yahoo-eng-team team mailing list archive
Message #49037
[Bug 1565705] Re: iptables duplicate rule warning on ports with multiple security groups
Reviewed: https://review.openstack.org/301029
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=142b68f0757ab036d56bc9b4563b7a4481527deb
Submitter: Jenkins
Branch: master
commit 142b68f0757ab036d56bc9b4563b7a4481527deb
Author: Kevin Benton <kevin@xxxxxxxxxx>
Date: Fri Apr 1 01:53:10 2016 -0700
De-dup user-defined SG rules before iptables call
A port may be a member of multiple security groups. These
security groups may have duplicate rules between them
(e.g. they both allow all EGRESS traffic). If the iptables
manager is called with duplicated rules, it emits a warning
of a possible bug in the rule generation code because it
doesn't expect there to be duplicated rules.
This patch fixes this by de-duplicating user-defined security group
rules before dispatching the calls to the iptables_manager.
Change-Id: I98dbe60df1bcf68b9922deee63dd0328c4c10dd0
Closes-Bug: #1565705
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1565705
Title:
iptables duplicate rule warning on ports with multiple security groups
Status in neutron:
Fix Released
Bug description:
If ports are members of multiple security groups, there may be
duplicate rules when it comes time to convert them to iptables rules
(e.g. both groups have a rule to allow TCP port 80). This results in
warnings from the iptables manager detecting duplicate rules that hint
that there may be a bug.
For example:
WARNING neutron.agent.linux.iptables_manager [req-944a9996-062b-4588-9536-d5df779da344 - -] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-openvswi-oe4186b39-0 -j RETURN
This warning resulted from a port that was a member of two security groups that both allowed all EGRESS traffic.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1565705/+subscriptions
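The de-duplication described in the commit message, sketched as an added example that is not neutron's own code. The rule field names, the helper names and the sample rules are assumptions made for illustration; only the chain name is taken from the warning quoted above.

```python
# Added illustration, not neutron's code; every name below is hypothetical.
from collections import Counter

# Fields assumed to identify a rule record without changing what it matches.
IDENTITY_FIELDS = {"id", "security_group_id"}
EGRESS_CHAIN = "neutron-openvswi-oe4186b39-0"  # chain name from the warning above

def tcp(rule_id, sg, port):
    return {"id": rule_id, "security_group_id": sg, "direction": "ingress",
            "ethertype": "IPv4", "protocol": "tcp",
            "port_range_min": port, "port_range_max": port}

def all_egress(rule_id, sg):
    return {"id": rule_id, "security_group_id": sg,
            "direction": "egress", "ethertype": "IPv4"}

# Constructed sample: one port, two groups, overlapping rules.
PORT_RULES = [all_egress("r1", "sg-a"), tcp("r2", "sg-a", 80),
              all_egress("r3", "sg-b"), tcp("r4", "sg-b", 80), tcp("r5", "sg-b", 22)]

def rule_key(rule):
    """Hashable form of what the rule matches, ignoring identity fields."""
    return tuple(sorted((k, v) for k, v in rule.items()
                        if k not in IDENTITY_FIELDS and v is not None))

def dedup_rules(rules):
    """Drop rules that match the same traffic, keeping first-seen order."""
    seen, unique = set(), []
    for rule in rules:
        key = rule_key(rule)
        if key not in seen:
            seen.add(key)
            unique.append(rule)
    return unique

def egress_lines(rules):
    """Simplified rendering of the egress chain, one line per egress rule."""
    return [f"-A {EGRESS_CHAIN} " + (f"-p {r['protocol']} " if r.get("protocol") else "")
            + "-j RETURN" for r in rules if r["direction"] == "egress"]

def duplicate_lines(lines):
    """Lines that appear more than once, i.e. what would trigger the warning."""
    return [line for line, n in Counter(lines).items() if n > 1]

if __name__ == "__main__":
    print(duplicate_lines(egress_lines(PORT_RULES)))               # before de-dup
    print(duplicate_lines(egress_lines(dedup_rules(PORT_RULES))))  # after de-dup
```

Comparing on a canonical key rather than on the raw dicts is what lets two rules from different groups collapse into one even though their identifiers differ.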