Reviewed:  https://review.opendev.org/c/openstack/neutron/+/911957
Committed: https://opendev.org/openstack/neutron/commit/46245c015403c5770d2bd9b6d08f52f89fd6aa40
Submitter: "Zuul (22348)"
Branch:    master

commit 46245c015403c5770d2bd9b6d08f52f89fd6aa40
Author: Brian Haley <[email protected]>
Date:   Thu Mar 7 14:00:21 2024 -0500

    Add note on iptables cleanup after OVS firewall migration

    Add an item to the instructions on iptables to OVS firewall migration
    that the admin should clean up any stale iptables rules after
    completion. It is out of scope of our documents on how exactly an
    administrator might do that.

    Closes-bug: #1864374
    Change-Id: Ie1bf6b82e57a00f61640a131a29d897a9cde4629

** Changed in: neutron
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1864374

Title:
  ml2 ovs does not flush iptables switching to FW ovs

Status in neutron:
  Fix Released

Bug description:
  hi,

  When switching fw engine from iptables to openvswitch and restarting
  the agent, the old iptables rules are not flushed. One has to clean
  that up by hand or reboot. This is not documented anywhere afaik and
  it gives very tricky issues that are hard to detect.

  #### OVS with FW = openvswitch

  # iptables -L | grep neutron
  < returns nothing >

  #### switching to FW = iptables and restart agent

  # iptables -S | grep neutron
  -N neutron-filter-top
  -N neutron-openvswi-FORWARD
  -N neutron-openvswi-INPUT
  -N neutron-openvswi-OUTPUT
  -N neutron-openvswi-local
  -N neutron-openvswi-sg-chain
  -N neutron-openvswi-sg-fallback
  -A INPUT -j neutron-openvswi-INPUT
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-openvswi-FORWARD
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-openvswi-OUTPUT
  -A neutron-filter-top -j neutron-openvswi-local
  -A neutron-openvswi-FORWARD -m physdev --physdev-out tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-FORWARD -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-INPUT -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-sg-chain -j ACCEPT
  -A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP

  #### switching back to FW = ovs and restarting the agent, the iptables rules are still there

  # iptables -S | grep neutron
  -N neutron-filter-top
  -N neutron-openvswi-FORWARD
  -N neutron-openvswi-INPUT
  -N neutron-openvswi-OUTPUT
  -N neutron-openvswi-local
  -N neutron-openvswi-sg-chain
  -N neutron-openvswi-sg-fallback
  -A INPUT -j neutron-openvswi-INPUT
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-openvswi-FORWARD
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-openvswi-OUTPUT
  -A neutron-filter-top -j neutron-openvswi-local
  -A neutron-openvswi-FORWARD -m physdev --physdev-out tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-FORWARD -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-INPUT -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-openvswi-sg-chain -j ACCEPT
  -A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP

  ########### Expected behavior #############

  The agent should check what FW engine is used and check if there is
  something to clean up, i.e.

    if config fw = ovs, check and clean up iptables
    if config fw = iptables, check and clean up ovs fw flows

--
Mailing list: https://launchpad.net/~yahoo-eng-team
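The fix above only documents that an administrator should clean up stale rules; it deliberately does not say how. The following is an added example, not neutron's code and not the cleanup the project ships: a POSIX shell script that does the "check" half of the expected behaviour from the report. It reads `iptables -S` output, lists the chains neutron created, and prints (never runs) the `iptables` commands that would remove them in an order iptables accepts: detach the jumps from the built-in INPUT/FORWARD/OUTPUT chains first, then flush every neutron chain, then delete them (a chain that is still referenced or non-empty cannot be deleted). The sample rule set is constructed from the output quoted in the report, with the usual `-P` policy lines added so the parser is shown skipping them; the driver names `openvswitch` and `iptables_hybrid` are the values of the OVS agent's `[securitygroup] firewall_driver` option. Leaving these chains behind is not harmless: the report shows a trailing "Default drop rule" in `neutron-openvswi-sg-fallback`, so stale iptables rules can silently drop or accept traffic the OVS firewall is supposed to be deciding on.

```shell
#!/bin/sh
# Added example (not neutron's own code): report neutron-managed iptables
# chains left behind after firewall_driver was switched to "openvswitch"
# and print a removal plan for the administrator to review. Read-only.

# Constructed sample: the `iptables -S` output quoted in the bug report,
# plus -P policy lines as real `iptables -S` output carries them.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tapc02b9364-d2 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP'

# Names of chains neutron created: "-N neutron-..." lines on stdin.
neutron_chains() {
    awk '$1 == "-N" && $2 ~ /^neutron-/ { print $2 }'
}

# Rules in built-in chains (INPUT/FORWARD/OUTPUT) that jump into a neutron
# chain, rewritten from "-A" to "-D" so they can be handed back to iptables.
# These must go first: iptables -X refuses to delete a referenced chain.
neutron_entry_jumps() {
    awk '$1 == "-A" && $2 !~ /^neutron-/ && $(NF-1) == "-j" && $NF ~ /^neutron-/ {
            sub(/^-A/, "-D"); print
         }'
}

# Print the full removal plan for the rule set on stdin, in safe order:
# 1. detach entry jumps, 2. flush each neutron chain (this also clears the
# neutron-to-neutron jumps such as neutron-filter-top -> neutron-openvswi-local),
# 3. delete each now-empty, unreferenced chain.
cleanup_plan() {
    rules=$(cat)
    printf '%s\n' "$rules" | neutron_entry_jumps | sed 's/^/iptables /'
    chains=$(printf '%s\n' "$rules" | neutron_chains)
    for c in $chains; do printf 'iptables -F %s\n' "$c"; done
    for c in $chains; do printf 'iptables -X %s\n' "$c"; done
}

# Exit 0 when the configured driver is "openvswitch" but neutron iptables
# chains are still present in the rule set on stdin (i.e. cleanup is due).
stale_for_driver() {
    count=$(neutron_chains | wc -l | tr -d ' ')
    if [ "$1" = "openvswitch" ] && [ "$count" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Usage: ./stale_neutron_iptables.sh          -> plan for the sample above
#        ./stale_neutron_iptables.sh --live   -> plan for this host (root)
if [ "${1:-}" = "--live" ]; then
    iptables -S | cleanup_plan
else
    printf '%s\n' "$SAMPLE_RULES" | cleanup_plan
fi
```

The script prints the plan rather than applying it because on a host that also runs the iptables_hybrid driver for some ports, or other iptables users, blindly deleting every `neutron-*` chain is the wrong move; an administrator should read the plan, confirm the agent is indeed running with `firewall_driver = openvswitch`, and only then feed the commands to iptables. Swapping the `-P`/`-N`/`-A` parsing for `ip6tables -S` output works unchanged, since the chain naming is the same.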

