[dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks

Fix proposed to branch: master
Review: https://review.openstack.org/557836

Reviewed: https://review.openstack.org/557836
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=81db328b2df08f2b4adcc80104cf05ad8966c019
Submitter: Zuul
Branch: master

commit 81db328b2df08f2b4adcc80104cf05ad8966c019
Author: Dmitrii Shcherbakov <email address hidden>
Date: Thu Mar 29 17:32:01 2018 -0400

    Use cidr during tenant network rule deletion

    If a distributed router has interfaces on multiple tenant networks, with
    'fast exit' functionality policy based rules are created in qrouter
    namespace for every tenant network subnet and 'from <cidr>' is included
    into an 'ip rule' command invocation.

    When a port on a tenant network is deleted 'from <cidr>' part is not
    included and a first rule matching specified parameters gets deleted.

    For example with the following layout

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
    0: from all lookup local
    32766: from all lookup main
    32767: from all lookup default
    80000: from 192.168.100.0/24 lookup 16
    80000: from 192.168.200.0/24 lookup 16

    and neutron l3 agent will use this command

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule\
    del priority 80000 table 16 type unicast

    and 192.168.100.0/24 rule will get deleted even if you actually removed
    a port on 192.168.200.0.

    This results in an extra rule present and not cleaned up and the right
    rule removed. It is only recreated if a router is disabled and enabled
    again.

    additional changes:

    1) Floating IP rules are identified by priority only as implemented
    currently - for this reason this change adds fixed_ip to the rule
    removal code. Rule priorities are 32-bit values in iproute2 so,
    in theory, those should be not be used to cover IPv6.

    2) IP protocol information for 'from all' rules is currently
    derived from link-local address IP version. The same approach
    is preserved by using version-specific /0 addresses without
    changing the API provided by ip_lib.

    Change-Id: I0ea6dddd26e17771be223a1fbdf21792c90f3e9c
    Closes-Bug: #1759956

Affects pike and queens UCA packages.

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/559256

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/559257

Reviewed: https://review.openstack.org/559256
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fb9ec1afb6545def3130952008ee7f20dbaafd2c
Submitter: Zuul
Branch: stable/queens

commit fb9ec1afb6545def3130952008ee7f20dbaafd2c
Author: Dmitrii Shcherbakov <email address hidden>
Date: Thu Mar 29 17:32:01 2018 -0400

    Use cidr during tenant network rule deletion

    If a distributed router has interfaces on multiple tenant networks, with
    'fast exit' functionality policy based rules are created in qrouter
    namespace for every tenant network subnet and 'from <cidr>' is included
    into an 'ip rule' command invocation.

    When a port on a tenant network is deleted 'from <cidr>' part is not
    included and a first rule matching specified parameters gets deleted.

    For example with the following layout

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
    0: from all lookup local
    32766: from all lookup main
    32767: from all lookup default
    80000: from 192.168.100.0/24 lookup 16
    80000: from 192.168.200.0/24 lookup 16

    and neutron l3 agent will use this command

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule\
    del priority 80000 table 16 type unicast

    and 192.168.100.0/24 rule will get deleted even if you actually removed
    a port on 192.168.200.0.

    This results in an extra rule present and not cleaned up and the right
    rule removed. It is only recreated if a router is disabled and enabled
    again.

    additional changes:

    1) Floating IP rules are identified by priority only as implemented
    currently - for this reason this change adds fixed_ip to the rule
    removal code. Rule priorities are 32-bit values in iproute2 so,
    in theory, those should be not be used to cover IPv6.

    2) IP protocol information for 'from all' rules is currently
    derived from link-local address IP version. The same approach
    is preserved by using version-specific /0 addresses without
    changing the API provided by ip_lib.

    Change-Id: I0ea6dddd26e17771be223a1fbdf21792c90f3e9c
    Closes-Bug: #1759956
    (cherry picked from commit 81db328b2df08f2b4adcc80104cf05ad8966c019)

Reviewed: https://review.openstack.org/559257
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0224dcfea4ffeaac6cbcec7464887e7538e49091
Submitter: Zuul
Branch: stable/pike

commit 0224dcfea4ffeaac6cbcec7464887e7538e49091
Author: Dmitrii Shcherbakov <email address hidden>
Date: Thu Mar 29 17:32:01 2018 -0400

    Use cidr during tenant network rule deletion

    If a distributed router has interfaces on multiple tenant networks, with
    'fast exit' functionality policy based rules are created in qrouter
    namespace for every tenant network subnet and 'from <cidr>' is included
    into an 'ip rule' command invocation.

    When a port on a tenant network is deleted 'from <cidr>' part is not
    included and a first rule matching specified parameters gets deleted.

    For example with the following layout

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
    0: from all lookup local
    32766: from all lookup main
    32767: from all lookup default
    80000: from 192.168.100.0/24 lookup 16
    80000: from 192.168.200.0/24 lookup 16

    and neutron l3 agent will use this command

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule\
    del priority 80000 table 16 type unicast

    and 192.168.100.0/24 rule will get deleted even if you actually removed
    a port on 192.168.200.0.

    This results in an extra rule present and not cleaned up and the right
    rule removed. It is only recreated if a router is disabled and enabled
    again.

    additional changes:

    1) Floating IP rules are identified by priority only as implemented
    currently - for this reason this change adds fixed_ip to the rule
    removal code. Rule priorities are 32-bit values in iproute2 so,
    in theory, those should be not be used to cover IPv6.

    2) IP protocol information for 'from all' rules is currently
    derived from link-local address IP version. The same approach
    is preserved by using version-specific /0 addresses without
    changing the API provided by ip_lib.

    Change-Id: I0ea6dddd26e17771be223a1fbdf21792c90f3e9c
    Closes-Bug: #1759956
    (cherry picked from commit 81db328b2df08f2b4adcc80104cf05ad8966c019)

This bug was fixed in the package neutron - 2:12.0.0-0ubuntu3

---------------
neutron (2:12.0.0-0ubuntu3) bionic; urgency=medium

  * d/p/refresh-router-objects-after-port-binding.patch: Cherry-picked
    from upstream stable/queens branch (LP: #1759971).
  * d/p/use-cidr-during-tenant-network-rule-deletion.patch: Cherry-picked
    from upstream stable/queens branch (LP: #1759956).

 -- Corey Bryant <email address hidden> Mon, 16 Apr 2018 16:06:25 -0400

This issue was fixed in the openstack/neutron 13.0.0.0b1 development milestone.

This issue was fixed in the openstack/neutron 11.0.4 release.

This issue was fixed in the openstack/neutron 12.0.2 release.

This seems to be fix-released in both stable/pike and stable/queens so I'm marking it so