
yahoo-eng-team team mailing list archive

[Bug 1565705] [NEW] iptables duplicate rule warning on ports with multiple security groups

 

Public bug reported:

If ports are members of multiple security groups, there may be duplicate
rules when it comes time to convert them to iptables rules (e.g. both
groups have a rule to allow TCP port 80). This results in warnings from
the iptables manager detecting duplicate rules that hint that there may
be a bug.

For example:

WARNING neutron.agent.linux.iptables_manager [req-
944a9996-062b-4588-9536-d5df779da344 - -] Duplicate iptables rule
detected. This may indicate a bug in the the iptables rule generation
code. Line: -A neutron-openvswi-oe4186b39-0 -j RETURN


This warning resulted from a port that was a member of two security groups that both allowed all EGRESS traffic.

** Affects: neutron
     Importance: Undecided
     Assignee: Kevin Benton (kevinbenton)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Kevin Benton (kevinbenton)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1565705

Title:
  iptables duplicate rule warning on ports with multiple security groups

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1565705/+subscriptions
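
Added example, not part of the original bug report and not Neutron's code: a minimal Python sketch of how a port in two security groups yields identical rendered iptables lines, how those repeats can be detected, and how they can be dropped before the lines are applied. The group names, rule fields and chain names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: the security groups attached to one port.
# Field names are illustrative and do not follow Neutron's schema.
SECURITY_GROUPS = {
    "sg-web": [
        {"direction": "egress", "protocol": None, "port": None},   # allow all egress
        {"direction": "ingress", "protocol": "tcp", "port": 80},
    ],
    "sg-default": [
        {"direction": "egress", "protocol": None, "port": None},   # allow all egress
        {"direction": "ingress", "protocol": "tcp", "port": 80},
        {"direction": "ingress", "protocol": "tcp", "port": 22},
    ],
}


def to_iptables(rule, port_id="PORT"):
    """Render one rule as a simplified iptables append line (placeholder chains)."""
    chain = "sg-%s%s" % ("o" if rule["direction"] == "egress" else "i", port_id)
    args = []
    if rule["protocol"]:
        args += ["-p", rule["protocol"]]
    if rule["port"] is not None:
        args += ["--dport", str(rule["port"])]
    return " ".join(["-A", chain] + args + ["-j", "RETURN"])


def render_port_rules(group_names, dedupe=False):
    """Flatten the rules of every group on the port into iptables lines."""
    lines = [to_iptables(r) for g in group_names for r in SECURITY_GROUPS[g]]
    if dedupe:
        # An identical later line can never match first, so dropping it
        # leaves the chain's verdicts unchanged. dict keeps first-seen order.
        lines = list(dict.fromkeys(lines))
    return lines


def find_duplicates(lines):
    """Return each rendered line that appears more than once."""
    return [line for line, count in Counter(lines).items() if count > 1]


if __name__ == "__main__":
    raw = render_port_rules(["sg-web", "sg-default"])
    for line in find_duplicates(raw):
        print("duplicate:", line)
    print("\n".join(render_port_rules(["sg-web", "sg-default"], dedupe=True)))
```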
