New → Invalid