
yahoo-eng-team team mailing list archive

[Bug 1664782] Re: iptables manager wrongly deletes other agents' rules

 

** Changed in: neutron
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1664782

Title:
  iptables manager wrongly deletes other agents' rules

Status in neutron:
  Won't Fix

Bug description:
  Calico's Felix agent generates iptables chains that intentionally
  include rules that the Neutron iptables_manager code considers to be
  duplicates - as revealed by logs like these from the DHCP agent:

  2017-02-02 18:50:29.482 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-to-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
  2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-to-3d959cf9-36 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
  2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-from-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
  2017-02-02 18:50:29.483 3376 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the iptables rule generation code. Line: -A felix-from-3d959cf9-36 -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN

  IIUC, iptables_manager then reprograms iptables with these 'duplicates'
  removed, and thereby breaks Calico's iptables.

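An added check, not part of the bug report and not Neutron's code: it scans iptables-save text for rules repeated within a chain and reports those sitting in chains outside an assumed `neutron-` prefix, which are the rules another agent such as Felix would lose if duplicates were stripped. The sample input is constructed; `own_prefix`, the function names and the `example-*` chains are assumptions.

```python
from collections import defaultdict

# Constructed iptables-save fragment (not captured output). The felix-* chain
# name and the repeated RETURN rule follow the log lines in the report; the
# intervening jumps and the neutron-* chain are made up for illustration.
SAMPLE = """\
*filter
:felix-to-ebf1bc0b-ba - [0:0]
:neutron-example-chain - [0:0]
-A felix-to-ebf1bc0b-ba -j example-profile-a
-A felix-to-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
-A felix-to-ebf1bc0b-ba -j example-profile-b
-A felix-to-ebf1bc0b-ba -m mark --mark 0x1000000/0x1000000 -m comment --comment "Profile accepted packet" -j RETURN
-A neutron-example-chain -j ACCEPT
-A neutron-example-chain -j ACCEPT
COMMIT
"""

def chain_of(line):
    """Return the chain name of an '-A <chain> ...' line, else None."""
    parts = line.split()
    return parts[1] if len(parts) > 1 and parts[0] == "-A" else None

def duplicate_rules(save_text):
    """Map chain -> 1-based line numbers that repeat an earlier rule.

    The chain name is part of each line, so matching whole lines only
    finds repeats inside the same chain (input is one table's dump)."""
    seen, dups = set(), defaultdict(list)
    for lineno, line in enumerate(save_text.splitlines(), 1):
        chain = chain_of(line)
        if chain is None:
            continue  # table header, chain declaration, COMMIT
        if line in seen:
            dups[chain].append(lineno)
        seen.add(line)
    return dict(dups)

def foreign_duplicates(save_text, own_prefix="neutron-"):
    """Duplicates in chains this agent does not own; removing them alters
    another agent's rule set. own_prefix is an assumed naming convention."""
    return {c: n for c, n in duplicate_rules(save_text).items()
            if not c.startswith(own_prefix)}

if __name__ == "__main__":
    for chain, lines in foreign_duplicates(SAMPLE).items():
        print(f"{chain}: duplicate at line(s) {lines} belongs to another agent")
```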


