
yahoo-eng-team team mailing list archive

[Bug 1951564] Re: snat random-fully supported with iptables 1.6.0

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/822562
Committed: https://opendev.org/openstack/neutron/commit/5e62eac7a97a251ab3f2330d65950a4b9e2a33cf
Submitter: "Zuul (22348)"
Branch:    master

commit 5e62eac7a97a251ab3f2330d65950a4b9e2a33cf
Author: Maximilian Stinsky <maximilian.stinsky@xxxxxx>
Date:   Tue Dec 21 22:31:18 2021 +0100

    Reduce iptables version check from 1.6.2 to 1.6.0
    
    The check is required to check if --random-fully can be used.
    Neutron is only using MASQUERADE rules which --random-fully supports
    since version 1.6.0.
    
    Closes-Bug: #1951564
    Change-Id: I4d9a2f7d396d6cc8c958f5be635c2d3236e3fe4f


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1951564

Title:
  snat random-fully supported with iptables 1.6.0

Status in neutron:
  Fix Released

Bug description:
  With the following report
  https://bugs.launchpad.net/neutron/+bug/1814002 neutron was set to
  create SNAT rules with the --random-fully flag.

  This is only getting applied with iptables 1.6.2 through a version check on the neutron-l3-agent start.
  --random-fully is already supported since iptables 1.6.0 for SNAT rules. 1.6.2 is only required for MASQUERADE.

  As far as I can see neutron is only setting SNAT rules so it would be
  reasonable to decrease the version check to 1.6.0 - this would enable
  --random-fully for more deployments as Ubuntu Bionic for example only
  ships with iptables 1.6.1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1951564/+subscriptions
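
An added example, not neutron's code and not part of the original notification: a version gate of the kind the bug discusses, sketched in Python. The per-target minimum versions are taken from the bug description as an assumption; the function names, the sample `iptables --version` strings and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Minimum iptables version per NAT target for --random-fully, taken from the
# bug description above (an assumption of this example, not neutron's table).
MIN_RANDOM_FULLY = {"SNAT": (1, 6, 0), "MASQUERADE": (1, 6, 2)}

_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)(?:\.(\d+))?")


def parse_iptables_version(output):
    """Return (major, minor, patch) from `iptables --version` output."""
    match = _VERSION_RE.search(output)
    if match is None:
        raise ValueError("no iptables version in %r" % output)
    return tuple(int(part or 0) for part in match.groups())


def supports_random_fully(version, target):
    """Compare as integer tuples; string comparison would rank 1.8.10 < 1.8.2."""
    if target not in MIN_RANDOM_FULLY:
        raise ValueError("unsupported NAT target: %s" % target)
    return version >= MIN_RANDOM_FULLY[target]


def nat_target_args(version, target, to_source=None):
    """Build the '-j ...' part of a POSTROUTING rule for the given iptables."""
    args = ["-j", target]
    if target == "SNAT":
        if not to_source:
            raise ValueError("SNAT needs a --to-source address")
        args += ["--to-source", to_source]
    if supports_random_fully(version, target):
        args.append("--random-fully")
    return args


if __name__ == "__main__":
    # Constructed sample outputs; 203.0.113.10 is a documentation address.
    for line in ("iptables v1.6.1", "iptables v1.8.10 (nf_tables)"):
        version = parse_iptables_version(line)
        print(line, "->", nat_target_args(version, "SNAT", "203.0.113.10"),
              nat_target_args(version, "MASQUERADE"))
```

With these thresholds, a host reporting 1.6.1 gets `--random-fully` on its SNAT rule but not on a MASQUERADE rule, which is the gap the bug description points at.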


