Reviewed:  https://review.openstack.org/559256
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fb9ec1afb6545def3130952008ee7f20dbaafd2c
Submitter: Zuul
Branch:    stable/queens

commit fb9ec1afb6545def3130952008ee7f20dbaafd2c
Author: Dmitrii Shcherbakov <dmitrii.shcherba...@canonical.com>
Date:   Thu Mar 29 17:32:01 2018 -0400

    Use cidr during tenant network rule deletion
    
    If a distributed router has interfaces on multiple tenant networks, with
    'fast exit' functionality policy-based rules are created in the qrouter
    namespace for every tenant network subnet and 'from <cidr>' is included
    in the 'ip rule' command invocation.
    
    When a port on a tenant network is deleted, the 'from <cidr>' part is not
    included and the first rule matching the specified parameters gets deleted.
    
    For example with the following layout
    
    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default
    80000:  from 192.168.100.0/24 lookup 16
    80000:  from 192.168.200.0/24 lookup 16
    
    and the neutron l3 agent will use this command
    
    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule\
    del priority 80000 table 16 type unicast
    
    and the 192.168.100.0/24 rule will get deleted even if you actually removed
    a port on 192.168.200.0.
    
    This results in an extra rule present and not cleaned up and the right
    rule removed. It is only recreated if a router is disabled and enabled
    again.
    
    Additional changes:
    
    1) Floating IP rules are identified by priority only as implemented
    currently - for this reason this change adds fixed_ip to the rule
    removal code. Rule priorities are 32-bit values in iproute2 so,
    in theory, those should not be used to cover IPv6.
    
    2) IP protocol information for 'from all' rules is currently
    derived from link-local address IP version. The same approach
    is preserved by using version-specific /0 addresses without
    changing the API provided by ip_lib.
    
    Change-Id: I0ea6dddd26e17771be223a1fbdf21792c90f3e9c
    Closes-Bug: #1759956
    (cherry picked from commit 81db328b2df08f2b4adcc80104cf05ad8966c019)


** Tags added: in-stable-queens
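The matching behaviour the commit describes is easy to reproduce without root: `ip rule del` compares only the selector attributes that were given and removes the first rule that satisfies all of them. The following is an added example (not neutron or iproute2 code) that parses the `ip rule` listing quoted above, models that first-match deletion, and builds the corrected deletion command with the `from <cidr>` selector. It also shows the version-specific /0 prefix that stands in for `from all`, which the commit message mentions for IPv4 and IPv6. The rule table is constructed from the listing in the commit message; the namespace name and function names are this example's own.

```python
"""Model of `ip rule del` selector matching (added example, not neutron code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the `ip rule` listing quoted in the commit message.
SAMPLE_IP_RULE_OUTPUT = """\
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
80000:  from 192.168.100.0/24 lookup 16
80000:  from 192.168.200.0/24 lookup 16
"""

# One line of `ip rule` output: "<prio>: from <src> lookup <table>"
RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)\s+lookup\s+(?P<table>\S+)\s*$"
)


@dataclass(frozen=True)
class Rule:
    priority: int
    src: str    # "all" or a CIDR prefix
    table: str  # table name or number, as printed by `ip rule`


def parse_ip_rule(output: str) -> List[Rule]:
    """Parse `ip rule` listing lines into Rule objects, in kernel order."""
    rules = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules.append(Rule(int(m["prio"]), m["src"], m["table"]))
    return rules


def select_for_deletion(rules: List[Rule], priority: Optional[int] = None,
                        table: Optional[str] = None,
                        src: Optional[str] = None) -> Optional[Rule]:
    """Return the rule `ip rule del` would remove for the given selector.

    Only the attributes that were specified are compared, and the first rule
    matching all of them wins. Leaving `src` out is exactly the ambiguity the
    commit fixes: two rules with the same priority and table collide.
    """
    for r in rules:
        if priority is not None and r.priority != priority:
            continue
        if table is not None and r.table != str(table):
            continue
        if src is not None and r.src != src:
            continue
        return r
    return None


def version_specific_any(version: int) -> str:
    """Explicit /0 prefix equivalent to 'from all' for the given IP version."""
    return "0.0.0.0/0" if version == 4 else "::/0"


def build_rule_del_cmd(namespace: str, priority: int, table: int,
                       cidr: str) -> List[str]:
    """Assemble the deletion command with the 'from <cidr>' selector included,
    picking -4/-6 from the address family of the prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ["ip", "netns", "exec", namespace,
            "ip", f"-{net.version}", "rule", "del",
            "priority", str(priority), "table", str(table), "type", "unicast",
            "from", str(net)]


if __name__ == "__main__":
    rules = parse_ip_rule(SAMPLE_IP_RULE_OUTPUT)
    # Selector without 'from': the 192.168.100.0/24 rule is hit first.
    print("without from:", select_for_deletion(rules, priority=80000, table="16"))
    # Selector with 'from 192.168.200.0/24': the intended rule is hit.
    print("with from:   ", select_for_deletion(rules, priority=80000, table="16",
                                               src="192.168.200.0/24"))
    # Hypothetical namespace name; real ones are qrouter-<router uuid>.
    print(" ".join(build_rule_del_cmd("qrouter-EXAMPLE", 80000, 16,
                                      "192.168.200.0/24")))
```

Run as a script to see the two selections side by side; the first, without `from`, picks the 192.168.100.0/24 rule even though the port being removed was on 192.168.200.0/24.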

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1759956

Title:
  [dvr][fast-exit] incorrect policy rules get deleted when a distributed
  router has ports on multiple tenant networks


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
