yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1593354] [NEW] SNAT HA failed because of missing nat rule in snat namespace iptable

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Hao Chen <Chenh1987@xxxxxxxxx>
Date: Thu, 16 Jun 2016 17:45:18 -0000
Reply-to: Bug 1593354 <1593354@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Public bug reported:

I have a mitaka openstack deployment with neutron DVR enabled. When I
try to test the snat HA failover I found that even though the snat
namespace was created on the other backup node, it doesn't has any nat
rule in snat namespace iptable. And run "ip a" in the sant namespace you
will find the sg port is missing.

Here is what I found on the second neutron network node

sandy-pistachio:/opt/openstack # ip netns
qrouter-e25b81f9-8810-4654-9be0-ebac09c700fb
qdhcp-abe36e89-f7a5-4cbd-a7e4-852d80ed92d6
snat-e25b81f9-8810-4654-9be0-ebac09c700fb

sandy-pistachio:/opt/openstack # ip netns exec snat-e25b81f9-8810-4654-9be0-ebac09c700fb ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
70: qg-cc3b2f8c-b7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether fa:16:3e:cb:27:cd brd ff:ff:ff:ff:ff:ff
    inet 10.240.117.98/28 brd 10.240.117.111 scope global qg-cc3b2f8c-b7
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fecb:27cd/64 scope link 
       valid_lft forever preferred_lft forever

sandy-pistachio:/opt/openstack # ip netns exec snat-e25b81f9-8810-4654-9be0-ebac09c700fb iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
sandy-pistachio:/opt/openstack #

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1593354

Title:
  SNAT HA failed because of missing nat rule in snat namespace iptable

Status in neutron:
  New

Bug description:
  I have a mitaka openstack deployment with neutron DVR enabled. When I
  try to test the snat HA failover I found that even though the snat
  namespace was created on the other backup node, it doesn't has any nat
  rule in snat namespace iptable. And run "ip a" in the sant namespace
  you will find the sg port is missing.

  Here is what I found on the second neutron network node

  sandy-pistachio:/opt/openstack # ip netns
  qrouter-e25b81f9-8810-4654-9be0-ebac09c700fb
  qdhcp-abe36e89-f7a5-4cbd-a7e4-852d80ed92d6
  snat-e25b81f9-8810-4654-9be0-ebac09c700fb

  sandy-pistachio:/opt/openstack # ip netns exec snat-e25b81f9-8810-4654-9be0-ebac09c700fb ip a
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
      inet6 ::1/128 scope host 
         valid_lft forever preferred_lft forever
  70: qg-cc3b2f8c-b7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
      link/ether fa:16:3e:cb:27:cd brd ff:ff:ff:ff:ff:ff
      inet 10.240.117.98/28 brd 10.240.117.111 scope global qg-cc3b2f8c-b7
         valid_lft forever preferred_lft forever
      inet6 fe80::f816:3eff:fecb:27cd/64 scope link 
         valid_lft forever preferred_lft forever

  sandy-pistachio:/opt/openstack # ip netns exec snat-e25b81f9-8810-4654-9be0-ebac09c700fb iptables -L -n -v -t nat
  Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         

  Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         

  Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         

  Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         
  sandy-pistachio:/opt/openstack #

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1593354/+subscriptions
Follow ups

[Bug 1593354] Re: SNAT HA failed because of missing nat rule in snat namespace iptable
From: Swaminathan Vasudevan, 2016-10-07