Public bug reported:

The fallback accept rule in the iptables rule generation is added after every port. This would normally break the filtering since none of the ports would make it beyond the ACCEPT, but we have duplicate rule removal logic that just happens to get rid of the extras right before they are applied.[1]

Fortunately this is not a user-impacting bug right now (by accident), but it is a performance waste and a bug waiting to happen.

1. https://github.com/openstack/neutron/blob/e805d7a73a30ebaf194326e1de56cebb04137274/neutron/agent/linux/iptables_manager.py#L640

** Affects: neutron
     Importance: Undecided
     Assignee: Kevin Benton (kevinbenton)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Kevin Benton (kevinbenton)

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1502906

Title:
  fallback accept rule in iptables is added after every port

Status in neutron:
  New
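The ordering problem the report describes, as an added simulation that is not neutron's code and not taken from the bug: a hypothetical rule generator that appends the fallback ACCEPT after every port (the reported behaviour) next to one that appends it once, a duplicate filter that keeps the last occurrence of a rule (an assumption made here, since keeping the last copy is what leaves a single ACCEPT at the end and matches the report's "happens to work"), a keep-first variant to show why that masking is fragile, and a first-match walker standing in for how iptables evaluates a chain. The port addresses and per-port rules are constructed sample data.

```python
"""Simulation of the fallback-ACCEPT ordering bug (constructed example).

Not neutron's code: the generator, the duplicate filter and the chain walker
are all hypothetical stand-ins chosen to make the ordering effect visible.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One chain entry: match on source IP and/or TCP dport, then jump."""
    src: Optional[str]      # source address to match; None matches any
    dport: Optional[int]    # TCP destination port to match; None matches any
    target: str             # "ACCEPT" or "DROP"


# The fallback rule the report talks about: anything not claimed by a
# managed port is accepted.
FALLBACK = Rule(None, None, "ACCEPT")

# Constructed sample: two ports, each allowed only SSH from its own address.
PORTS: Dict[str, str] = {
    "port-1": "10.0.0.11",
    "port-2": "10.0.0.12",
}


def port_rules(ip: str) -> List[Rule]:
    """Per-port policy: allow SSH from the port's address, drop the rest."""
    return [Rule(ip, 22, "ACCEPT"), Rule(ip, None, "DROP")]


def generate_buggy(ports: Dict[str, str]) -> List[Rule]:
    """Reported behaviour: the fallback is appended after *every* port."""
    rules: List[Rule] = []
    for ip in ports.values():
        rules.extend(port_rules(ip))
        rules.append(FALLBACK)  # extra copy per port
    return rules


def generate_fixed(ports: Dict[str, str]) -> List[Rule]:
    """Intended behaviour: all port rules first, one fallback at the end."""
    rules: List[Rule] = []
    for ip in ports.values():
        rules.extend(port_rules(ip))
    rules.append(FALLBACK)
    return rules


def dedup_keep_last(rules: List[Rule]) -> List[Rule]:
    """Drop duplicate rules, keeping the last occurrence (assumed behaviour
    of the duplicate-removal step that currently masks the bug)."""
    seen = set()
    kept: List[Rule] = []
    for rule in reversed(rules):
        if rule in seen:
            continue
        seen.add(rule)
        kept.append(rule)
    kept.reverse()
    return kept


def dedup_keep_first(rules: List[Rule]) -> List[Rule]:
    """Same filter but keeping the first occurrence: a plausible future
    refactor that would expose the bug."""
    seen = set()
    kept: List[Rule] = []
    for rule in rules:
        if rule not in seen:
            seen.add(rule)
            kept.append(rule)
    return kept


def evaluate(rules: List[Rule], src: str, dport: int) -> str:
    """First-match walk of the chain, as iptables does; 'RETURN' if no rule hits."""
    for rule in rules:
        src_ok = rule.src is None or rule.src == src
        port_ok = rule.dport is None or rule.dport == dport
        if src_ok and port_ok:
            return rule.target
    return "RETURN"


if __name__ == "__main__":
    # HTTP from port-2's address must be dropped by port-2's own rules.
    for name, chain in [
        ("buggy, no dedup", generate_buggy(PORTS)),
        ("buggy + keep-last dedup", dedup_keep_last(generate_buggy(PORTS))),
        ("buggy + keep-first dedup", dedup_keep_first(generate_buggy(PORTS))),
        ("fixed", generate_fixed(PORTS)),
    ]:
        print(f"{name:26s} rules={len(chain)} verdict={evaluate(chain, '10.0.0.12', 80)}")
```

Run as a script, the table shows the buggy chain accepting the packet that port-2's DROP rule should have caught, the keep-last filter restoring the correct verdict only because it happens to discard every ACCEPT except the final one, the keep-first filter breaking filtering, and the fixed generator producing the same chain as the deduplicated buggy one with fewer rules to filter.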

