
yahoo-eng-team team mailing list archive

[Bug 1565534] Re: Metering agent reverses iptables NAT rules in POSTROUTING chain if it starts after the l3 agent


*** This bug is a duplicate of bug 1544508 ***
    https://bugs.launchpad.net/bugs/1544508

** This bug has been marked a duplicate of bug 1544508
   neutron-meter-agent - makes traffic between internal networks NATed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1565534

Title:
  Metering agent reverses iptables NAT rules in POSTROUTING chain if it
  starts after the l3 agent

Status in neutron:
  New

Bug description:
  Metering agent reverses iptables NAT rules in the POSTROUTING chain in
  the qrouter namespace if it starts after the l3 agent. The neutron-postrouting-
  bottom chain is placed before the neutron-l3-agent-POSTROUTING
  chain, resulting in east-west network traffic being address
  translated.

  Pre-condition:
  - enable the metering agent and configure it with the driver "neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver"
  - enable the l3 agent.
  - two tenant networks and one external network.

  How to reproduce:
  - create one router, connect two subnets in the above networks to the router, and set the external network as the router's gateway.
  - create two instances: ins-A and ins-B. ins-A joins one tenant network and ins-B joins the other one.
  - associate a floating ip with ins-A.
  - restart the metering agent.
  - ping ins-B's fixed ip from ins-A.
  - capture icmp packets on ins-B and you will receive packets whose source ip is the floating ip of ins-A.
  - inspect the iptables nat rules and you will find that the neutron-postrouting-bottom chain comes before the neutron-l3-agent-POSTROUTING chain:
  sudo ip netns exec qrouter-ROUTER-ID iptables-save -t nat
  ...
  -A POSTROUTING -j neutron-meter-POSTROUTING
  -A POSTROUTING -j neutron-postrouting-bottom
  -A POSTROUTING -j neutron-l3-agent-POSTROUTING
  ...

  Expected behavior:
  - east-west network traffic should not be address translated. ins-B should receive packets whose source ip is the fixed ip of ins-A.
  - the neutron-l3-agent-POSTROUTING chain should come before the neutron-postrouting-bottom chain.

  Affected versions:

  - I saw the issue in OpenStack Kilo, under Ubuntu 14.04. But
  according to the upstream code, the issue is still present in the
  master branch, in neutron/agent/linux/iptables_manager.py, in the
  function IptablesManager._modify_rules:

      our_chains_and_rules = our_chains + our_top_rules + our_bottom_rules

      # locate the position immediately after the existing chains to insert
      # our chains and rules
      rules_index = self._find_rules_index(new_filter)
      new_filter[rules_index:rules_index] = our_chains_and_rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1565534/+subscriptions
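As an added example (not part of the bug report or of neutron), a small Python check that parses the `iptables-save -t nat` output shown above and flags the chain misordering the report describes; the two sample dumps are constructed from the report's snippet, one in the broken order and one in the expected order.

```python
"""Detect neutron-postrouting-bottom being hit before neutron-l3-agent-POSTROUTING.

Feed it the output of `ip netns exec qrouter-<ID> iptables-save -t nat`.
The chain order is what the bug report identifies as the cause of east-west
traffic being SNATed after a metering-agent restart.
"""
import re

# Constructed sample dumps, built from the snippet in the bug report.
BROKEN_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-meter-POSTROUTING - [0:0]
:neutron-postrouting-bottom - [0:0]
-A POSTROUTING -j neutron-meter-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
COMMIT
"""

FIXED_DUMP = BROKEN_DUMP.replace(
    "-A POSTROUTING -j neutron-postrouting-bottom\n"
    "-A POSTROUTING -j neutron-l3-agent-POSTROUTING\n",
    "-A POSTROUTING -j neutron-l3-agent-POSTROUTING\n"
    "-A POSTROUTING -j neutron-postrouting-bottom\n",
)

# iptables-save appends rules as "-A <chain> [matches] -j <target>".
JUMP_RE = re.compile(r"^-A (?P<chain>\S+) .*?-j (?P<target>\S+)")


def postrouting_jumps(dump: str) -> list:
    """Return the jump targets of the built-in POSTROUTING chain, in rule order."""
    targets = []
    for line in dump.splitlines():
        m = JUMP_RE.match(line)
        if m and m.group("chain") == "POSTROUTING":
            targets.append(m.group("target"))
    return targets


def bottom_chain_before_l3_chain(dump: str) -> bool:
    """True when the bottom (SNAT) chain is evaluated before the l3 agent's chain."""
    jumps = postrouting_jumps(dump)
    if "neutron-postrouting-bottom" not in jumps or "neutron-l3-agent-POSTROUTING" not in jumps:
        return False  # one of the chains is absent; nothing to compare
    return jumps.index("neutron-postrouting-bottom") < jumps.index("neutron-l3-agent-POSTROUTING")


if __name__ == "__main__":
    print("broken:", bottom_chain_before_l3_chain(BROKEN_DUMP))  # True
    print("fixed: ", bottom_chain_before_l3_chain(FIXED_DUMP))   # False
```

Running the check before and after restarting the metering agent shows whether the restart reordered the POSTROUTING jumps in the router namespace.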

