Public bug reported:

Lots of messages like these can be seen in normal operation:

2015-02-12 20:03:28.775 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:19.873 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.
2015-02-12 20:12:21.742 ERROR neutron.agent.linux.iptables_firewall [req-62cbc788-0fd6-409b-bd52-23634a71b60e None None] Tried to generate an ipset iptable rule for a security group rule ({u'ethertype': u'IPv6', u'direction': u'ingress', u'remote_group_id': u'bead9cb2-9c74-4e21-b219-b70530683193'}) referencing an ipset (IPv6bead9cb2-9c74-4e21-b219) which doesn't exist yet.

The logic of this log message is broken and should be removed, because we can actually generate an iptable rule referencing a set which doesn't exist yet, as long as we don't try to push the iptables before creating the sets, in which case iptables-restore would fail, and that's ok enough.

I will submit a patch to remove the message logic.

** Affects: neutron
     Importance: Undecided
     Assignee: Miguel Angel Ajo (mangelajo)
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1421772

Title:
  neutron-openvswitch-agent says Tried to generate an ipset iptable rule for a security group rule even in normal operation

Status in OpenStack Neutron (virtual network service):
  New
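The ordering constraint described in the report (rules may be generated before the set exists, but must not be pushed until it does) can be checked on the generated iptables-restore input itself. The following is an added example, not part of the original report and not Neutron code; the function names, chain names and the IPv4 set name are assumptions made for illustration.

```python
import re

# "-m set --match-set <name> src|dst" as it appears in iptables-restore input.
MATCH_SET_RE = re.compile(r"--match-set\s+(\S+)\s+(?:src|dst)")

# Constructed sample: the chain name and the IPv4 set are made up; the IPv6
# set name is the one shown in the log lines of the report.
SAMPLE_RESTORE = """\
*filter
:example-ingress - [0:0]
-A example-ingress -m set --match-set IPv6bead9cb2-9c74-4e21-b219 src -j RETURN
-A example-ingress -p tcp -m set --match-set IPv4-constructed-set src -j RETURN
-A example-ingress -j DROP
COMMIT
"""


def referenced_sets(restore_input):
    """Map each ipset name referenced by an -A rule to the rules using it."""
    refs = {}
    for line in restore_input.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # table headers, chain declarations, COMMIT, comments
        for name in MATCH_SET_RE.findall(line):
            refs.setdefault(name, []).append(line)
    return refs


def missing_sets(restore_input, existing_sets):
    """Sorted names of sets the rules reference but that do not exist yet.

    existing_sets: names already created on the host, for example the
    output of `ipset list -n` split into lines.
    """
    return sorted(set(referenced_sets(restore_input)) - set(existing_sets))


def safe_to_push(restore_input, existing_sets):
    """True when every referenced set exists, so iptables-restore can load it."""
    return not missing_sets(restore_input, existing_sets)


if __name__ == "__main__":
    # Generation time: no sets yet. This is the normal state the report describes.
    print("missing before set creation:", missing_sets(SAMPLE_RESTORE, []))
    created = ["IPv6bead9cb2-9c74-4e21-b219", "IPv4-constructed-set"]
    print("safe to push after creation:", safe_to_push(SAMPLE_RESTORE, created))
```

Running the check at push time rather than at rule-generation time keeps a missing set from being reported as an error while the rules are only being built.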