yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1544508] [NEW] neutron-meter-agent - makes traffic between internal networks NATed

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Dmitry Sutyagin <dsutyagin@xxxxxxxxxxxx>
Date: Thu, 11 Feb 2016 11:19:24 -0000
Reply-to: Bug 1544508 <1544508@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

If neutron-meter-agent is installed and enabled, and a meter-label is
created, all traffic between internal networks becomes NATed, which is
unexpected and potentially causes firewall/routing issues. This happens
because meter-agent does not define stateless flag during iptables
initialization which later during _modify_rules in
agent/linux/iptables_manager.py results in moving the following rules:

before:
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom

after:
-A POSTROUTING -j neutron-postrouting-bottom
-A POSTROUTING -j neutron-l3-agent-POSTROUTING

The attached patch fixes the issue by setting "state_less=True" for
metering agent's iptables_manager.

** Affects: neutron
     Importance: Undecided
         Status: New

** Patch added: "fix_metering_agent_nat.patch"
   https://bugs.launchpad.net/bugs/1544508/+attachment/4569216/+files/fix_metering_agent_nat.patch

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1544508

Title:
  neutron-meter-agent - makes traffic between internal networks NATed

Status in neutron:
  New

Bug description:
  If neutron-meter-agent is installed and enabled, and a meter-label is
  created, all traffic between internal networks becomes NATed, which is
  unexpected and potentially causes firewall/routing issues. This
  happens because meter-agent does not define stateless flag during
  iptables initialization which later during _modify_rules in
  agent/linux/iptables_manager.py results in moving the following rules:

  before:
  -A POSTROUTING -j neutron-l3-agent-POSTROUTING
  -A POSTROUTING -j neutron-postrouting-bottom

  after:
  -A POSTROUTING -j neutron-postrouting-bottom
  -A POSTROUTING -j neutron-l3-agent-POSTROUTING

  The attached patch fixes the issue by setting "state_less=True" for
  metering agent's iptables_manager.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1544508/+subscriptions

Follow ups

[Bug 1544508] Re: neutron-meter-agent - makes traffic between internal networks NATed
From: OpenStack Infra, 2016-04-01