Fix iptable rules when chain reference count is 0 by ravening · Pull Request #5328 · apache/cloudstack

ravening · 2021-08-17T14:54:23Z

Description

Sometimes the chain reference count is 0 and in that case
proper iptables rules are not applied. Because of this, ping fails.
So check the reference count for the main chain and as well as
-IN and -OUT chain as well

Types of changes

Breaking change (fix or feature that would cause existing functionality to change)
New feature (non-breaking change which adds functionality)
Bug fix (non-breaking change which fixes an issue)
Enhancement (improves an existing feature and functionality)
Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

Major
Minor

Bug Severity

Screenshots (if appropriate):

Before the fix

Iptable rules on NON working node

# iptables -n -L | grep BF-brbond0-94
BF-brbond0-94  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
BF-brbond0-94  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
Chain BF-brbond0-94 (2 references)
Chain BF-brbond0-94-IN (0 references) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Chain BF-brbond0-94-OUT (0 references)

# iptables-save |grep -w BF-brbond0-94
:BF-brbond0-94 - [0:0]
:BF-brbond0-94-IN - [0:0]
:BF-brbond0-94-OUT - [0:0]
-A FORWARD -o brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94
-A FORWARD -i brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94
-A BF-brbond0-94-IN -m physdev --physdev-in vnet7 --physdev-is-bridged -j i-2-6394-def
-A BF-brbond0-94-OUT -m physdev --physdev-out vnet7 --physdev-is-bridged -j i-2-6394-def

The iptables-save command is missing bond rule

iptable rules on WORKING node

# iptables -n -L | grep BF-brbond0-94
BF-brbond0-94  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
BF-brbond0-94  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
Chain BF-brbond0-94 (2 references)
BF-brbond0-94-IN  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-in --physdev-is-bridged
BF-brbond0-94-OUT  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-out --physdev-is-bridged
Chain BF-brbond0-94-IN (1 references)
Chain BF-brbond0-94-OUT (1 references) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

# iptables-save |grep -w BF-brbond0-94
:BF-brbond0-94 - [0:0]
:BF-brbond0-94-IN - [0:0]
:BF-brbond0-94-OUT - [0:0]
-A FORWARD -o brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94
-A FORWARD -i brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94
-A BF-brbond0-94 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BF-brbond0-94 -m physdev --physdev-is-in --physdev-is-bridged -j BF-brbond0-94-IN <<<<<<<<<<<<<<<<<<<
-A BF-brbond0-94 -m physdev --physdev-is-out --physdev-is-bridged -j BF-brbond0-94-OUT <<<<<<<<<<<<<<<<
-A BF-brbond0-94 -m physdev --physdev-out bond0.94 --physdev-is-bridged -j ACCEPT <<<<<<<<<<<<<<<<<<<<

