Comment 2 for bug 1759956

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/557836
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=81db328b2df08f2b4adcc80104cf05ad8966c019
Submitter: Zuul
Branch: master

commit 81db328b2df08f2b4adcc80104cf05ad8966c019
Author: Dmitrii Shcherbakov <email address hidden>
Date: Thu Mar 29 17:32:01 2018 -0400

    Use cidr during tenant network rule deletion

    If a distributed router has interfaces on multiple tenant networks, with
    'fast exit' functionality, policy-based rules are created in the qrouter
    namespace for every tenant network subnet and 'from <cidr>' is included
    in an 'ip rule' command invocation.

    When a port on a tenant network is deleted, the 'from <cidr>' part is not
    included and the first rule matching the specified parameters gets deleted.

    For example with the following layout

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
    0: from all lookup local
    32766: from all lookup main
    32767: from all lookup default
    80000: from 192.168.100.0/24 lookup 16
    80000: from 192.168.200.0/24 lookup 16

    and neutron l3 agent will use this command

    ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule\
    del priority 80000 table 16 type unicast

    and 192.168.100.0/24 rule will get deleted even if you actually removed
    a port on 192.168.200.0.

    This results in an extra rule present and not cleaned up and the right
    rule removed. It is only recreated if a router is disabled and enabled
    again.

    additional changes:

    1) Floating IP rules are identified by priority only as implemented
    currently - for this reason this change adds fixed_ip to the rule
    removal code. Rule priorities are 32-bit values in iproute2 so,
    in theory, those should not be used to cover IPv6.

    2) IP protocol information for 'from all' rules is currently
    derived from link-local address IP version. The same approach
    is preserved by using version-specific /0 addresses without
    changing the API provided by ip_lib.

    Change-Id: I0ea6dddd26e17771be223a1fbdf21792c90f3e9c
    Closes-Bug: #1759956
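
The deletion behaviour described in the commit message, as an added example that is not part of the commit or of neutron's code: a toy model of first-match rule deletion over the rule layout quoted above, comparing a selector without the source CIDR to one that includes it. The names `delete_rule`, `remaining_sources`, `demo` and the `src` field are hypothetical, and the first-match semantics are assumed from the commit message rather than taken from iproute2.

```python
# Toy model of 'ip rule' deletion; not neutron or iproute2 code.
from ipaddress import ip_network

# Constructed sample: the rule layout quoted in the commit message.
SAMPLE_RULES = [
    {"priority": 0, "src": "all", "table": "local"},
    {"priority": 32766, "src": "all", "table": "main"},
    {"priority": 32767, "src": "all", "table": "default"},
    {"priority": 80000, "src": "192.168.100.0/24", "table": "16"},
    {"priority": 80000, "src": "192.168.200.0/24", "table": "16"},
]


def _same(key, have, wanted):
    """Compare one field; CIDRs are compared as networks, not as strings."""
    if key == "src" and "all" not in (have, wanted):
        return ip_network(have) == ip_network(wanted)
    return have == wanted


def delete_rule(rules, selector):
    """Remove the first rule agreeing with every field in the selector.

    Fields absent from the selector act as wildcards, which is what makes
    a selector without 'src' ambiguous. Returns (remaining, deleted_or_None).
    """
    for i, rule in enumerate(rules):
        if all(_same(k, rule[k], v) for k, v in selector.items()):
            return rules[:i] + rules[i + 1:], rule
    return list(rules), None


def remaining_sources(rules, priority=80000):
    """Source CIDRs still present at the tenant-network rule priority."""
    return [r["src"] for r in rules if r["priority"] == priority]


def demo():
    """A port on 192.168.200.0/24 was removed; delete its rule both ways."""
    no_cidr = {"priority": 80000, "table": "16"}
    with_cidr = dict(no_cidr, src="192.168.200.0/24")
    before_fix, _ = delete_rule(SAMPLE_RULES, no_cidr)
    after_fix, _ = delete_rule(SAMPLE_RULES, with_cidr)
    return remaining_sources(before_fix), remaining_sources(after_fix)


if __name__ == "__main__":
    print(demo())
```

Without the CIDR the model removes the 192.168.100.0/24 rule and leaves the stale 192.168.200.0/24 one; with it, only the intended rule goes.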