yahoo-eng-team team mailing list archive

[Bug 1549513] Re: Feature specific code should be moved out of iptables_manager

 

Reviewed:  https://review.openstack.org/288828
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=24f95f4877a72176be2bbe57120306ef5a847297
Submitter: Jenkins
Branch:    master

commit 24f95f4877a72176be2bbe57120306ef5a847297
Author: Hong Hui Xiao <xiaohhui@xxxxxxxxxx>
Date:   Sat Mar 5 00:58:08 2016 +0000

    Move address scope specific code out of iptables_manager
    
    iptables_manager will be used by many features including security
    groups, FWaaS, metering. The address scope specific code should be
    moved out of iptables_manager, so that other features will not get
    the iptables rules that they will not use. For example, dhcp namespace
    will not have the address scope iptables rules.
    
    The change to the test code to adapt the change at [1] has also been
    reverted in this patch. Instead, a couple of new test cases are added.
    
    [1] https://review.openstack.org/#/c/270001/
    
    Change-Id: Ifc8e7a381f8ab005a9e0216532cc7d0e7378c025
    Closes-Bug: #1549513


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1549513

Title:
  Feature specific code should be moved out of iptables_manager

Status in neutron:
  Fix Released

Bug description:
  In neutron/agent/linux/iptables_manager.py, wrapped chains and rules
  specific to the address scope feature were added to __init__, lines
  393 to 434 as part of https://review.openstack.org/#/c/270001/.

  These chains and rules should be moved out of iptables_manager.py,
  since iptables_manager.py is used by many features including security
  groups, FWaaS, metering.

  With the current code, each new feature using a separate instance of
  IptablesManager with a different wrap_name will create a separate copy
  of these chains and rules.

  It is not clear if there is any functional impact. The '-j CONNMARK
  --restore-mark' rule in mangle PREROUTING would be reapplied by each
  feature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1549513/+subscriptions
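
Added example, not part of the original bug report or of the neutron code base: a check over `iptables-save` output for the duplication the bug description raises, counting the `-j CONNMARK --restore-mark` rules that mangle PREROUTING reaches through per-feature wrapped chains. The `<wrap_name>-PREROUTING` chain naming, the wrap names `feature-a` and `feature-b`, and the sample dump are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed iptables-save excerpt (not captured from a real host). The wrap
# names and the "<wrap_name>-PREROUTING" chain naming are assumptions.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:feature-a-PREROUTING - [0:0]
:feature-b-PREROUTING - [0:0]
-A PREROUTING -j feature-a-PREROUTING
-A PREROUTING -j feature-b-PREROUTING
-A feature-a-PREROUTING -j CONNMARK --restore-mark
-A feature-b-PREROUTING -j CONNMARK --restore-mark
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j feature-a-INPUT
COMMIT
"""

RULE = re.compile(r"^-A (\S+) (.*)$")
SUFFIX = "-PREROUTING"


def restore_mark_copies(dump):
    """Return {wrap_name: count} of restore-mark rules reached from mangle PREROUTING."""
    table, jumped, found = None, set(), defaultdict(int)
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*mangle", "*filter", ... starts a table
            table = line[1:]
            continue
        match = RULE.match(line)
        if table != "mangle" or not match:
            continue
        chain, spec = match.groups()
        if chain == "PREROUTING":         # built-in chain: record jumps to wrapped chains
            target = re.search(r"-j (\S+)-PREROUTING$", spec)
            if target:
                jumped.add(target.group(1))
        elif chain.endswith(SUFFIX) and "-j CONNMARK --restore-mark" in spec:
            found[chain[: -len(SUFFIX)]] += 1
    # A wrapped chain that PREROUTING never jumps to is not on the packet path.
    return {wrap: n for wrap, n in found.items() if wrap in jumped}


def duplicated_wraps(dump):
    """Wrap names holding a copy of the rule, if more than one wrap holds one."""
    copies = restore_mark_copies(dump)
    return sorted(copies) if len(copies) > 1 else []
```

On a real host the input would be the text of `iptables-save` taken inside the relevant namespace; an empty list from `duplicated_wraps` means at most one wrap carries the rule.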