After the fix

iptable rules from the security_group.log file

2021-08-17 14:42:54,168 - bridge -o link show | awk '/master brbond0-94 / && !/^[0-9]+: vnet/ {print $2}' | head -1 | cut -d ':' -f1
2021-08-17 14:42:54,183 - iptables -n -L BF-brbond0-94 | awk '/BF-brbond0-94(.*)references/ {gsub(/\(/, "") ;print $3}'
2021-08-17 14:42:54,192 - iptables -n -L BF-brbond0-94-IN | awk '/BF-brbond0-94-IN(.*)references/ {gsub(/\(/, "") ;print $3}'
2021-08-17 14:42:54,201 - iptables -n -L BF-brbond0-94-OUT | awk '/BF-brbond0-94-OUT(.*)references/ {gsub(/\(/, "") ;print $3}'
2021-08-17 14:42:54,209 - ip6tables -n -L BF-brbond0-94 | awk '/BF-brbond0-94(.*)references/ {gsub(/\(/, "") ;print $3}'
2021-08-17 14:42:54,213 - ip6tables -I FORWARD -i brbond0-94 -j DROP
2021-08-17 14:42:54,217 - ip6tables -I FORWARD -o brbond0-94 -j DROP
2021-08-17 14:42:54,220 - ip6tables -I FORWARD -i brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94
2021-08-17 14:42:54,224 - ip6tables -I FORWARD -o brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94
2021-08-17 14:42:54,228 - ip6tables -A BF-brbond0-94 -m state --state RELATED,ESTABLISHED -j ACCEPT
2021-08-17 14:42:54,231 - ip6tables -A BF-brbond0-94 -m physdev --physdev-is-bridged --physdev-is-in -j BF-brbond0-94-IN
2021-08-17 14:42:54,235 - ip6tables -A BF-brbond0-94 -m physdev --physdev-is-bridged --physdev-is-out -j BF-brbond0-94-OUT
2021-08-17 14:42:54,239 - ip6tables -A BF-brbond0-94 -m physdev --physdev-is-bridged --physdev-out bond0.94 -j ACCEPT
2021-08-17 14:42:54,243 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w brbond0-94|awk '{print $9}' | head -1
2021-08-17 14:42:54,272 - iptables-save | awk '/BF(.*)physdev-is-bridged(.*)i-2-6394-def/ { sub(/-A/, "-D", $1) ; print }'
2021-08-17 14:42:54,293 - ip6tables-save | awk '/BF(.*)physdev-is-bridged(.*)i-2-6394-def/ { sub(/-A/, "-D", $1) ; print }'
2021-08-17 14:42:54,299 - ebtables -t nat -L PREROUTING | grep i-2-6394-VM

How Has This Been Tested?

Sometimes the chain reference count is 0 and in that case proper iptables rules are not applied. Because of this, ping fails. So check the reference count for the main chain and as well as -IN and -OUT chain as well

ravening · 2021-08-17T14:57:18Z

@rhtyd @weizhouapache please review

GabrielBrascher

Code LGTM.
What do you think @weizhouapache @rhtyd @wido @DaanHoogland?

weizhouapache · 2021-08-18T06:18:55Z

code lgtm.

however I am more interested in what cause the issue.
could you please upload security_group.log ? @ravening

ravening · 2021-08-18T07:20:31Z

code lgtm.

however I am more interested in what cause the issue.
could you please upload security_group.log ? @ravening

@weizhouapache I really dont know what caused the issue in first place.

Do you want the entire file to be uploaded? its around 100MB

yadvr · 2021-08-18T07:45:50Z

scripts/vm/network/security_group.py

        refs6 = int(execute("""ip6tables -n -L %s | awk '/%s(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())

-        if refs == 0:
+        if refs == 0 or refs_in == 0 or refs_out == 0:


Shouldn't we always have a drop as the catchall/default rule at the end of the chain?

@rhtyd
which chain do you mean ? FORWARD, brfw, brfwin or brfwout ?
there are some DROP rules in FORWARD chain and vm chains (i-x-x-def and i-x-x-VM/i-x-x-VM-eg)

there is a component test which verify the iptables/ebtables rules on host
test/integration/component/test_multiple_nic_support.py

we can run the test as well.

weizhouapache · 2021-08-18T07:47:35Z

code lgtm.
however I am more interested in what cause the issue.
could you please upload security_group.log ? @ravening

@weizhouapache I really dont know what caused the issue in first place.

Do you want the entire file to be uploaded? its around 100MB

@ravening
could you search "iptables -F BF-brbond0-94" in the file ?

weizhouapache · 2021-08-18T11:26:54Z

@blueorangutan package

blueorangutan · 2021-08-18T11:28:02Z

@weizhouapache a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

ravening · 2021-08-18T11:28:04Z

@weizhouapache this is all I found

2021-07-02 08:45:02,040 - iptables -F BF-brbond0-94
2021-07-02 08:45:02,066 - ip6tables -F BF-brbond0-94
2021-07-02 08:45:02,077 - Command exited non-zero: ip6tables -F BF-brbond0-94

weizhouapache · 2021-08-18T11:54:52Z

@ravening can you please upload the logs near this timeslot ?

