nova-network fails to ensure iptables rules if none exist

Bug #1107214 reported by Francois Eleouet
This bug affects 2 people
Affects: OpenStack Compute (nova) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

This bug was introduced by commit f0539d49271df76222740f76d1b51188ee51a1c3

If some iptables tables don't contain any rule, IptablesManager fails to apply rules in linux_net.py.

When no rules are present in a table, it is omitted from iptables-save output. "_find_table" will consequently fail, resulting in an error while attempting to push inconsistent rules with iptables-restore.

Revision history for this message
Francois Eleouet (fanchon) wrote :

Actually, the previous description was inaccurate: iptables-save won't output information about a specific table if the corresponding kernel module isn't loaded.

Running any iptables operation on a table will load the corresponding module and make it appear in iptables-save output.

Flushing a table and removing the corresponding kernel module will remove it from iptables-save output, so that IptablesManager will fail to append a rule in the corresponding table.

Revision history for this message
Ionuț Arțăriși (mapleoin) wrote :

I ran into the same problem, but I'm not sure what the correct fix is. It sounds like the correct behavior is to just run iptables -c -t for each table explicitly (like before the commit above) rather than skipping over tables that don't appear in the iptables -c output?

Regardless, the except ValueError: branch in the _find_table method should be removed. That's what's currently masking this problem. Having special cases in application code only to deal with tests is bad practice.
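The parsing failure discussed in this thread, as an added example that is not nova's linux_net.py and not code from either commenter: split `iptables-save -c` output into per-table blocks, fail loudly (instead of silently returning an empty range) when a table is absent from the dump, and synthesize an empty block for the missing table so rules can still be appended and the result fed to iptables-restore. The sample dump is constructed; `MissingTable`, `parse_tables`, `ensure_tables`, `add_rule` and `render` are hypothetical names, and the built-in chain lists are assumed for a 3.x-era kernel.

```python
"""Parse `iptables-save -c` output and cope with a table that is missing
from the dump because its kernel module is not loaded.

Added example, not nova's IptablesManager. The sample dump below is
constructed: `filter` is present, `nat` is absent (iptable_nat not loaded).
"""

SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.12 on Sat Jan 26 12:00:00 2013
*filter
:INPUT ACCEPT [10:800]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:960]
[0:0] -A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Sat Jan 26 12:00:00 2013
"""

# Built-in chains per table (assumed for a 3.x kernel; nat gained INPUT in 2.6.34).
BUILTIN_CHAINS = {
    'filter': ['INPUT', 'FORWARD', 'OUTPUT'],
    'nat': ['PREROUTING', 'INPUT', 'OUTPUT', 'POSTROUTING'],
    'mangle': ['PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING'],
}


class MissingTable(Exception):
    """Raised when a table we need to manage is not in the iptables-save dump."""


def parse_tables(dump):
    """Return {table_name: [lines]} where each block runs from '*name' to 'COMMIT'.

    Comment lines outside a block ('# Generated ...') are ignored, so an
    empty dump (no netfilter modules loaded at all) yields an empty dict.
    """
    tables = {}
    current = None
    for line in dump.splitlines():
        if line.startswith('*'):
            current = line[1:]
            tables[current] = [line]
        elif current is not None:
            tables[current].append(line)
            if line == 'COMMIT':
                current = None
    return tables


def find_table(tables, name):
    """Look a table up by name; a missing table is an error, not (0, 0)."""
    if name not in tables:
        raise MissingTable(name)
    return tables[name]


def empty_table(name):
    """Synthesize the block iptables-save prints for a table with no rules:
    header, built-in chains with ACCEPT policy and zero counters, COMMIT."""
    lines = ['*%s' % name]
    for chain in BUILTIN_CHAINS[name]:
        lines.append(':%s ACCEPT [0:0]' % chain)
    lines.append('COMMIT')
    return lines


def ensure_tables(tables, wanted):
    """Add an empty block for every wanted table absent from the dump, so a
    later iptables-restore input is complete and consistent."""
    for name in wanted:
        if name not in tables:
            tables[name] = empty_table(name)
    return tables


def add_rule(tables, table, chain, rule):
    """Append a rule (with zeroed counters) just before the table's COMMIT."""
    block = find_table(tables, table)
    block.insert(len(block) - 1, '[0:0] -A %s %s' % (chain, rule))


def render(tables):
    """Serialize all blocks back into iptables-restore input."""
    return '\n'.join(line for name in tables for line in tables[name]) + '\n'


if __name__ == '__main__':
    parsed = parse_tables(SAMPLE_DUMP)
    try:
        find_table(parsed, 'nat')
    except MissingTable as exc:
        print('table missing from dump: %s' % exc)
    ensure_tables(parsed, ['filter', 'nat'])
    add_rule(parsed, 'nat', 'POSTROUTING', '-s 10.0.0.0/24 -j MASQUERADE')
    print(render(parsed))
```

Synthesizing the block only fixes the restore input; the other way round the problem, as noted above, is to touch each managed table first (for example `iptables -t nat -L -n`), which loads the module and makes the table appear in the next iptables-save output.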

