** Description changed:

- Ubuntu Groovy (20.10)
- kernel 5.8.0-20-generic
- neutron-linuxbridge-agent: 2:17.0.0~git2020091014.215a541bd4-0ubuntu1
- iptables: 1.8.5-3ubuntu1 (nf_tables)
- iptables-restore points to xtables-nft-multi
+ [Impact]
- After upgrading iptables from 1.8.4 to 1.8.5 and rebooting the neutron network node, neutron-linuxbridge-agent didn't properly start anymore.
+ With iptables 1.8.5 neutron-linuxbridge-agent fails to properly start.
+ The log file shows many errors like:
  2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed
- Downgrading iptables to 1.8.4 solves the problem.
-
- Trying to do what the linuxbridge agent does:
- 2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent *filter
- 2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent :FORWARD - [0:0]
-
- shows that
+ This can be demonstrated with a simple test case:
  iptables-restore <<EOF
  *filter
  :INPUT - [0:0]
  COMMIT
  EOF
- works fine with iptables 1.8.4 but fails with 1.8.5
+ This fails with iptables 1.8.5 and is a known upstream bug that was
+ subsequently fixed in upstream commit
+ https://git.netfilter.org/iptables/commit/?id=0bd7a8eaf3582159490ab355b1217a4e42ed021f
+
+ As such, neutron-linuxbridge-agent is not able to be used successfully
+ on groovy. This fix to iptables is required to allow neutron-
+ linuxbridge-agent to successfully run.
+
+ In hirsute, iptables 1.8.5-3ubuntu3 has been uploaded which fixes this
+ bug by backporting the upstream fix from commit
+ 0bd7a8eaf3582159490ab355b1217a4e42ed021f above. This is currently
+ sitting in hirsute-proposed waiting for autopkgtests to complete to
+ finish migration.
+
+ For groovy, iptables 1.8.5-3ubuntu2.20.10.1 is sitting in Unapproved and
+ is the subject of this SRU (this is simply 1.8.5-3ubuntu3 packaged for
+ groovy)
+
+ [Test Case]
+
+ This can be reproduced by the test case.
- Workaround
+ [Regression Potential]
- It seems neutron-linuxbridge agent tries to create the default chains (like INPUT) with a "-" as policy. By making sure the chains already exist (and are shown with iptables-save) the agent doesn't try to create those default chains and the agent starts fine.
- So just running:
- sudo iptables -F OUTPUT
- sudo iptables -F OUTPUT -t raw
- sudo ip6tables -F OUTPUT
- sudo ip6tables -F OUTPUT -t raw
+ * This is a low risk update since it only affects the behaviour when a
+ policy of '-' is specified and so does not affect any users of iptables
+ that specify an explicit policy (like ACCEPT, REJECT etc). Since this
+ '-' behaviour is currently broken it has a very low chance of causing a
+ regression as it does not affect any code paths that use an explicit
+ policy.
- is enough to get neutron-linuxbridge-agent working with iptables 1.8.5.
+ * In the event of a regression, iptables can be reverted back to a
+ rebuild of 1.8.5-3ubuntu1 by simply backing out this patch.
+
+ [Other Info]
+
+ * Details regarding an explicit test verification of neutron-linuxbridge-agent will be added soon.
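The [Test Case] above feeds a builtin chain with policy '-' to iptables-restore on the live system, which either modifies the node's filter table or (on an affected 1.8.5) fails. The script below is an added example, not part of the bug report or of the iptables or neutron packages: it runs the same minimal ruleset, plus a control ruleset with an explicit ACCEPT policy, through `iptables-restore` inside a throwaway user+network namespace, so the host firewall is never touched and no sudo is needed. It assumes util-linux `unshare` is installed, that the kernel allows unprivileged user namespaces, and that the nf_tables modules are already loaded on the host (an unprivileged namespace cannot load them). When any of that is missing the check reports "unknown" rather than misreporting the bug.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether the installed
# iptables-restore accepts a builtin chain declared with policy '-', the
# pattern neutron-linuxbridge-agent emits and the one iptables 1.8.5-3ubuntu1
# rejects. Everything runs in a fresh user+net namespace (unshare -rn), so the
# host ruleset is never modified. Assumes util-linux `unshare` and a kernel that
# permits unprivileged user namespaces; otherwise the result is "unknown".

# Minimal ruleset from the bug report: builtin chain INPUT with policy '-'.
dash_policy_ruleset() {
    printf '%s\n' '*filter' ':INPUT - [0:0]' 'COMMIT'
}

# Control ruleset with an explicit policy; accepted by both 1.8.4 and 1.8.5.
# If even this fails, the environment is the problem, not the '-' handling.
accept_policy_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' 'COMMIT'
}

# Feed the ruleset produced by the function named in $1 to iptables-restore
# inside a scratch namespace.
#   returns 0  ruleset accepted
#   returns 1  iptables-restore rejected it
#   returns 2  check could not run (no iptables-restore, no unshare, or
#              namespaces disallowed by the kernel/sandbox)
restore_in_scratch_netns() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    command -v unshare >/dev/null 2>&1 || return 2
    # Probe namespace creation separately so a seccomp/sysctl restriction is
    # not mistaken for the iptables bug.
    unshare -rn true >/dev/null 2>&1 || return 2
    if "$1" | unshare -rn iptables-restore >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print one word:
#   fixed     '-' policy accepted (1.8.4, or 1.8.5 with the backported fix)
#   affected  explicit policy works but '-' is rejected (1.8.5-3ubuntu1 behaviour)
#   unknown   the check could not be carried out in this environment
classify_iptables_restore() {
    ctrl=0
    restore_in_scratch_netns accept_policy_ruleset || ctrl=$?
    dash=0
    restore_in_scratch_netns dash_policy_ruleset || dash=$?
    if [ "$dash" -eq 0 ]; then
        echo fixed
    elif [ "$dash" -eq 1 ] && [ "$ctrl" -eq 0 ]; then
        echo affected
    else
        echo unknown
    fi
}

classify_iptables_restore
```

Run it on the network node before and after installing the proposed iptables package: "affected" before and "fixed" after is the expected transition. If the script prints "unknown" in a container that blocks `unshare -rn`, run the same two rulesets as root in a dedicated namespace created with `ip netns add`, which gives the same isolation from the host ruleset.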
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1898547

Title:
  neutron-linuxbridge-agent fails to start with iptables 1.8.5