Public bug reported:

hi,

When switching the fw engine from iptables to openvswitch and restarting the
agent, the old iptables rules are not flushed. One has to clean that up
by hand or reboot. This is not documented anywhere afaik and it gives
very tricky issues that are hard to detect.


#### OVS with FW = openvswitch
# iptables -L | grep neutron
< returns nothing >

#### switching to FW = iptables and restart agent
# iptables -S | grep neutron
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP


#### switching back to FW = ovs and restarting the agent, the iptables rules are still there
# iptables -S | grep neutron
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP

########### Expected behavior #############
The agent should check what FW engine is used and check if there is something
to clean up, i.e.:
if config fw = ovs, check and clean up iptables
if config fw = iptables, check and clean up ovs fw flows

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1864374

Title:
  ml2 ovs does not flush iptables switching to FW ovs

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1864374/+subscriptions
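The "expected behavior" in the report describes a check the agent could make: read the configured firewall_driver and remove whatever the other driver left behind. The following is an added example, not from the bug report and not Neutron's own code, that does the iptables half of that as an operator-side tool: it parses `iptables -S` output (the built-in sample is constructed from the rules quoted in the report), finds chains carrying the neutron- prefix, and emits the -D/-F/-X sequence in the order iptables accepts (unhook, flush, delete). The `[securitygroup] firewall_driver` option with values `openvswitch` / `iptables_hybrid` is the real agent setting; the `neutron-` chain prefix is taken from the report's output; the `--live`, `--apply` and `--config` flags are this example's own. The OVS-flow half (stale flows after switching to iptables_hybrid) is not covered here.

```python
"""Find Neutron iptables chains left behind after the ML2 OVS agent's
firewall_driver was switched, and plan the commands that remove them.

Added example, not part of the bug report and not Neutron's own code.
Assumptions: the agent config carries [securitygroup] firewall_driver
("openvswitch" or "iptables_hybrid"), and every chain the iptables driver
creates is named with the "neutron-" prefix, as in the report's output.
"""
import configparser
import shlex
import subprocess

CHAIN_PREFIX = "neutron-"

# Constructed sample: agent config after switching back to the native OVS firewall.
SAMPLE_CONFIG = """
[securitygroup]
firewall_driver = openvswitch
"""

# Constructed from the `iptables -S | grep neutron` output quoted in the report.
SAMPLE_IPTABLES_S = """\
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
"""


def detect_firewall_driver(config_text):
    """Return the configured firewall_driver, or "" if the option is absent."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp.get("securitygroup", "firewall_driver", fallback="").strip()


def parse_iptables_save(text):
    """Split `iptables -S` output into chain names and rule token lists."""
    chains, rules = [], []
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps quoted --comment strings as one token
        if len(tokens) >= 2 and tokens[0] == "-N":
            chains.append(tokens[1])
        elif len(tokens) >= 2 and tokens[0] == "-A":
            rules.append(tokens)
    return chains, rules


def stale_chains(text, prefix=CHAIN_PREFIX):
    """Chains the iptables driver created, identified by their name prefix."""
    chains, _ = parse_iptables_save(text)
    return [c for c in chains if c.startswith(prefix)]


def plan_iptables_cleanup(text, prefix=CHAIN_PREFIX):
    """Return iptables argv lists that remove every prefixed chain.

    Order matters: iptables refuses -X on a chain that is still referenced,
    so first delete the jumps from the built-in chains, then flush the
    prefixed chains (which drops their references to each other), then
    delete the now-empty chains.
    """
    chains, rules = parse_iptables_save(text)
    stale = [c for c in chains if c.startswith(prefix)]
    plan = []
    for tokens in rules:
        chain = tokens[1]
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if not chain.startswith(prefix) and target in stale:
            plan.append(["iptables", "-D"] + tokens[1:])  # "-A X ..." -> "-D X ..."
    plan += [["iptables", "-F", c] for c in stale]
    plan += [["iptables", "-X", c] for c in stale]
    return plan


def needs_cleanup(driver, iptables_text, prefix=CHAIN_PREFIX):
    """True when the native OVS firewall is configured but iptables chains remain."""
    return driver == "openvswitch" and bool(stale_chains(iptables_text, prefix))


def main(argv):
    # --live reads the host ruleset; --apply executes the plan; --config PATH
    # reads a real agent config. Without flags this is an offline dry run.
    live, apply_ = "--live" in argv, "--apply" in argv
    cfg_text = SAMPLE_CONFIG
    if "--config" in argv:
        with open(argv[argv.index("--config") + 1]) as fh:
            cfg_text = fh.read()
    text = (subprocess.run(["iptables", "-S"], check=True, capture_output=True,
                           text=True).stdout if live else SAMPLE_IPTABLES_S)
    driver = detect_firewall_driver(cfg_text)
    if not needs_cleanup(driver, text):
        print(f"firewall_driver={driver!r}: nothing to clean up")
        return 0
    for cmd in plan_iptables_cleanup(text):
        print(shlex.join(cmd))
        if apply_:
            subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    import sys
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the 19 commands the sample ruleset produces (5 unhooks, 7 flushes, 7 deletes); `--live` replaces the sample with the host's `iptables -S`, and `--apply` is what actually changes the ruleset. The prefix match is what makes the check safe to run on a node that also carries non-Neutron rules: only chains named `neutron-*` and the jumps into them are touched.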

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
