Reviewed:  https://review.opendev.org/c/openstack/neutron/+/768322
Committed: https://opendev.org/openstack/neutron/commit/08032e9cc65fe79a53a217b6f061af745ee374b8
Submitter: "Zuul (22348)"
Branch:    master

commit 08032e9cc65fe79a53a217b6f061af745ee374b8
Author: shenjiatong <[email protected]>
Date:   Tue Dec 22 09:01:50 2020 +0800

    Allow neutron managed ports to bypass PREROUTING chain

    When deployed with k8s, k8s service types like NodePort or ExternalIP
    will affect vm traffic on nat table's PREROUTING chain. This PS tries
    to mitigate the effect by allowing vm traffic to bypass those rules.

    Change-Id: Iae12d9c2f37bc0fca9c3d5e85e46c642263e4a77
    Closes-Bug: #1908957

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1908957

Title:
  iptable rules collision deployed with k8s iptables kube-proxy enabled

Status in neutron:
  Fix Released

Bug description:
  Maybe it's a k8s kube-proxy related bug, but maybe it is easier to solve
  on neutron's side...

  In k8s either NodePort or ExternalIP will generate iptable rules which
  will affect vm traffic when the hybrid iptables plugin is enabled.

  The problem is:

  Chain PREROUTING (policy ACCEPT 650 packets, 65873 bytes)
   pkts bytes target        prot opt in  out  source     destination
   560K   37M ACCEPT        all  --  *   *    0.0.0.0/0  0.0.0.0/0   PHYSDEV match --physdev-is-in
    56M 4944M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */
    40M 3785M KUBE-SERVICES all  --  *   *    0.0.0.0/0  0.0.0.0/0   /* kubernetes service portals */

  And packets will be DNATed to something which we do not want, and such
  traffic will be dropped in the end.

  By adding the following rule, it seems the problem is mitigated:

  iptables -t nat -I PREROUTING 2 -m physdev --physdev-is-in -j ACCEPT

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1908957/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
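The rule-ordering problem in the report can be checked on a host before and after the mitigation. The shell function below is an added example, not part of the neutron change or the bug report; it reads a rule listing in "iptables -t nat -S PREROUTING" format from stdin and works on constructed sample listings so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the neutron change or the bug report.
# Checks whether the physdev bypass rule (ACCEPT for --physdev-is-in) precedes
# every KUBE-SERVICES jump in the nat PREROUTING chain. Input: rule listing in
# `iptables -t nat -S PREROUTING` format on stdin. Exit 0 when bridged vm
# traffic bypasses kube-proxy's rules, 1 when it would still hit them.
check_prerouting_bypass() {
    awk '
        /^-A PREROUTING / { n++ }
        /--physdev-is-in/ && /-j ACCEPT/ && !bypass { bypass = n }
        /-j KUBE-SERVICES/ && !kube { kube = n }
        END {
            if (kube == 0) {
                print "ok: no KUBE-SERVICES jump in nat PREROUTING"; exit 0
            }
            if (bypass != 0 && bypass < kube) {
                print "ok: physdev bypass at rule " bypass ", first KUBE-SERVICES at " kube
                exit 0
            }
            # Same remedy as the bug report: insert the bypass ahead of the
            # first KUBE-SERVICES jump (position reported by kube).
            print "collision: first KUBE-SERVICES jump at rule " kube " is reached by bridged vm traffic"
            print "suggested: iptables -t nat -I PREROUTING " kube " -m physdev --physdev-is-in -j ACCEPT"
            exit 1
        }'
}

# Constructed sample: only kube-proxy rules in PREROUTING (the bug situation).
BROKEN_RULES='-P PREROUTING ACCEPT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES'

# Constructed sample: after the bypass rule has been inserted ahead of them.
FIXED_RULES='-P PREROUTING ACCEPT
-A PREROUTING -m physdev --physdev-is-in -j ACCEPT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES'

# On a live host: iptables -t nat -S PREROUTING | check_prerouting_bypass
printf '%s\n' "$BROKEN_RULES" | check_prerouting_bypass || true   # reports collision
printf '%s\n' "$FIXED_RULES" | check_prerouting_bypass            # reports ok
```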