blueorangutan · 2021-08-18T11:57:47Z

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian. SL-JID 908

ravening · 2021-08-18T12:42:55Z

@weizhouapache

2021-07-02 08:45:01,700 - iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-2468-def
2021-07-02 08:45:01,736 - Command exited non-zero: iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-2468-def
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-24-def' returned non-zero exit status 1
2021-07-02 08:45:01,738 - iptables rules do not exist, programming default rules for i-11-2468-VM vnet60
2021-07-02 08:45:01,738 - modprobe br_netfilter
2021-07-02 08:45:01,742 - sysctl -w net.bridge.bridge-nf-call-arptables=1
2021-07-02 08:45:01,747 - sysctl -w net.bridge.bridge-nf-call-iptables=1
2021-07-02 08:45:01,751 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1
2021-07-02 08:45:01,756 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w brbond0-94|awk '{print $9}' | head -1
2021-07-02 08:45:01,794 - iptables -L BF-brbond0-94
2021-07-02 08:45:01,807 - iptables -L BF-brbond0-94-OUT
2021-07-02 08:45:01,818 - iptables -L BF-brbond0-94-IN


2021-07-02 08:45:02,040 - iptables -F BF-brbond0-94


2021-07-02 08:45:02,066 - ip6tables -F BF-brbond0-94
2021-07-02 08:45:02,077 - Command exited non-zero: ip6tables -F BF-brbond0-94
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 1345, in add_fw_framework
    execute('ip6tables -I FORWARD -i ' + brname + ' -m physdev --physdev-is-bridged -j ' + brfw)
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'ip6tables -I FORWARD -i brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94' returned non-zero exit status 2

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'ip6tables -F BF-brbond0-94' returned non-zero exit status 1


2021-07-02 08:45:02,272 - iptables -F i-11-2468-VM
2021-07-02 08:45:02,281 - Command exited non-zero: iptables -F i-11-2468-VM
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'iptables -F i-11-2468-VM' returned non-zero exit status 1
2021-07-02 08:45:02,285 - Error flushing iptables rules for i-11-2468-VM. Presuming firewall rules deleted, re-initializing.
2021-07-02 08:45:02,285 - modprobe br_netfilter
2021-07-02 08:45:02,293 - sysctl -w net.bridge.bridge-nf-call-arptables=1
2021-07-02 08:45:02,297 - sysctl -w net.bridge.bridge-nf-call-iptables=1
2021-07-02 08:45:02,300 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1
2021-07-02 08:45:02,306 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w brbond0-94|awk '{print $9}' | head -1
2021-07-02 08:45:02,345 - iptables -L BF-brbond0-94
2021-07-02 08:45:02,358 - iptables -L BF-brbond0-94-OUT
2021-07-02 08:45:02,372 - iptables -L BF-brbond0-94-IN
2021-07-02 08:45:02,385 - ip6tables -L BF-brbond0-94

weizhouapache · 2021-08-18T14:36:36Z

@weizhouapache

2021-07-02 08:45:01,700 - iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-2468-def
2021-07-02 08:45:01,736 - Command exited non-zero: iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-2468-def
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-24-def' returned non-zero exit status 1
2021-07-02 08:45:01,738 - iptables rules do not exist, programming default rules for i-11-2468-VM vnet60
2021-07-02 08:45:01,738 - modprobe br_netfilter
2021-07-02 08:45:01,742 - sysctl -w net.bridge.bridge-nf-call-arptables=1
2021-07-02 08:45:01,747 - sysctl -w net.bridge.bridge-nf-call-iptables=1
2021-07-02 08:45:01,751 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1
2021-07-02 08:45:01,756 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w brbond0-94|awk '{print $9}' | head -1
2021-07-02 08:45:01,794 - iptables -L BF-brbond0-94
2021-07-02 08:45:01,807 - iptables -L BF-brbond0-94-OUT
2021-07-02 08:45:01,818 - iptables -L BF-brbond0-94-IN


