
yahoo-eng-team team mailing list archive

[Bug 1721895] Re: OVS firewall should drop iptables rules if it detects a bridge


Reviewed:  https://review.openstack.org/510628
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9d74de162a2dd7bf5c2df59ccf9ff812f8e46387
Submitter: Jenkins
Branch:    master

commit 9d74de162a2dd7bf5c2df59ccf9ff812f8e46387
Author: Jakub Libosvar <libosvar@xxxxxxxxxx>
Date:   Mon Oct 9 15:33:32 2017 +0000

    ovs-fw: Remove iptables rules on hybrid ports
    
    ovs-firewall now scans ports on its bridge and stores those that have
    the prefix 'qvo', which means such ports use hybrid plugging. Because
    ovs-agent makes a full sync when it's started, all ports that reside on
    the node are passed to the firewall driver to refresh the firewall, for
    which a new helper was added.
    
    In case the initial scan noticed hybrid-plugged ports, an iptables
    firewall driver is instantiated and each port is passed down to a helper
    that removes the iptables rules for the given port.
    
    Once all ports are processed, a mark is added to ovsdb to avoid cleaning
    iptables in the future. That means the next time ovs-agent is started,
    the iptables firewall will not be instantiated.
    
    NOTE: Fullstack tests are a great candidate to cover the migration but
          I'll leave it as TODO after we stabilize fullstack tests.
    
    Closes-bug: #1721895
    
    Change-Id: I662c310133a089bf29b734c539e57a8cff923074


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1721895

Title:
  OVS firewall should drop iptables rules if it detects a bridge

Status in neutron:
  Fix Released

Bug description:
  When a user switches from the hybrid firewall to the OVS native
  firewall the iptables rules will be left behind on the filtering
  bridge. Since removing the bridge would require difficult coordination
  with Nova and it would be disruptive to traffic, that is currently not
  a viable approach.

  To make the transition easier, the OVS firewall should at least detect
  when one of its VM ports contains a filtering bridge and drop all of
  the iptables rules on it so we don't have stale rules interfering with
  the traffic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1721895/+subscriptions
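The one-shot cleanup the commit message describes (scan the bridge for 'qvo'-prefixed ports, instantiate the iptables driver only if any are found, strip each port's rules, then write a mark so later agent starts skip the whole step) can be modelled without a real OVS or iptables. The following is an added illustration, not Neutron's code: the bridge, the iptables chains and the OVSDB mark are in-memory dictionaries, the mark key name `iptables_cleaned`, the chain names and the rule that a port's chains end in its port id are all constructed assumptions, and the mark is written even when no hybrid ports were found (the commit only states it is added once all ports are processed).

```python
"""Model of the hybrid-port iptables cleanup run once at ovs-agent start.

Constructed example (not Neutron code): OVS bridge, iptables state and the
OVSDB marker are plain dictionaries so the decision logic can be run offline.
"""
from dataclasses import dataclass, field

HYBRID_PREFIX = "qvo"            # hybrid-plugged OVS port names carry this prefix (from the page)
CLEANUP_MARK = "iptables_cleaned"  # assumed key for the "already cleaned" mark stored in ovsdb


@dataclass
class FakeOvsdb:
    """Stands in for the OVS bridge: its port names plus a key/value store for the mark."""
    ports: list
    external_ids: dict = field(default_factory=dict)


@dataclass
class FakeIptables:
    """Stands in for the iptables firewall driver: chains keyed by a constructed name."""
    chains: dict
    removed: list = field(default_factory=list)

    def remove_port_filter(self, port_id):
        """Drop every chain that belongs to the given port (assumed: chain name ends in port id)."""
        for chain in [c for c in self.chains if c.endswith(port_id)]:
            del self.chains[chain]
            self.removed.append(chain)


def hybrid_port_ids(ovsdb):
    """Return the ids of ports whose OVS port name carries the hybrid 'qvo' prefix."""
    return [name[len(HYBRID_PREFIX):]
            for name in ovsdb.ports if name.startswith(HYBRID_PREFIX)]


def cleanup_hybrid_rules(ovsdb, iptables_factory):
    """Run at agent start. Returns the port ids cleaned, or [] when nothing was done.

    The iptables driver is only built (via iptables_factory) when the scan found
    hybrid ports; once the mark is present the scan is skipped entirely.
    """
    if ovsdb.external_ids.get(CLEANUP_MARK) == "true":
        return []  # earlier run already cleaned: never instantiate the iptables driver again
    ids = hybrid_port_ids(ovsdb)
    if ids:
        iptables = iptables_factory()
        for port_id in ids:
            iptables.remove_port_filter(port_id)
    ovsdb.external_ids[CLEANUP_MARK] = "true"  # assumption: mark written after processing
    return ids


def demo():
    """Two agent starts against constructed state; returns what a test can check."""
    chains = {"filter-in-abc": ["rule"], "filter-out-abc": ["rule"],
              "filter-in-def": ["rule"], "filter-in-zzz": ["rule"]}
    iptables = FakeIptables(chains=chains)
    instantiations = []

    def factory():
        instantiations.append(iptables)
        return iptables

    # 'tapzzz' is a non-hybrid port: its chains must be left alone.
    ovsdb = FakeOvsdb(ports=["qvoabc", "tapzzz", "qvodef"])
    first = cleanup_hybrid_rules(ovsdb, factory)
    second = cleanup_hybrid_rules(ovsdb, factory)  # simulated restart: mark now present
    return {
        "first_run": first,
        "second_run": second,
        "driver_instantiations": len(instantiations),
        "remaining_chains": sorted(iptables.chains),
        "mark": ovsdb.external_ids.get(CLEANUP_MARK),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth checking is the second run: with the mark in place the driver is not instantiated at all, which is what keeps a fully migrated node from paying for an iptables scan on every agent restart, while the chains of the non-hybrid port survive the first run untouched.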
