yahoo-eng-team team mailing list archive
Message #79354
[Bug 1826066] Re: Iptables rules for unbound ports removed during agent sync
[Expired for neutron because there has been no activity for 60 days.]
** Changed in: neutron
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1826066
Title:
Iptables rules for unbound ports removed during agent sync
Status in neutron:
Expired
Bug description:
Hi.
Using Octavia and the Neutron DVR-HA scheme, it looks like there is a problem with
iptables rules in SNAT namespaces. During the initial creation of an Octavia
LBaaS, the following iptables forward rules are also created:
# ip netns exec snat-7fd10a01-bf15-4603-81d5-d94412b007ab iptables -A neutron-vpn-agen-OUTPUT -d fip-ip -j DNAT --to-destination 10.0.0.20 -t nat
# ip netns exec snat-7fd10a01-bf15-4603-81d5-d94412b007ab iptables -A neutron-vpn-agen-PREROUTING -d fip-ip -j DNAT --to-destination 10.0.0.20 -t nat
And traffic goes well, but after a full resync of the l3 agent on the network
node, these rules disappear from the namespaces and never come back
until recreated manually. After creating this rule in the router
namespaces, the traffic goes well.
After a short investigation of this issue, it looks like something is missed
in creating rules for unbound neutron ports.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1826066/+subscriptions