yahoo-eng-team team mailing list archive
Message #72746
[Bug 1765208] Re: IPtables firewall code sometimes tries to remove non-existent rules
Reviewed: https://review.openstack.org/563730
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dbed642c4ca93e77dc53d8aac9086ab2e60ebaa9
Submitter: Zuul
Branch: master
commit dbed642c4ca93e77dc53d8aac9086ab2e60ebaa9
Author: Brian Haley <bhaley@xxxxxxxxxx>
Date: Mon Apr 23 14:24:13 2018 -0400
Do not remove conntrack jump rules if no zone
In corner cases, the firewall code could try and remove
non-existent conntrack zone jump rules if a zone has never
been allocated. This could happen on an agent restart
when there are no longer ports in the zone on the
compute node. Skip the removal since it will just generate
an iptables warning complaining the existing rule does
not exist.
Change-Id: Ie32733b4a06b6d75cf1eb78915a510a4bb78f619
Closes-bug: #1765208
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1765208
Title:
IPtables firewall code sometimes tries to remove non-existent rules
Status in neutron:
Fix Released
Bug description:
I've seen errors like this in some of the OVS agent logs recently:
WARNING neutron.agent.linux.iptables_manager [None req-61600016-733c-44f2-a96c-d9f62b7e049c None None] Tried to remove rule that was not there: 'PREROUTING' u'-m physdev --physdev-in brq0b54770c-65 -m comment --comment "Set zone for 43bcf43-ba" -j CT --zone 4101' True False
(there's usually 5 more similar lines)
Looking into it, the line right before we had allocated a conntrack
zone:
DEBUG neutron.agent.linux.ip_conntrack [None req-61600016-733c-44f2-a96c-d9f62b7e049c None None] Assigned CT zone 4101 to device 0b54770c-65
So we allocate a zone and immediately try and remove some iptables
rules associated with it, but they won't exist since the zone was just
allocated. Instead, we should return early if there was no zone - the
caller in question is _remove_conntrack_jump(), which is being called
when we're removing a set of chains.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1765208/+subscriptions
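The failure mode the report describes, as an added, constructed model rather than neutron's own iptables_manager or ip_conntrack code: a zone lookup that allocates on first use is followed by a removal of jump rules that were never installed, so the rule store logs "Tried to remove rule that was not there". The fixed path looks the zone up without allocating and returns early when there is none. Class and function names, the peek_zone() lookup, the OUTPUT chain and the starting zone number are assumptions.

```python
"""Constructed model of conntrack-zone jump-rule removal (bug 1765208).
Illustrative only: not neutron's iptables_manager / ip_conntrack code."""
import logging

log = logging.getLogger("conntrack_demo")


class IptablesManagerModel:
    """Minimal rule store: rules kept per chain; removing a rule that is
    not present logs a warning, which is the symptom in the agent log."""

    def __init__(self):
        self.rules = {}      # chain -> list of rule strings
        self.warnings = []   # captured warnings, for inspection

    def add_rule(self, chain, rule):
        self.rules.setdefault(chain, []).append(rule)

    def remove_rule(self, chain, rule):
        chain_rules = self.rules.get(chain, [])
        if rule not in chain_rules:
            msg = "Tried to remove rule that was not there: %r %r" % (chain, rule)
            self.warnings.append(msg)
            log.warning(msg)
            return
        chain_rules.remove(rule)


class ZoneAllocatorModel:
    """Zone bookkeeping. get_zone() allocates on first use (the
    'Assigned CT zone 4101' line right before the warnings);
    peek_zone() only looks up. 4101 is taken from the quoted log."""

    def __init__(self, first_zone=4101):
        self.zones = {}
        self._next = first_zone

    def get_zone(self, device):
        if device not in self.zones:
            self.zones[device] = self._next
            log.debug("Assigned CT zone %d to device %s", self._next, device)
            self._next += 1
        return self.zones[device]

    def peek_zone(self, device):
        return self.zones.get(device)


# Chains are an assumption; the log shows PREROUTING plus similar lines.
CHAINS = ("PREROUTING", "OUTPUT")


def jump_rule(device, zone):
    # Rule text modelled on the warning quoted in the bug report.
    return ('-m physdev --physdev-in brq%s -m comment --comment '
            '"Set zone for %s" -j CT --zone %d' % (device, device, zone))


def install_conntrack_jump(ipt, zones, device):
    zone = zones.get_zone(device)
    for chain in CHAINS:
        ipt.add_rule(chain, jump_rule(device, zone))


def remove_conntrack_jump_buggy(ipt, zones, device):
    """Before the fix: resolving the zone allocates one if needed, then
    rules that never existed for the fresh zone are 'removed'."""
    zone = zones.get_zone(device)
    for chain in CHAINS:
        ipt.remove_rule(chain, jump_rule(device, zone))


def remove_conntrack_jump_fixed(ipt, zones, device):
    """After the fix: no zone was ever allocated, so return early."""
    zone = zones.peek_zone(device)
    if zone is None:
        return
    for chain in CHAINS:
        ipt.remove_rule(chain, jump_rule(device, zone))


def warnings_on_restart(remove_fn):
    """Agent restart: chains for a device are torn down although the
    device never had a zone on this node. Returns the warning count."""
    ipt, zones = IptablesManagerModel(), ZoneAllocatorModel()
    remove_fn(ipt, zones, "0b54770c-65")
    return len(ipt.warnings)


def full_lifecycle_fixed():
    """Normal case: install, then remove with the fixed code.
    Returns (rules left behind, warnings logged)."""
    ipt, zones = IptablesManagerModel(), ZoneAllocatorModel()
    install_conntrack_jump(ipt, zones, "0b54770c-65")
    remove_conntrack_jump_fixed(ipt, zones, "0b54770c-65")
    return sum(len(r) for r in ipt.rules.values()), len(ipt.warnings)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print("buggy restart warnings:", warnings_on_restart(remove_conntrack_jump_buggy))
    print("fixed restart warnings:", warnings_on_restart(remove_conntrack_jump_fixed))
    print("fixed lifecycle (rules left, warnings):", full_lifecycle_fixed())
```

The early return is the whole fix: it neither touches iptables nor hides a real error, because a device that was never assigned a zone cannot have jump rules to clean up, while the normal install-then-remove path still leaves no rules and no warnings behind.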