Submitter: Zuul
Branch:    stable/queens

commit fb9ec1afb6545def3130952008ee7f20dbaafd2c
Author: Dmitrii Shcherbakov <>
Date:   Thu Mar 29 17:32:01 2018 -0400

    Use cidr during tenant network rule deletion

    If a distributed router has interfaces on multiple tenant networks, with
    'fast exit' functionality policy-based rules are created in the qrouter
    namespace for every tenant network subnet and 'from <cidr>' is included
    in the 'ip rule' command invocation.

    When a port on a tenant network is deleted, the 'from <cidr>' part is not
    included and the first rule matching the specified parameters gets deleted.

    For example, with the following layout

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default
    80000:  from lookup 16
    80000:  from lookup 16

    the neutron l3 agent will use this command

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule\
    del priority 80000 table 16 type unicast

    and the rule will get deleted even if you actually removed
    a port on

    This results in an extra rule present and not cleaned up and the right
    rule removed. It is only recreated if a router is disabled and enabled.

    Additional changes:

    1) Floating IP rules are identified by priority only as implemented
    currently - for this reason this change adds fixed_ip to the rule
    removal code. Rule priorities are 32-bit values in iproute2 so,
    in theory, those should not be used to cover IPv6.

    2) IP protocol information for 'from all' rules is currently
    derived from the link-local address IP version. The same approach
    is preserved by using version-specific /0 addresses without
    changing the API provided by ip_lib.

    Change-Id: I0ea6dddd26e17771be223a1fbdf21792c90f3e9c
    Closes-Bug: #1759956
    (cherry picked from commit 81db328b2df08f2b4adcc80104cf05ad8966c019)
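The following is an added illustration, not neutron's ip_lib code and not part of the commit above. It models the first-match semantics of 'ip rule del' that the commit message describes: two tenant subnets share priority 80000 and table 16, so a deletion keyed on priority and table alone removes whichever rule is listed first, while carrying 'from <cidr>' (and a version-specific /0 in place of 'from all', as the second additional change does) selects the intended rule. The rule set, subnets and the Rule/delete_rule helpers are constructed for the example; only the shape of the iproute2 argument list follows the command quoted in the commit.

```python
"""Model of 'ip rule del' first-match semantics in a qrouter namespace.

Added illustration (not neutron's ip_lib code). Rule, delete_rule and the
sample rule set are constructed here to reproduce the behaviour the commit
describes; they are not a model of the kernel's internal data structures.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """One policy-routing rule as listed by 'ip rule'."""
    priority: int
    table: int
    src: str          # 'from' selector as a CIDR; 'from all' is the /0 of its family
    ip_version: int   # 4 or 6, the family that 'ip -4' / 'ip -6' operates on


def any_cidr(ip_version):
    """Version-specific catch-all, the per-family equivalent of 'from all'."""
    return "0.0.0.0/0" if ip_version == 4 else "::/0"


def rule_del_args(priority, table, src=None, ip_version=4):
    """Argument list for the iproute2 call; 'src' appends the 'from' selector."""
    args = ["ip", "-%d" % ip_version, "rule", "del", "priority", str(priority),
            "table", str(table), "type", "unicast"]
    if src is not None:
        args += ["from", str(ip_network(src, strict=False))]
    return args


def delete_rule(rules, priority, table, src=None, ip_version=4):
    """Mimic the kernel: remove the FIRST rule matching every given selector.

    A selector that is not given (src=None) does not constrain the match, which
    is exactly why omitting 'from <cidr>' can remove the wrong rule.
    """
    for i, r in enumerate(rules):
        if r.ip_version != ip_version or r.priority != priority or r.table != table:
            continue
        if src is not None and r.src != str(ip_network(src, strict=False)):
            continue
        del rules[i]
        return r
    return None


def constructed_rules():
    """Constructed rule set: two IPv4 tenant subnets sharing priority 80000 /
    table 16, plus an IPv6 'from all' rule that must never be touched by 'ip -4'."""
    return [
        Rule(80000, 16, "10.0.0.0/24", 4),
        Rule(80000, 16, "10.0.1.0/24", 4),
        Rule(80000, 16, any_cidr(6), 6),
    ]


def simulate_port_removal(removed_subnet, use_cidr):
    """Delete the rule for one removed port and report what actually happened.

    Returns (cidr of the rule that was deleted, cidrs of the rules left behind).
    """
    rules = constructed_rules()
    gone = delete_rule(rules, 80000, 16, src=removed_subnet if use_cidr else None)
    return gone.src, [r.src for r in rules]


if __name__ == "__main__":
    # Removing the port on 10.0.1.0/24 without the cidr deletes the 10.0.0.0/24 rule.
    print(" ".join(rule_del_args(80000, 16)))
    print("without cidr:", simulate_port_removal("10.0.1.0/24", use_cidr=False))
    # With 'from 10.0.1.0/24' the correct rule is selected.
    print(" ".join(rule_del_args(80000, 16, src="10.0.1.0/24")))
    print("with cidr:   ", simulate_port_removal("10.0.1.0/24", use_cidr=True))
```

Running the block prints the two argument lists and the two outcomes; the first leaves the stale 10.0.1.0/24 rule in place, which is the state the bug report describes, while the second removes it. The ip_version filter in delete_rule is what lets a /0 address stand in for 'from all' without the IPv4 and IPv6 catch-alls colliding.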

** Tags added: in-stable-queens

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

  [dvr][fast-exit] incorrect policy rules get deleted when a distributed
  router has ports on multiple tenant networks
