
yahoo-eng-team team mailing list archive

[Bug 1502906] [NEW] fallback accept rule in iptables is added after every port


Public bug reported:

The fallback accept rule in the iptables rule generation is added after
every port. This would normally break the filtering since none of the
ports would make it beyond the ACCEPT, but we have duplicate rule
removal logic that just happens to get rid of the extras right before
they are applied.[1]

Fortunately this is not a user-impacting bug right now (by accident), but
it is a performance waste and a bug waiting to happen.

1. https://github.com/openstack/neutron/blob/e805d7a73a30ebaf194326e1de56cebb04137274/neutron/agent/linux/iptables_manager.py#L640

** Affects: neutron
     Importance: Undecided
     Assignee: Kevin Benton (kevinbenton)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Kevin Benton (kevinbenton)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1502906

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1502906/+subscriptions
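The behaviour reported above, as an added illustration that is not neutron's own code: a simplified model of a shared chain that jumps to each port's chain and then falls through to a fallback ACCEPT, walked with iptables first-match semantics, plus a duplicate-removal pass. The generation loop, the "last occurrence wins" ordering of the dedup pass and the per-port verdicts are assumptions of this model, not details taken from the linked source.

```python
# Constructed model of the bug: rules are (match, target) pairs. `match` is the
# port id the rule applies to, or None for a catch-all; `target` is either a
# jump into that port's own chain or a final verdict.

def build_shared_chain(ports, accept_per_port):
    """Build the shared dispatch chain. accept_per_port=True reproduces the
    reported generation bug: the fallback ACCEPT is appended after every
    port instead of once at the end (assumed shape, not neutron's code)."""
    rules = []
    for port in ports:
        rules.append((port, "jump:" + port))
        if accept_per_port:
            rules.append((None, "ACCEPT"))
    if not accept_per_port:
        rules.append((None, "ACCEPT"))
    return rules

def dedup(rules, keep="last"):
    """Drop exact duplicate rules, keeping the first or the last occurrence.
    Assumption: the neutron logic cited at [1] keeps the last one, which is
    what accidentally pushes the surviving ACCEPT to the end of the chain."""
    seq = rules[::-1] if keep == "last" else rules
    seen, out = set(), []
    for rule in seq:
        if rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out[::-1] if keep == "last" else out

def evaluate(rules, port, port_chain_verdict):
    """First-match walk of the shared chain for a packet belonging to `port`.
    A jump runs the port's own chain, which yields `port_chain_verdict`;
    "RETURN" means that chain had no verdict and the walk continues."""
    for match, target in rules:
        if match is not None and match != port:
            continue
        if target.startswith("jump:"):
            if port_chain_verdict != "RETURN":
                return port_chain_verdict
            continue
        return target
    return "DROP"  # model: default chain policy

def filtering_applied(rules, ports):
    """True only if every port's own chain is reached, i.e. a DROP decided
    in that chain is honoured rather than pre-empted by the fallback ACCEPT."""
    return all(evaluate(rules, p, "DROP") == "DROP" for p in ports)
```

With two ports, the buggy chain lets the second port's traffic hit the first ACCEPT before its own chain is consulted; dedup keeping the last occurrence yields exactly the correct chain, while a dedup keeping the first occurrence would expose the bug.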