2021-07-02 08:45:02,040 - iptables -F BF-brbond0-94


2021-07-02 08:45:02,066 - ip6tables -F BF-brbond0-94
2021-07-02 08:45:02,077 - Command exited non-zero: ip6tables -F BF-brbond0-94
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 1345, in add_fw_framework
    execute('ip6tables -I FORWARD -i ' + brname + ' -m physdev --physdev-is-bridged -j ' + brfw)
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'ip6tables -I FORWARD -i brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94' returned non-zero exit status 2

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'ip6tables -F BF-brbond0-94' returned non-zero exit status 1


2021-07-02 08:45:02,272 - iptables -F i-11-2468-VM
2021-07-02 08:45:02,281 - Command exited non-zero: iptables -F i-11-2468-VM
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'iptables -F i-11-2468-VM' returned non-zero exit status 1
2021-07-02 08:45:02,285 - Error flushing iptables rules for i-11-2468-VM. Presuming firewall rules deleted, re-initializing.
2021-07-02 08:45:02,285 - modprobe br_netfilter
2021-07-02 08:45:02,293 - sysctl -w net.bridge.bridge-nf-call-arptables=1
2021-07-02 08:45:02,297 - sysctl -w net.bridge.bridge-nf-call-iptables=1
2021-07-02 08:45:02,300 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1
2021-07-02 08:45:02,306 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w brbond0-94|awk '{print $9}' | head -1
2021-07-02 08:45:02,345 - iptables -L BF-brbond0-94
2021-07-02 08:45:02,358 - iptables -L BF-brbond0-94-OUT
2021-07-02 08:45:02,372 - iptables -L BF-brbond0-94-IN
2021-07-02 08:45:02,385 - ip6tables -L BF-brbond0-94

@ravening is there any log between

2021-07-02 08:45:01,794 - iptables -L BF-brbond0-94
2021-07-02 08:45:01,807 - iptables -L BF-brbond0-94-OUT
2021-07-02 08:45:01,818 - iptables -L BF-brbond0-94-IN

and

2021-07-02 08:45:02,040 - iptables -F BF-brbond0-94

?

ravening · 2021-08-19T07:23:06Z

@weizhouapache

2021-07-02 08:45:01,700 - iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-2468-def
2021-07-02 08:45:01,736 - Command exited non-zero: iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-2468-def
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'iptables-save |grep -w BF-brbond0-94 |grep -w vnet60 |grep -w i-11-24-def' returned non-zero exit status 1
2021-07-02 08:45:01,738 - iptables rules do not exist, programming default rules for i-11-2468-VM vnet60
2021-07-02 08:45:01,738 - modprobe br_netfilter
2021-07-02 08:45:01,742 - sysctl -w net.bridge.bridge-nf-call-arptables=1
2021-07-02 08:45:01,747 - sysctl -w net.bridge.bridge-nf-call-iptables=1
2021-07-02 08:45:01,751 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1
2021-07-02 08:45:01,756 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w brbond0-94|awk '{print $9}' | head -1
2021-07-02 08:45:01,794 - iptables -L BF-brbond0-94
2021-07-02 08:45:01,807 - iptables -L BF-brbond0-94-OUT
2021-07-02 08:45:01,818 - iptables -L BF-brbond0-94-IN


2021-07-02 08:45:02,040 - iptables -F BF-brbond0-94


2021-07-02 08:45:02,066 - ip6tables -F BF-brbond0-94
2021-07-02 08:45:02,077 - Command exited non-zero: ip6tables -F BF-brbond0-94
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 1345, in add_fw_framework
    execute('ip6tables -I FORWARD -i ' + brname + ' -m physdev --physdev-is-bridged -j ' + brfw)
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'ip6tables -I FORWARD -i brbond0-94 -m physdev --physdev-is-bridged -j BF-brbond0-94' returned non-zero exit status 2

