
yahoo-eng-team team mailing list archive

[Bug 1593011] [NEW] missing iptables rules when setting a network from down to up

 

Public bug reported:

We are using Liberty and running into the following problem.
1. Bring up a network and bring up the first VM; this VM gets its IP from DHCP.
2. Set this network to down.
3. Bring up another VM; this VM won't get its IP address because the DHCP namespace doesn't have its IP address any more.
4. Set the network to up; the DHCP namespace gets its IP (sometimes it is a new IP).
5. Reboot the second VM; the VM still won't get its IP address. The reason is a missing iptables rule.

The 2nd VM's iptables rules (the RETURN udp rule is missing):
[root@overcloud-compute-1 log]# iptables -L | grep neutron-bsn-agen-i1a81d969-0 -A10
Chain neutron-bsn-agen-i1a81d969-0 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere             match-set NIPv4d245ec59-449a-42eb-92ac- src
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-bsn-agen-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */


The 1st VM's iptables rules:
[root@overcloud-compute-1 log]# iptables -L | grep neutron-bsn-agen-i1b789c4c-b -A10
Chain neutron-bsn-agen-i1b789c4c-b (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  1.98.1.3             anywhere             udp spt:bootps udp dpt:bootpc
RETURN     all  --  anywhere             anywhere             match-set NIPv4d245ec59-449a-42eb-92ac- src
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-bsn-agen-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1593011

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1593011/+subscriptions
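The check a practitioner would want for the report above, written as an added example that is not part of the bug report and not Neutron's own code: it parses `iptables -L` output for the per-port security-group chains and reports which chains have no RETURN rule for DHCP server-to-client traffic (udp bootps to bootpc from the DHCP namespace address). The sample input is constructed from the two chains quoted in the report, with the long rule comments trimmed. Two assumptions are made: that chains named with the `-i<port id>` prefix are the per-port ingress chains (as they are in the quoted output), and that the stop-gap repair command should reproduce the rule seen on the healthy chain. Because a per-port chain ends in DROP/fallback, the missing allow rule fails closed: the VM never sees a DHCP offer, which is exactly what the report describes.

```python
"""Audit Neutron per-port security-group chains for the DHCP RETURN rule.

Added example (not Neutron code): parses `iptables -L` output like the two
chains quoted in the bug report and reports port chains that lack the
"udp spt:bootps dpt:bootpc from <dhcp server>" RETURN rule.
"""
import re

# Constructed sample input: the two chains from the bug report, with the long
# rule comments trimmed to "/* ... */". Feed real `iptables -L` output instead.
SAMPLE = """\
Chain neutron-bsn-agen-i1a81d969-0 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* ... */
RETURN     all  --  anywhere             anywhere             match-set NIPv4d245ec59-449a-42eb-92ac- src
DROP       all  --  anywhere             anywhere             state INVALID /* ... */
neutron-bsn-agen-sg-fallback  all  --  anywhere             anywhere             /* ... */

Chain neutron-bsn-agen-i1b789c4c-b (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* ... */
RETURN     udp  --  1.98.1.3             anywhere             udp spt:bootps udp dpt:bootpc
RETURN     all  --  anywhere             anywhere             match-set NIPv4d245ec59-449a-42eb-92ac- src
DROP       all  --  anywhere             anywhere             state INVALID /* ... */
neutron-bsn-agen-sg-fallback  all  --  anywhere             anywhere             /* ... */
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(\d+ references\)")
# Accept the symbolic names from `iptables -L` and the numbers from `iptables -L -n`.
DHCP_RULE_RE = re.compile(
    r"^RETURN\s+udp\s+--\s+(?P<src>\S+)\s+\S+\s+"
    r"udp spt:(?:bootps|67)\s+(?:udp\s+)?dpt:(?:bootpc|68)"
)


def parse_chains(text):
    """Map each chain name to its rule lines (header and blank lines dropped)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line)
    return chains


def dhcp_servers_allowed(rules):
    """Source addresses that have a bootps->bootpc RETURN rule in this chain."""
    return [m.group("src") for m in map(DHCP_RULE_RE.match, rules) if m]


def audit(text, port_chain_prefix="neutron-bsn-agen-i"):
    """{port ingress chain: [allowed DHCP servers]}. The prefix is an assumption
    taken from the report: the '-i<port id>' chains are the per-port ingress chains."""
    return {name: dhcp_servers_allowed(rules)
            for name, rules in parse_chains(text).items()
            if name.startswith(port_chain_prefix)}


def missing_dhcp_rule(text, port_chain_prefix="neutron-bsn-agen-i"):
    """Port chains with no DHCP RETURN rule at all. Because the chain falls
    through to DROP/fallback, a VM behind such a chain never sees a DHCP offer."""
    return sorted(name for name, servers in audit(text, port_chain_prefix).items()
                  if not servers)


def repair_command(chain, dhcp_server):
    """Stop-gap iptables command reproducing the healthy chain's rule at
    position 2 (right after RELATED,ESTABLISHED). Neutron rewrites its own
    chains on the next sync, so this confirms the diagnosis rather than fixing it."""
    return (f"iptables -I {chain} 2 -s {dhcp_server} -p udp "
            f"--sport 67 --dport 68 -j RETURN")


if __name__ == "__main__":
    report = audit(SAMPLE)
    for chain, servers in report.items():
        print(chain, "DHCP servers allowed:", servers or "NONE")
    # Use the server address seen on a healthy chain to build the repair command.
    known = sorted({s for servers in report.values() for s in servers})
    for chain in missing_dhcp_rule(SAMPLE):
        for server in known:
            print(repair_command(chain, server))
```

Run against `iptables -L` output from the compute node, the audit also lists which DHCP server address each chain allows, so a rule that is present but points at a stale address (the report notes the namespace sometimes comes back with a new IP) can be compared with the current address of the network's DHCP port. Any rule inserted by hand into a Neutron-managed chain is removed the next time the agent regenerates that chain.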

