
yahoo-eng-team team mailing list archive

[Bug 1421772] [NEW] neutron-openvswitch-agent says Tried to generate an ipset iptable rule for a security group rule even in normal operation

 

Public bug reported:

Lots of messages like these can be seen in normal operation:

2015-02-12 20:03:28.775 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:19.873 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:21.742 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.

The logic of this log message is broken, and should be removed.

Because we can actually generate an iptable rule referencing a set which doesn't exist yet,
as long as we don't try to push the iptables before creating the sets, in which case
iptables-restore would fail, and that's OK enough.

I will submit a patch to remove the message logic.

** Affects: neutron
     Importance: Undecided
     Assignee: Miguel Angel Ajo (mangelajo)
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1421772

Title:
  neutron-openvswitch-agent says  Tried to generate an ipset iptable
  rule for a security group rule  even in normal operation

Status in OpenStack Neutron (virtual network service):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1421772/+subscriptions
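
An added triage example, not part of the bug report or of Neutron's code: it groups the message quoted in the report by ipset name, so an operator can separate it from other ERROR records in the agent log. The function name `triage` and the third sample line are constructed for illustration; the first two sample lines are copied from the report.

```python
import ast
import re
from collections import defaultdict

# First two lines are copied from the report above; the third is constructed
# to show that unrelated ERROR records are kept apart for normal triage.
SAMPLE_LOG = """\
2015-02-12 20:03:28.775 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:19.873 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:13:00.001 ERROR neutron.agent.linux.iptables_firewall [req-00000000-0000-0000-0000-000000000000 None None] Constructed unrelated failure
"""

PATTERN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ERROR "
    r"neutron\.agent\.linux\.iptables_firewall \[(?P<req>req-[0-9a-f-]+)[^\]]*\] "
    r"Tried to generate an ipset iptable rule for a security group rule "
    r"\((?P<rule>\{.*\})\) referencing an ipset \((?P<ipset>[^)]+)\) "
    r"which doesn't exist yet\.$"
)

def triage(log_text):
    """Group the reported message by ipset; return (groups, other_errors)."""
    groups = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "consistent": True})
    other = []
    for line in log_text.splitlines():
        m = PATTERN.match(line.strip())
        if not m:
            if " ERROR " in line:
                other.append(line)  # not this message: needs a real look
            continue
        # The rule is a Python 2 dict repr; literal_eval accepts the u'' prefix.
        rule = ast.literal_eval(m["rule"])
        ipset, et = m["ipset"], rule.get("ethertype", "")
        # In the report's lines the set name is the ethertype followed by a
        # prefix of remote_group_id; flag records where that does not hold.
        ok = ipset.startswith(et) and rule.get(
            "remote_group_id", "").startswith(ipset[len(et):])
        g = groups[ipset]
        g["count"] += 1
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
        g["consistent"] = g["consistent"] and ok
    return dict(groups), other

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```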

