OpenStack Compute (nova)

Non-wrapped iptables chains are not removed correctly

Bug #1037127 reported by Brian Haley on 2012-08-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Undecided	Brian Haley	OpenStack Compute (nova) 2012.2 "folsom"

Bug Description

I have written an out-of-tree module that makes calls into the IPtablesManager code to add/remove iptables chains and rules. In order to keep the chains "off the radar" for nova-compute (since it removes everything beginning with 'nova-compute'), and to keep the names pretty short (max 28 chars I think), I made them non-wrapped chains.

When I ran the code the first thing I noticed was that the chains never got removed when the iptables apply() code was called after I had done a remove_rule() call.

The best solution I found was to add an array of chains and rules to remove in each table, and iterate them at apply() time to guarantee they're gone.

I have a proposed patch I'll link to this in a bit.

Brian Haley (brian-haley) on 2012-08-15

Changed in nova:
assignee:	nobody → Brian Haley (brian-haley)

Revision history for this message

Brian Haley (brian-haley) wrote on 2012-08-15:

https://review.openstack.org/#/c/11300/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-08-16: Fix merged to nova (master)

Reviewed: https://review.openstack.org/11300
Committed: http://github.com/openstack/nova/commit/d141e64de98f4e7eb0493d8f0a631f071b6e6dc1
Submitter: Jenkins
Branch: master

commit d141e64de98f4e7eb0493d8f0a631f071b6e6dc1
Author: Brian Haley <email address hidden>
Date: Mon Aug 13 14:58:34 2012 -0400

Change IPtablesManager to preserve packet:byte counts.

    Modified IPtablesManager.apply() method to save/restore chain and
    rule packet:byte counts by using the '-c' flag with iptables-save
    and iptables-restore calls. Currently they are zeroed every time
    we change something in the table. This will allow users to better
    analyze usage for instances over an extended period of time, for
    example, for billing purposes.

Change all applicable iptables, libvirt and Xen tests to account
for the changes made to support the packet:byte counts.

This work uncovered two bugs in the existing implementation
found during my testing, specifically:

    1. Fix IptablesManager to clean-up non-wrapped chains correctly,
       instead of leaving them in the kernel's table. We now keep a
       list of chains and rules we need to remove, and double-check
       in apply() that they are filtered-out.

    2. Fix IptablesManager to honor "top=True" iptables rules by only
       adding non-top rules after we've gone through all the top rules
       first.

Implements first work item of blueprint libvirt-network-usage.

Fixes bug 1037127 and bug 1037137.

Change-Id: Ia5a11aabbfb45b6c16c8d94757eeaa2041785b60

Changed in nova:
status:	New → In Progress
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2012-08-16

Changed in nova:
milestone:	none → folsom-3
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-09-27

Changed in nova:
milestone:	folsom-3 → 2012.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.