yahoo-eng-team team mailing list archive
Message #48908
[Bug 1565534] [NEW] Metering agent reverses iptable's NAT rules in POSTROUTING chain if starts after l3 agent
Public bug reported:
The metering agent reverses iptables NAT rules in the POSTROUTING chain of the
qrouter namespace if it starts after the l3 agent. The neutron-postrouting-bottom
chain ends up before the neutron-l3-agent-POSTROUTING chain, with the result that
east-west network traffic is address translated.
Pre-conditions:
- enable the metering agent and configure it with the driver "neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver"
- enable the l3 agent.
- two tenant networks and one external network.
How to reproduce:
- create one router, connect one subnet from each of the above tenant networks to the router, and set the external network as the router's gateway.
- create two instances, ins-A and ins-B. ins-A joins one tenant network and ins-B joins the other.
- associate a floating ip with ins-A.
- restart the metering agent.
- ping ins-B's fixed ip from ins-A.
- capture icmp packets on ins-B: you will receive packets whose source ip is the floating ip of ins-A.
- look at the iptables nat rules and you will find the neutron-postrouting-bottom chain placed before the neutron-l3-agent-POSTROUTING chain:
sudo ip netns exec qrouter-ROUTER-ID iptables-save -t nat
...
-A POSTROUTING -j neutron-meter-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
...
Expected behavior:
- east-west network traffic should not be address translated. ins-B should receive packets whose source ip is the fixed ip of ins-A.
- the neutron-l3-agent-POSTROUTING chain should come before the neutron-postrouting-bottom chain.
Affected versions:
- I saw the issue in OpenStack Kilo, under Ubuntu 14.04. But according
to the upstream code, the issue is still present in the master branch,
in neutron/agent/linux/iptables_manager.py, in function
IptablesManager._modify_rules:
our_chains_and_rules = our_chains + our_top_rules + our_bottom_rules
# locate the position immediately after the existing chains to insert
# our chains and rules
rules_index = self._find_rules_index(new_filter)
new_filter[rules_index:rules_index] = our_chains_and_rules
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1565534
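As an added example (not neutron's code and not part of the bug report), the following models the splice quoted from IptablesManager._modify_rules, which inserts each agent's chains and jump rules at the same index right after the existing chain definitions, so whichever agent writes last lands on top; it also includes a checker that parses `iptables-save -t nat` output for the reported misordering. The _find_rules_index model, the per-agent rule sets and the omission of neutron's own de-duplication of repeated lines are assumptions.

```python
import re

def find_rules_index(table):
    """Index just past the last ':CHAIN' line (models IptablesManager._find_rules_index)."""
    index = 0
    for i, line in enumerate(table):
        if line.startswith(":"):
            index = i + 1
    return index

def apply_agent_rules(table, our_chains, our_rules):
    """Splice one agent's chains and jump rules in right after the existing chains,
    where the quoted _modify_rules code inserts them. Real neutron also removes that
    agent's stale lines and de-duplicates; this simplified model omits both (assumption)."""
    new_filter = list(table)
    rules_index = find_rules_index(new_filter)
    new_filter[rules_index:rules_index] = our_chains + our_rules
    return new_filter

def postrouting_jump_order(nat_lines):
    """Targets of '-A POSTROUTING ... -j <target>' rules, in the order iptables evaluates them."""
    matches = (re.match(r"-A POSTROUTING\b.* -j (\S+)", line.strip()) for line in nat_lines)
    return [m.group(1) for m in matches if m]

def bottom_chain_misordered(nat_lines):
    """True when neutron-postrouting-bottom is jumped to before neutron-l3-agent-POSTROUTING,
    the ordering that lets east-west traffic be source-NATed to the floating ip."""
    order = postrouting_jump_order(nat_lines)
    l3, bottom = "neutron-l3-agent-POSTROUTING", "neutron-postrouting-bottom"
    return l3 in order and bottom in order and order.index(bottom) < order.index(l3)

# Constructed inputs: an empty nat table plus each agent's chains and jump rules.
BASE_NAT = ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", "COMMIT"]
L3_CHAINS = [":neutron-l3-agent-POSTROUTING - [0:0]", ":neutron-postrouting-bottom - [0:0]"]
L3_RULES = ["-A POSTROUTING -j neutron-l3-agent-POSTROUTING",
            "-A POSTROUTING -j neutron-postrouting-bottom"]
METER_CHAINS = [":neutron-meter-POSTROUTING - [0:0]"]
METER_RULES = ["-A POSTROUTING -j neutron-meter-POSTROUTING",
               "-A POSTROUTING -j neutron-postrouting-bottom"]
# The POSTROUTING jumps exactly as captured in the bug report above.
REPORTED_NAT = ["-A POSTROUTING -j neutron-meter-POSTROUTING",
                "-A POSTROUTING -j neutron-postrouting-bottom",
                "-A POSTROUTING -j neutron-l3-agent-POSTROUTING"]

def simulate(meter_after_l3):
    """Apply both agents' rule sets in the given start order and return the nat table."""
    first, second = (L3_CHAINS, L3_RULES), (METER_CHAINS, METER_RULES)
    if not meter_after_l3:
        first, second = second, first
    return apply_agent_rules(apply_agent_rules(BASE_NAT, *first), *second)
```

Running `bottom_chain_misordered` over the output of `ip netns exec qrouter-ROUTER-ID iptables-save -t nat` is a quick way to confirm whether a router namespace is in the reported state.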