Reviewed: https://review.openstack.org/559256
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fb9ec1afb6545def3130952008ee7f20dbaafd2c
Submitter: Zuul
Branch: stable/queens

commit fb9ec1afb6545def3130952008ee7f20dbaafd2c
Author: Dmitrii Shcherbakov <[email protected]>
Date: Thu Mar 29 17:32:01 2018 -0400

    Use cidr during tenant network rule deletion

    If a distributed router has interfaces on multiple tenant networks,
    with 'fast exit' functionality policy based rules are created in
    qrouter namespace for every tenant network subnet and 'from <cidr>' is
    included into an 'ip rule' command invocation.

    When a port on a tenant network is deleted 'from <cidr>' part is not
    included and a first rule matching specified parameters gets deleted.

    For example with the following layout

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
    0: from all lookup local
    32766: from all lookup main
    32767: from all lookup default
    80000: from 192.168.100.0/24 lookup 16
    80000: from 192.168.200.0/24 lookup 16

    and neutron l3 agent will use this command

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule\
     del priority 80000 table 16 type unicast

    and 192.168.100.0/24 rule will get deleted even if you actually removed
    a port on 192.168.200.0.

    This results in an extra rule present and not cleaned up and the right
    rule removed. It is only recreated if a router is disabled and enabled
    again.

    additional changes:

    1) Floating IP rules are identified by priority only as implemented
    currently - for this reason this change adds fixed_ip to the rule
    removal code. Rule priorities are 32-bit values in iproute2 so, in
    theory, those should not be used to cover IPv6.

    2) IP protocol information for 'from all' rules is currently derived
    from link-local address IP version. The same approach is preserved by
    using version-specific /0 addresses without changing the API provided
    by ip_lib.

    Change-Id: I0ea6dddd26e17771be223a1fbdf21792c90f3e9c
    Closes-Bug: #1759956
    (cherry picked from commit 81db328b2df08f2b4adcc80104cf05ad8966c019)

** Tags added: in-stable-queens

https://bugs.launchpad.net/bugs/1759956

Title:
  [dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks
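
The first-match deletion described in the commit message above, as an added example that is not part of the original notification and is not neutron or iproute2 code. It is a simplified Python model of the rule table from the commit message; the function names and the "first rule matching every given selector is removed" model are assumptions made for illustration.

```python
# Simplified model of rule deletion: the first rule whose fields equal every
# selector passed in is removed. Assumption for illustration, following the
# behaviour the commit message describes; not neutron or iproute2 code.

def parse_rules(text):
    """Parse 'ip rule' lines such as '80000: from 192.168.100.0/24 lookup 16'."""
    rules = []
    for line in text.strip().splitlines():
        prio, rest = line.split(":", 1)
        tokens = rest.split()
        rules.append({"priority": int(prio),
                      "from": tokens[tokens.index("from") + 1],
                      "table": tokens[tokens.index("lookup") + 1]})
    return rules

def delete_rule(rules, **selectors):
    """Remove and return the first rule matching all selectors (None if none)."""
    for i, rule in enumerate(rules):
        if all(rule[k] == v for k, v in selectors.items()):
            return rules.pop(i)
    return None

# Rule table copied from the example layout in the commit message.
LAYOUT = """
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
80000: from 192.168.100.0/24 lookup 16
80000: from 192.168.200.0/24 lookup 16
"""

def remaining_sources(removed_cidr, use_cidr):
    """Delete the rule for removed_cidr; return 'from' values left in table 16."""
    rules = parse_rules(LAYOUT)
    selectors = {"priority": 80000, "table": "16"}
    if use_cidr:
        selectors["from"] = removed_cidr  # the fix: include 'from <cidr>'
    delete_rule(rules, **selectors)
    return [r["from"] for r in rules if r["table"] == "16"]

if __name__ == "__main__":
    # A port on 192.168.200.0/24 is removed.
    print("without cidr:", remaining_sources("192.168.200.0/24", use_cidr=False))
    print("with cidr:   ", remaining_sources("192.168.200.0/24", use_cidr=True))
```

Without the CIDR selector the rule left behind is the stale one for the network whose port was removed, which is a useful thing to check for when auditing a qrouter namespace after port deletions.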
