yahoo-eng-team team mailing list archive

[Bug 1159898] Re: Duplicate rules allowed in IPTablesManager


It was decided to leave the iptables manager as it is.

** Changed in: neutron
       Status: Incomplete => Won't Fix

** Changed in: neutron
     Assignee: Salvatore Orlando (salvatore-orlando) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1159898

Title:
  Duplicate rules allowed in IPTablesManager

Status in OpenStack Neutron (virtual network service):
  Won't Fix

Bug description:
  The current implementation of the IPTables manager does not check
  whether a rule already exists before adding it.

  A consequence of this is that the l3 agent in some cases ends up
  adding SNAT rules twice. While this has no immediate effect, a problem
  arises when the external gateway is removed, as only one occurrence of
  such SNAT rules is removed; therefore the SNAT rule is still in place.

  This bug can be deterministically reproduced as follows:

  - create a router, add a router interface, and set the external network
  - check: ip netns exec qrouter-<router_id> iptables -nt nat --list
      * The SNAT rule for the router interface is there
  - restart l3 agent
  - check: ip netns exec qrouter-<router_id> iptables -nt nat --list
      * The SNAT rule is still there
  - clear the gateway for the router
  - check: ip netns exec qrouter-<router_id> iptables -nt nat --list
      * The SNAT rule is still there, and probably it should not have been there

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1159898/+subscriptions
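The mechanism described in the report (a rule appended twice, then removed once) is easy to check for from the outside. The following Python script is an added illustration, not code from Neutron or from the bug thread. It does two things: it counts duplicate `-A` rules in `iptables -t nat -S` style output, which is the check an operator can run inside the `qrouter-<router_id>` namespace after the steps above, and it replays the add / restart / clear-gateway sequence against a tiny rule-list model with and without an existence check. The sample output, the chain names and the addresses in it are constructed for the example and are not taken from the report.

```python
"""Detect duplicate iptables rules in `iptables -S` output and model why an
add-without-check manager leaves a stale rule after a single delete."""

from collections import Counter
from typing import Dict, List

# Constructed sample: roughly what `ip netns exec qrouter-<router_id>
# iptables -t nat -S` could print after the l3 agent applied the same SNAT
# rule twice. Chain names and addresses are illustrative only.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-snat
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-POSTROUTING -j neutron-l3-agent-snat
-A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 172.24.4.2
-A neutron-l3-agent-snat  -s 10.0.0.0/24 -j SNAT --to-source 172.24.4.2
"""


def normalize(rule: str) -> str:
    """Collapse whitespace so the same rule printed with different spacing
    compares equal."""
    return " ".join(rule.split())


def find_duplicate_rules(iptables_s_output: str) -> Dict[str, int]:
    """Return {rule: count} for every `-A` rule seen more than once.
    Policy (-P) and chain-declaration (-N) lines are ignored."""
    counts = Counter(
        normalize(line)
        for line in iptables_s_output.splitlines()
        if line.startswith("-A ")
    )
    return {rule: n for rule, n in counts.items() if n > 1}


class RuleTable:
    """Minimal model of one chain. `remove_rule` deletes a single occurrence,
    as `iptables -D` does, which is exactly why duplicates matter."""

    def __init__(self) -> None:
        self.rules: List[str] = []

    def add_rule(self, rule: str) -> None:
        """Append unconditionally: the behaviour the report describes."""
        self.rules.append(normalize(rule))

    def add_rule_checked(self, rule: str) -> bool:
        """Append only if absent (the equivalent of `iptables -C` before
        `-A`). Returns True when the rule was actually added."""
        rule = normalize(rule)
        if rule in self.rules:
            return False
        self.rules.append(rule)
        return True

    def remove_rule(self, rule: str) -> None:
        self.rules.remove(normalize(rule))  # removes only the first match


def replay_gateway_lifecycle(checked: bool) -> List[str]:
    """Set the gateway, restart the agent (rule re-applied), clear the
    gateway (one delete). Returns whatever is left in the chain."""
    snat = "-s 10.0.0.0/24 -j SNAT --to-source 172.24.4.2"  # constructed
    table = RuleTable()
    add = table.add_rule_checked if checked else table.add_rule
    add(snat)                # router interface added, external gateway set
    add(snat)                # l3 agent restarted, rule applied again
    table.remove_rule(snat)  # gateway cleared: a single delete
    return table.rules


if __name__ == "__main__":
    for rule, n in find_duplicate_rules(SAMPLE_NAT_RULES).items():
        print(f"{n}x {rule}")
    print("without check:", replay_gateway_lifecycle(checked=False))
    print("with check:   ", replay_gateway_lifecycle(checked=True))
```

Feeding the real namespace output into `find_duplicate_rules` (for example via `subprocess.run(["ip", "netns", "exec", "qrouter-<router_id>", "iptables", "-t", "nat", "-S"], capture_output=True, text=True).stdout`) gives a quick way to confirm whether a deployment is affected before and after an agent restart. The replay shows the two outcomes side by side: without the existence check one SNAT rule survives the gateway removal; with it the chain ends up empty.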