yahoo-eng-team team mailing list archive

[Bug 1664782] [NEW] iptables manager wrongly deletes other agents' rules

Public bug reported:

Calico's Felix agent generates iptables chains that intentionally
include rules that the Neutron iptables_manager code considers to be
duplicates - as revealed by logs like these from the DHCP agent:

2017-02-02 18:50:29.482 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-to-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-to-3d959cf9-36 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-from-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-from-3d959cf9-36 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN

IIUC, iptables_manager then reprograms iptables with these 'duplicates'
removed, and thereby breaks Calico's iptables.

** Affects: neutron
     Importance: Undecided
     Assignee: Neil Jerram (neil-jerram)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1664782

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1664782/+subscriptions
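Added example (this is not Neutron's iptables_manager and not Calico's Felix code): a small Python model of the failure mode in the report, showing a duplicate check that rewrites every chain next to one scoped to the chains the agent owns, plus an audit list of what each rewrite would drop. The felix-* chain name and the "Profile accepted packet" rule are taken from the log lines above; the rest of the iptables-save fragment, the `neutron-example-chain` name and the use of a `neutron-` prefix as the ownership marker are assumptions made for this example.

```python
"""Added example (not Neutron's iptables_manager nor Calico's Felix code):
a model of why an agent that rewrites iptables from iptables-save output
must limit duplicate-rule cleanup to the chains it owns.

The felix-* chain name and the "Profile accepted packet" rule come from
the bug report's log lines; everything else in the sample is constructed,
and the "neutron-" prefix as ownership marker is an assumption.
"""
import re
from collections import Counter, OrderedDict

# Constructed iptables-save fragment: two agents share the filter table.
# Felix repeats one RETURN rule on purpose (same text, different position);
# the neutron-* chain carries an accidental repeat that should be removed.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:felix-to-ebf1bc0b-ba - [0:0]
:neutron-example-chain - [0:0]
-A felix-to-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
-A felix-to-ebf1bc0b-ba -j felix-p-example-profile
-A felix-to-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
-A neutron-example-chain -p udp -m udp --dport 67 -j ACCEPT
-A neutron-example-chain -p udp -m udp --dport 67 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_rules(save_text):
    """Map chain name -> list of rule bodies, preserving iptables-save order."""
    chains = OrderedDict()
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def find_duplicates(chains):
    """(chain, rule) pairs where the same rule text occurs more than once.
    This is the condition behind the WARNING lines quoted in the report."""
    found = []
    for chain, rules in chains.items():
        for rule, count in Counter(rules).items():
            if count > 1:
                found.append((chain, rule))
    return found


def dedupe_all_chains(chains):
    """Reported behaviour: collapse repeats in every chain, whoever owns it."""
    return OrderedDict(
        (chain, list(OrderedDict.fromkeys(rules))) for chain, rules in chains.items()
    )


def dedupe_owned_chains(chains, owned_prefix="neutron-"):
    """Scoped behaviour: collapse repeats only in chains this agent owns;
    chains belonging to another agent pass through unchanged."""
    out = OrderedDict()
    for chain, rules in chains.items():
        if chain.startswith(owned_prefix):
            out[chain] = list(OrderedDict.fromkeys(rules))
        else:
            out[chain] = list(rules)
    return out


def removed_rules(before, after):
    """Audit trail: (chain, rule, copies_removed) for every rule a rewrite
    would drop. Logging this before running iptables-restore makes
    cross-agent damage visible instead of silent."""
    dropped = []
    for chain, rules in before.items():
        diff = Counter(rules) - Counter(after.get(chain, []))
        for rule, n in diff.items():
            dropped.append((chain, rule, n))
    return dropped


if __name__ == "__main__":
    chains = parse_rules(SAMPLE_SAVE)
    for chain, rule in find_duplicates(chains):
        print("Duplicate iptables rule detected in %s: %s" % (chain, rule))
    for label, result in (("unscoped", dedupe_all_chains(chains)),
                          ("scoped", dedupe_owned_chains(chains))):
        print("%s cleanup would remove: %s" % (label, removed_rules(chains, result)))
```

Run as a script it prints the two duplicate detections and then the rules each strategy would remove: the unscoped rewrite drops one of Felix's intentional RETURN rules along with the neutron repeat, while the scoped rewrite touches only the neutron chain.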