yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1502906] Re: fallback accept rule in iptables is added after every port

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Doug Hellmann <doug@xxxxxxxxxxxxxxxx>
Date: Thu, 03 Dec 2015 21:06:30 -0000
Reply-to: Bug 1502906 <1502906@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1502906

Title:
  fallback accept rule in iptables is added after every port

Status in neutron:
  Fix Released

Bug description:
  the fallback accept rule in the iptables rule generation is added
  after every port. This would normally break the filtering since none
  of the ports would make it beyond the ACCEPT, but we have duplicate
  rule removal logic that just happens to get rid of the extras right
  before they are applied.[1]

  Fortunately this is not user-impacting bug right now (by accident),
  but it is a performance waste and a bug waiting to happen.

  1.
  https://github.com/openstack/neutron/blob/e805d7a73a30ebaf194326e1de56cebb04137274/neutron/agent/linux/iptables_manager.py#L640

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1502906/+subscriptions

References

[Bug 1502906] [NEW] fallback accept rule in iptables is added after every port
From: Kevin Benton, 2015-10-05