yahoo-eng-team team mailing list archive

[Bug 1826066] [NEW] Iptables rules for unbound ports removed during agent sync

 

Public bug reported:

Hi.

Using Octavia with the Neutron DVR-HA scheme, it looks like there is a problem with
iptables rules in the SNAT namespaces. During the initial creation of an Octavia LBaaS,
the following iptables forward rules are also created:

# ip netns exec snat-7fd10a01-bf15-4603-81d5-d94412b007ab iptables -A neutron-vpn-agen-OUTPUT -d fip-ip -j DNAT --to-destination 10.0.0.20 -t nat
# ip netns exec snat-7fd10a01-bf15-4603-81d5-d94412b007ab iptables -A neutron-vpn-agen-PREROUTING -d fip-ip -j DNAT --to-destination 10.0.0.20 -t nat

And traffic flows well, but after a full resync of the L3 agent on the network
node, these rules disappear from the namespaces and never come back
until recreated manually. After creating these rules in the router namespaces,
traffic flows well again.

After a short investigation of this issue, it looks like something is missed when
creating rules for unbound Neutron ports.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1826066
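As an added example (not from the bug report and not Neutron's own code), here is a POSIX shell check that parses an `iptables-save -t nat` dump taken inside a router's snat namespace and confirms that both DNAT rules for a floating IP, the one in the agent's PREROUTING chain and the one in its OUTPUT chain, are still present. It is the kind of check one would run after an L3 agent resync to catch the disappearance described above. The chain prefix is matched generically, so it accepts both the `neutron-vpn-agen-` prefix seen in the report and the `neutron-l3-agent-` prefix used when no VPN agent is involved. The floating IP 203.0.113.10, the fixed IP 10.0.0.20 and the two sample dumps are constructed for this example; `iptables-save` prints destinations with a `/32` suffix, which the pattern accepts.

```shell
#!/bin/sh
# check_fip_dnat <nat-table-dump> <floating-ip> <fixed-ip>
# Scans an "iptables-save -t nat" dump for the two DNAT rules a floating IP
# needs in an snat namespace (one in the agent's PREROUTING chain, one in its
# OUTPUT chain). Returns 0 when both are present, 1 otherwise, and names the
# missing chain(s) on stdout.
check_fip_dnat() {
    dump="$1"; fip="$2"; fixed="$3"
    missing=""
    for chain in PREROUTING OUTPUT; do
        # Chain prefix is matched generically (neutron-vpn-agen-, neutron-l3-agent-, ...).
        # iptables-save writes the destination as <ip>/32, so the suffix is optional here.
        if ! printf '%s\n' "$dump" |
            grep -Eq "^-A [A-Za-z0-9_-]+-${chain} -d ${fip}(/32)? -j DNAT --to-destination ${fixed}\$"; then
            missing="${missing:+${missing} }${chain}"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing DNAT rule in chain(s): %s\n' "$missing"
        return 1
    fi
    return 0
}

# live_check <router-uuid> <floating-ip> <fixed-ip>
# Dumps the nat table of the router's snat namespace and runs the check.
# Needs root on the network node; it is not exercised by the samples below.
live_check() {
    router="$1"; fip="$2"; fixed="$3"
    dump="$(ip netns exec "snat-${router}" iptables-save -t nat)" || return 2
    check_fip_dnat "$dump" "$fip" "$fixed"
}

# Constructed sample dump (assumption, not captured from a real node): the state
# right after the load balancer is created, with both DNAT rules in place.
SAMPLE_OK='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A neutron-vpn-agen-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.20
-A neutron-vpn-agen-OUTPUT -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.20
COMMIT'

# Constructed sample dump: the same namespace after a full L3 agent resync has
# dropped the two DNAT rules; the jump rules survive but the chains are empty.
SAMPLE_AFTER_RESYNC='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
COMMIT'

# Constructed sample dump: only the PREROUTING rule survived, so OUTPUT is reported.
SAMPLE_PARTIAL='*nat
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
-A neutron-l3-agent-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.20
COMMIT'
```

On a real network node the call would be `live_check 7fd10a01-bf15-4603-81d5-d94412b007ab <floating-ip> <fixed-ip>` with the router UUID from the report; looping it over every router and floating IP before and after restarting the L3 agent turns the check into a regression probe for this bug.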

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1826066/+subscriptions

