
yahoo-eng-team team mailing list archive

[Bug 1765208] [NEW] IPtables firewall code sometimes tries to remove non-existent rules


Public bug reported:

I've seen errors like this in some of the OVS agent logs recently:

WARNING neutron.agent.linux.iptables_manager [None req-61600016-733c-44f2-a96c-d9f62b7e049c None None] Tried to remove rule that was not there: 'PREROUTING' u'-m physdev --physdev-in brq0b54770c-65 -m comment --comment "Set zone for 43bcf43-ba" -j CT --zone 4101' True False
(there are usually 5 more similar lines)

Looking into it, the line right before we had allocated a conntrack
zone:

DEBUG neutron.agent.linux.ip_conntrack [None req-61600016-733c-44f2-a96c-d9f62b7e049c None None] Assigned CT zone 4101 to device 0b54770c-65

So we allocate a zone and immediately try to remove some iptables rules
associated with it, but they won't exist since the zone was just
allocated.  Instead, we should return early if there was no zone - the
caller in question is _remove_conntrack_jump(), which is being called
when we're removing a set of chains.

** Affects: neutron
     Importance: Undecided
     Assignee: Brian Haley (brian-haley)
         Status: New


** Tags: sg-fw

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1765208

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1765208/+subscriptions
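The allocate-on-lookup pattern the report describes, as an added example that is not neutron's code: a toy zone manager whose `get_zone()` allocates a conntrack zone as a side effect of looking one up, a toy iptables store that logs the same "Tried to remove rule that was not there" warning, and the removal path written both ways. `ZoneManager`, `IptablesManager`, `remove_conntrack_jump_buggy`, `remove_conntrack_jump_fixed` and `run_scenario` are names assumed here for illustration; they are not neutron's real classes or functions, and the device ids and zone numbers are constructed sample data.

```python
"""Added example (not neutron's own code) modelling the bug report's
conntrack-zone / iptables interaction.  All class and function names here
are assumptions for illustration, not neutron's real API."""
import itertools
import logging

log = logging.getLogger("toy_iptables")


class IptablesManager:
    """Minimal stand-in for an iptables rule store: a set of (chain, rule)."""

    def __init__(self):
        self.rules = set()
        self.warnings = []  # constructed log sink so a caller can inspect it

    def add_rule(self, chain, rule):
        self.rules.add((chain, rule))

    def remove_rule(self, chain, rule):
        # Same symptom as the report: removing an absent rule only warns.
        if (chain, rule) not in self.rules:
            msg = "Tried to remove rule that was not there: %r %r" % (chain, rule)
            self.warnings.append(msg)
            log.warning(msg)
            return
        self.rules.remove((chain, rule))


class ZoneManager:
    """Hands out conntrack zone ids per device.  get_zone() allocates on
    first use (the behaviour the report describes); lookup_zone() does not."""

    def __init__(self, first_zone=4097):
        self._zones = {}
        self._next = itertools.count(first_zone)

    def get_zone(self, device):
        if device not in self._zones:
            self._zones[device] = next(self._next)
            log.debug("Assigned CT zone %d to device %s", self._zones[device], device)
        return self._zones[device]

    def lookup_zone(self, device):
        return self._zones.get(device)

    def known_devices(self):
        return set(self._zones)


def _zone_rule(device, zone):
    # Rule shape mirrors the warning line in the report: a physdev match
    # on the tap's bridge port that jumps to CT with the device's zone.
    return ('-m physdev --physdev-in brq%s -m comment --comment '
            '"Set zone for %s" -j CT --zone %d' % (device, device, zone))


def remove_conntrack_jump_buggy(ipt, zones, device):
    """Looks the zone up with the allocating accessor, so a device that was
    never set up gets a fresh zone and then a removal of a rule that was
    never installed."""
    zone = zones.get_zone(device)
    ipt.remove_rule("PREROUTING", _zone_rule(device, zone))
    return True


def remove_conntrack_jump_fixed(ipt, zones, device):
    """Return early when the device has no zone: there is nothing to tear
    down, and no zone should be allocated on the removal path."""
    zone = zones.lookup_zone(device)
    if zone is None:
        return False
    ipt.remove_rule("PREROUTING", _zone_rule(device, zone))
    return True


def run_scenario(remove_fn):
    """Drive one removal path over a device that was fully set up and one
    that never had a zone; return (warnings, devices with zones, rules left)."""
    ipt = IptablesManager()
    zones = ZoneManager()
    # Constructed device that went through normal setup: zone and rule exist.
    z = zones.get_zone("aaaaaaaa-11")
    ipt.add_rule("PREROUTING", _zone_rule("aaaaaaaa-11", z))
    # Constructed device being removed without ever having had a zone.
    remove_fn(ipt, zones, "0b54770c-65")
    remove_fn(ipt, zones, "aaaaaaaa-11")
    return ipt.warnings, zones.known_devices(), ipt.rules


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print("buggy:", run_scenario(remove_conntrack_jump_buggy))
    print("fixed:", run_scenario(remove_conntrack_jump_fixed))
```

With the buggy path the never-set-up device ends up holding a zone it will never use and the store logs a spurious warning; with the early return, the removal path neither allocates nor warns, and the device that really had a rule is still cleaned up.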

