
yahoo-eng-team team mailing list archive

[Bug 1502917] Re: iptables rule generation doesn't match prefixes of /0, /32 and /128 correctly

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1502917

Title:
  iptables rule generation doesn't match prefixes of /0, /32 and /128
  correctly

Status in neutron:
  Fix Released

Bug description:
  We currently generate single host rules as just the IP address and /0
  rules for any address (for source and destination matching criteria).
  This is compatible with the input of iptables but it's not the way the
  rules are represented by iptables when they come back.

  Iptables eliminates the /0 rules completely because they aren't
  filtering criteria and it converts single IPs into /32 or /128
  depending on IP version.

  We need to generate the rules in the same fashion so the counter
  matching code can find them and not destroy the counters on every
  update.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1502917/+subscriptions
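
The normalization the bug description asks for, as an added example (not neutron's own code and not part of the original notification): prefixes are rendered the way iptables reports them back, so a string comparison against saved rules finds the existing counters. The function names, the chain name and the sample lines are assumptions made for illustration, as is the masking of host bits.

```python
import ipaddress

def canonical_prefix_args(flag, prefix):
    """Match arguments for prefix in the form iptables-save prints them.

    flag is "-s" or "-d". A /0 prefix filters nothing, so it yields no
    arguments; a bare address gets /32 (IPv4) or /128 (IPv6).
    """
    if not prefix:
        return []
    # strict=False also masks host bits (assumption beyond the bug text).
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return []
    return [flag, f"{net.network_address}/{net.prefixlen}"]

def build_rule(chain, src=None, dst=None, target="RETURN"):
    """Render one rule as a string comparable with iptables-save output."""
    parts = ["-A", chain]
    parts += canonical_prefix_args("-s", src)
    parts += canonical_prefix_args("-d", dst)
    return " ".join(parts + ["-j", target])

def carry_over_counters(new_rules, saved_lines):
    """Give each new rule the counters of the identical saved rule, else [0:0]."""
    saved = {}
    for line in saved_lines:
        counters, _, rule = line.partition("] ")  # "[pkts:bytes] -A ..."
        saved[rule] = counters + "]"
    return {rule: saved.get(rule, "[0:0]") for rule in new_rules}

# Constructed `iptables-save -c` lines; the chain name is hypothetical.
SAVED = [
    "[42:3360] -A sg-chain -s 10.0.0.5/32 -j RETURN",
    "[7:420] -A sg-chain -j RETURN",
]

if __name__ == "__main__":
    # Rules in the input form iptables accepts but never prints back.
    naive = ["-A sg-chain -s 10.0.0.5 -j RETURN",
             "-A sg-chain -s 0.0.0.0/0 -j RETURN"]
    fixed = [build_rule("sg-chain", src="10.0.0.5"),
             build_rule("sg-chain", src="0.0.0.0/0")]
    print(carry_over_counters(naive, SAVED))  # counters lost
    print(carry_over_counters(fixed, SAVED))  # counters preserved
```
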

