yahoo-eng-team team mailing list archive

[Bug 1973035] Re: FWaaS rules lost on l3 agent restart

 

I set it to invalid because, if I understand correctly, the issue was in your
config. Please open it again if you see more issues.

** Tags added: fwaas

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1973035

Title:
  FWaaS rules lost on l3 agent restart

Status in neutron:
  Invalid

Bug description:
  Iptables rules are lost in router namespace on restart of l3 agent.

  
  Rules before restarting L3 agent
  ip netns exec qrouter-b764e745-adfe-4f31-b0f7-dc68e4468b37 iptables -S
  -P INPUT ACCEPT
  -P FORWARD ACCEPT
  -P OUTPUT ACCEPT
  -N neutron-filter-top
  -N neutron-l3-agent-FORWARD
  -N neutron-l3-agent-INPUT
  -N neutron-l3-agent-OUTPUT
  -N neutron-l3-agent-accepted
  -N neutron-l3-agent-dropped
  -N neutron-l3-agent-fwaas-defau
  -N neutron-l3-agent-iv4d0588aa2
  -N neutron-l3-agent-local
  -N neutron-l3-agent-ov4d0588aa2
  -N neutron-l3-agent-rejected
  -N neutron-l3-agent-scope
  -A INPUT -j neutron-l3-agent-INPUT
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-l3-agent-FORWARD
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-l3-agent-OUTPUT
  -A neutron-filter-top -j neutron-l3-agent-local
  -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
  -A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-iv4d0588aa2
  -A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-ov4d0588aa2
  -A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
  -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
  -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
  -A neutron-l3-agent-accepted -j ACCEPT
  -A neutron-l3-agent-dropped -j DROP
  -A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv4d0588aa2 -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-iv4d0588aa2 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-iv4d0588aa2 -p tcp -m tcp --dport 22 -j neutron-l3-agent-accepted
  -A neutron-l3-agent-ov4d0588aa2 -m state --state INVALID -j neutron-l3-agent-dropped
  -A neutron-l3-agent-ov4d0588aa2 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A neutron-l3-agent-ov4d0588aa2 -p icmp -j neutron-l3-agent-accepted
  -A neutron-l3-agent-ov4d0588aa2 -d 10.40.95.125/32 -p tcp -m tcp --dport 53 -j neutron-l3-agent-accepted
  -A neutron-l3-agent-ov4d0588aa2 -d 10.40.95.125/32 -p udp -m udp --dport 53 -j neutron-l3-agent-accepted
  -A neutron-l3-agent-ov4d0588aa2 -d 10.0.0.0/8 -j neutron-l3-agent-dropped
  -A neutron-l3-agent-ov4d0588aa2 -d 172.16.0.0/12 -j neutron-l3-agent-dropped
  -A neutron-l3-agent-ov4d0588aa2 -d 192.168.0.0/16 -j neutron-l3-agent-dropped
  -A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
  -A neutron-l3-agent-scope -o qr-e3cb6269-3b -m mark ! --mark 0x4000000/0xffff0000 -j DROP

  
  Rules after restart.

  ip netns exec qrouter-b764e745-adfe-4f31-b0f7-dc68e4468b37 iptables -S
  -P INPUT ACCEPT
  -P FORWARD ACCEPT
  -P OUTPUT ACCEPT
  -N neutron-filter-top
  -N neutron-l3-agent-FORWARD
  -N neutron-l3-agent-INPUT
  -N neutron-l3-agent-OUTPUT
  -N neutron-l3-agent-local
  -N neutron-l3-agent-scope
  -A INPUT -j neutron-l3-agent-INPUT
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-l3-agent-FORWARD
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-l3-agent-OUTPUT
  -A neutron-filter-top -j neutron-l3-agent-local
  -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
  -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
  -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
  -A neutron-l3-agent-scope -o qr-e3cb6269-3b -m mark ! --mark 0x4000000/0xffff0000 -j DROP


  Name: neutron-fwaas
  Version: 16.0.1.dev3
  Summary: OpenStack Networking FWaaS
  Home-page: https://docs.openstack.org/neutron-fwaas/latest/
  Author: OpenStack
  Author-email: openstack-discuss@xxxxxxxxxxxxxxxxxxx
  License: UNKNOWN
  Location: /openstack/venvs/neutron-21.2.9/lib/python3.8/site-packages
  Requires: neutron-lib, neutron, eventlet, oslo.config, pyroute2, os-ken, netaddr, six, oslo.db, oslo.log, oslo.utils, oslo.privsep, pyzmq, pbr, alembic, SQLAlchemy, oslo.messaging, oslo.service
  Required-by:

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1973035/+subscriptions
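
A way to check for the condition described in the bug report above: compare `iptables -S` snapshots of the router namespace taken before and after an l3 agent restart, and flag the case where the FORWARD policy is ACCEPT but no per-port firewall rules remain. This is an added example, not code from the bug report or from neutron; the sample data is a subset of the rules quoted in the report, and the function names and the `fails_open` heuristic are assumptions made for illustration.

```python
import shlex
# Subset of the `iptables -S` output quoted in the bug report (before/after restart).
BEFORE = """\
-P FORWARD ACCEPT
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-dropped
-N neutron-l3-agent-fwaas-defau
-N neutron-l3-agent-iv4d0588aa2
-N neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-iv4d0588aa2
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
"""
AFTER = """\
-P FORWARD ACCEPT
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
"""

def parse(dump):
    """Split `iptables -S` output into policies, chain names and rules."""
    policies, chains, rules = {}, set(), []
    for tok in map(shlex.split, dump.splitlines()):
        if tok[:1] == ["-P"]:
            policies[tok[1]] = tok[2]
        elif tok[:1] == ["-N"]:
            chains.add(tok[1])
        elif tok[:1] == ["-A"]:
            rules.append(tuple(tok))
    return policies, chains, rules

def lost(before, after):
    """Chains and rules present before the restart but missing afterwards."""
    _, b_chains, b_rules = parse(before)
    _, a_chains, a_rules = parse(after)
    return sorted(b_chains - a_chains), [r for r in b_rules if r not in a_rules]

def port_filters(dump, chain="neutron-l3-agent-FORWARD"):
    """Rules in the agent's FORWARD chain that match a router port (-i/-o)."""
    return [r for r in parse(dump)[2] if r[1] == chain and {"-i", "-o"} & set(r)]

def fails_open(dump):
    """Heuristic: FORWARD policy is ACCEPT and no per-port rules are left."""
    return parse(dump)[0].get("FORWARD") == "ACCEPT" and not port_filters(dump)

if __name__ == "__main__":
    print(lost(BEFORE, AFTER), fails_open(AFTER))
```

To use it on a live router, feed it the saved output of `ip netns exec <namespace> iptables -S` from before and after the restart in place of the embedded samples.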


