yahoo-eng-team team mailing list archive

[Bug 1566007] Re: l3 iptables floating IP rules don't match iptables rules

Reviewed:  https://review.openstack.org/301335
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b8d520ffe2afbffe26b554bff55165531e36e758
Submitter: Jenkins
Branch:    master

commit b8d520ffe2afbffe26b554bff55165531e36e758
Author: Kevin Benton <kevin@xxxxxxxxxx>
Date:   Fri Apr 1 02:42:54 2016 -0700

    L3 agent: match format used by iptables
    
    This fixes the iptables rules generated by the L3 agent
    (SNAT, DNAT, set-mark and metadata), and the DHCP agent
    (checksum-fill) to match the format that will be returned
    by iptables-save to prevent excessive extra replacement
    work done by the iptables manager.
    
    It also fixes the iptables test that was not passing the
    expected arguments (-p PROTO -m PROTO) for block rules.
    
    A simple test was added to the L3 agent to ensure that the
    rules have converged during the normal lifecycle tests.
    
    Closes-Bug: #1566007
    Change-Id: I5e8e27cdbf0d0448011881614671efe53bb1b6a1


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1566007

Title:
  l3 iptables floating IP rules don't match iptables rules

Status in neutron:
  Fix Released

Bug description:
  The floating IP translation rules generated by the l3 agent do not
  match the format in which they are returned by iptables. This causes
  the iptables diffing code to think they are different and replace
  every one of them on an iptables apply call, which is very expensive.

  See https://gist.github.com/busterswt/479e4e5484df7e91017da48b38fa5814
  for an example diff.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1566007/+subscriptions
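
The mismatch described in the bug, as an added example that is not part of the original message and is not neutron's code: a simplified text-based rule diff, using the `-p PROTO -m PROTO` form named in the commit message. The chain name, the sample rules and all function names are hypothetical and constructed for illustration.

```python
# Simplified model of text-based rule diffing; not neutron's iptables manager.

# Constructed sample: rules as read back from the saved ruleset.
SAVED = [
    "-A example-in -p tcp -m tcp --dport 9697 -j DROP",
    "-A example-in -p udp -m udp --dport 53 -j ACCEPT",
]
# Constructed sample: the same rules as a generator might write them.
GENERATED = [
    "-A example-in -p tcp --dport 9697 -j DROP",
    "-A example-in -p udp --dport 53 -j ACCEPT",
]


def plan_changes(desired, saved):
    """Return (to_add, to_remove) by comparing rule text exactly."""
    saved_set, desired_set = set(saved), set(desired)
    to_add = [r for r in desired if r not in saved_set]
    to_remove = [r for r in saved if r not in desired_set]
    return to_add, to_remove


def converged(desired, saved):
    """True when a further apply would change nothing."""
    to_add, to_remove = plan_changes(desired, saved)
    return not to_add and not to_remove


def add_protocol_match(rule):
    """Insert '-m PROTO' after '-p PROTO' when a port option follows
    and the explicit match is missing, so the text equals the saved form."""
    tokens = rule.split()
    out, i = [], 0
    while i < len(tokens):
        out.append(tokens[i])
        if tokens[i] == "-p" and i + 1 < len(tokens):
            proto = tokens[i + 1]
            out.append(proto)
            i += 2
            uses_ports = any(t in ("--dport", "--sport") for t in tokens[i:])
            has_match = tokens[i:i + 2] == ["-m", proto]
            if proto in ("tcp", "udp") and uses_ports and not has_match:
                out += ["-m", proto]
            continue
        i += 1
    return " ".join(out)
```

With the short form, `plan_changes(GENERATED, SAVED)` schedules every rule for removal and re-adding on each apply; once the generator emits the saved form, `converged` returns true and the apply becomes a no-op.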
