Public bug reported: Iptables rules are lost in router namespace on restart of l3 agent.

Rules before restarting L3 agent:

ip netns exec qrouter-b764e745-adfe-4f31-b0f7-dc68e4468b37 iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-INPUT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-accepted
-N neutron-l3-agent-dropped
-N neutron-l3-agent-fwaas-defau
-N neutron-l3-agent-iv4d0588aa2
-N neutron-l3-agent-local
-N neutron-l3-agent-ov4d0588aa2
-N neutron-l3-agent-rejected
-N neutron-l3-agent-scope
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-iv4d0588aa2
-A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-ov4d0588aa2
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -j DROP
-A neutron-l3-agent-fwaas-defau -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4d0588aa2 -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-iv4d0588aa2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4d0588aa2 -p tcp -m tcp --dport 22 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -m state --state INVALID -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4d0588aa2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov4d0588aa2 -p icmp -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -d 10.40.95.125/32 -p tcp -m tcp --dport 53 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -d 10.40.95.125/32 -p udp -m udp --dport 53 -j neutron-l3-agent-accepted
-A neutron-l3-agent-ov4d0588aa2 -d 10.0.0.0/8 -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4d0588aa2 -d 172.16.0.0/12 -j neutron-l3-agent-dropped
-A neutron-l3-agent-ov4d0588aa2 -d 192.168.0.0/16 -j neutron-l3-agent-dropped
-A neutron-l3-agent-rejected -j REJECT --reject-with icmp-port-unreachable
-A neutron-l3-agent-scope -o qr-e3cb6269-3b -m mark ! --mark 0x4000000/0xffff0000 -j DROP

Rules after restart:

ip netns exec qrouter-b764e745-adfe-4f31-b0f7-dc68e4468b37 iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-INPUT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-local
-N neutron-l3-agent-scope
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-scope -o qr-e3cb6269-3b -m mark ! --mark 0x4000000/0xffff0000 -j DROP

Name: neutron-fwaas
Version: 16.0.1.dev3
Summary: OpenStack Networking FWaaS
Home-page: https://docs.openstack.org/neutron-fwaas/latest/
Author: OpenStack
Author-email: [email protected]
License: UNKNOWN
Location: /openstack/venvs/neutron-21.2.9/lib/python3.8/site-packages
Requires: neutron-lib, neutron, eventlet, oslo.config, pyroute2, os-ken, netaddr, six, oslo.db, oslo.log, oslo.utils, oslo.privsep, pyzmq, pbr, alembic, SQLAlchemy, oslo.messaging, oslo.service
Required-by:

** Affects: neutron
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/1973035
Title: FWaaS rules lost on l3 agent restart
Status in neutron: New
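The two listings show the security-relevant effect of the bug: after the restart the per-firewall-group iv4/ov4 chains and the FORWARD jumps into them are gone while the FORWARD policy is still ACCEPT, so routed traffic passes the router unfiltered. The following added example (not part of the bug report or of neutron-fwaas) diffs two `iptables -S` captures from a router namespace and reports that condition; the sample listings are constructed, trimmed excerpts of the report's output.

```python
import re

# Chains the neutron-fwaas iptables driver adds in the qrouter namespace (names from the report).
FWAAS_CHAIN_RE = re.compile(r"^neutron-l3-agent-(iv4|ov4|fwaas-defau|accepted|dropped|rejected)")

def parse_iptables_s(text):
    """Split `iptables -S` output into (built-in policies, user chains, -A rules)."""
    policies, chains, rules = {}, set(), []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-P "):
            policies[line.split()[1]] = line.split()[2]
        elif line.startswith("-N "):
            chains.add(line[3:])
        elif line.startswith("-A "):
            rules.append(line)
    return policies, chains, rules

def forward_is_filtered(rules):
    """True while FORWARD still jumps into a per-firewall-group iv4/ov4 chain."""
    return any(r.startswith("-A neutron-l3-agent-FORWARD ") and
               re.search(r"-j neutron-l3-agent-[io]v4", r) for r in rules)

def lost_fwaas_state(before, after):
    """FWaaS chains/rules present before the restart but missing afterwards."""
    _, b_chains, b_rules = parse_iptables_s(before)
    a_pol, a_chains, a_rules = parse_iptables_s(after)
    return {
        "lost_chains": sorted(c for c in b_chains - a_chains if FWAAS_CHAIN_RE.match(c)),
        "lost_rules": [r for r in b_rules if r not in a_rules],
        # With the jumps gone the built-in policy decides: ACCEPT means unfiltered routing.
        "forward_unfiltered": a_pol.get("FORWARD") == "ACCEPT" and not forward_is_filtered(a_rules),
    }

# Constructed excerpts of the report's two listings, trimmed to the relevant lines.
BEFORE = """\
-P FORWARD ACCEPT
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-iv4d0588aa2
-N neutron-l3-agent-ov4d0588aa2
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-e3cb6269-3b -j neutron-l3-agent-iv4d0588aa2
-A neutron-l3-agent-FORWARD -i qr-e3cb6269-3b -j neutron-l3-agent-ov4d0588aa2
-A neutron-l3-agent-iv4d0588aa2 -p tcp -m tcp --dport 22 -j neutron-l3-agent-accepted
"""
AFTER = """\
-P FORWARD ACCEPT
-N neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
"""
```

Running `lost_fwaas_state` against captures taken before and after an agent restart (for example from a post-restart health check) flags routers whose firewall-group chains did not come back.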