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'ip6tables -F BF-brbond0-94' returned non-zero exit status 1


2021-07-02 08:45:02,272 - iptables -F i-11-2468-VM
2021-07-02 08:45:02,281 - Command exited non-zero: iptables -F i-11-2468-VM
Traceback (most recent call last):
  File "/usr/share/cloudstack-common/scripts/vm/network/security_group.py", line 53, in execute
    return check_output(cmd, shell=True).decode()
  File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'iptables -F i-11-2468-VM' returned non-zero exit status 1
2021-07-02 08:45:02,285 - Error flushing iptables rules for i-11-2468-VM. Presuming firewall rules deleted, re-initializing.
2021-07-02 08:45:02,285 - modprobe br_netfilter
2021-07-02 08:45:02,293 - sysctl -w net.bridge.bridge-nf-call-arptables=1
2021-07-02 08:45:02,297 - sysctl -w net.bridge.bridge-nf-call-iptables=1
2021-07-02 08:45:02,300 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1
2021-07-02 08:45:02,306 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w brbond0-94|awk '{print $9}' | head -1
2021-07-02 08:45:02,345 - iptables -L BF-brbond0-94
2021-07-02 08:45:02,358 - iptables -L BF-brbond0-94-OUT
2021-07-02 08:45:02,372 - iptables -L BF-brbond0-94-IN
2021-07-02 08:45:02,385 - ip6tables -L BF-brbond0-94

@ravening is there any log between

2021-07-02 08:45:01,794 - iptables -L BF-brbond0-94
2021-07-02 08:45:01,807 - iptables -L BF-brbond0-94-OUT
2021-07-02 08:45:01,818 - iptables -L BF-brbond0-94-IN

and

2021-07-02 08:45:02,040 - iptables -F BF-brbond0-94

?

@weizhouapache nope .. no other logs in between

weizhouapache

lgtm , based on the component test test_multiple_nic_support.py

Create Vm with multiple NIC's ... === TestName: test_01_create_vm_with_multiple_nics | Status : SUCCESS ===
ok
Create VM with single NIC and then add additional NIC ... === TestName: test_02_add_nic_to_vm | Status : SUCCESS ===
ok
Add secondary IP's to the VM ... === TestName: test_03_add_ip_to_default_nic | Status : SUCCESS ===
ok
Add secondary IP's to remaining NIC's ... === TestName: test_04_add_ip_to_remaining_nics | Status : SUCCESS ===
ok
Stop and Start a VM with Multple NIC ... === TestName: test_05_stop_start_vm_with_multiple_nic | Status : SUCCESS ===
ok
Migrate a VM with Multple NIC ... === TestName: test_06_migrate_vm_with_multiple_nic | Status : SUCCESS ===
ok
Remove secondary IP from any NIC ... === TestName: test_07_remove_secondary_ip_from_nic | Status : SUCCESS ===
ok
Remove NIC from VM ... === TestName: test_08_remove_nic_from_vm | Status : SUCCESS ===
ok
Reboot a VM with Multple NIC ... === TestName: test_09_reboot_vm_with_multiple_nic | Status : SUCCESS ===
ok

----------------------------------------------------------------------
Ran 9 tests in 320.685s

OK

Fix iptable rules when chain reference count is 0

96d3494

Sometimes the chain reference count is 0 and in that case proper iptables rules are not applied. Because of this, ping fails. So check the reference count for the main chain and as well as -IN and -OUT chain as well

GabrielBrascher added this to the 4.15.2.0 milestone Aug 17, 2021

GabrielBrascher added the component:security-group label Aug 17, 2021

GabrielBrascher assigned ravening Aug 17, 2021

GabrielBrascher approved these changes Aug 17, 2021

View reviewed changes

yadvr reviewed Aug 18, 2021

View reviewed changes

weizhouapache approved these changes Aug 20, 2021

View reviewed changes

DaanHoogland merged commit c1fc002 into apache:4.15 Aug 20, 2021

Conversation

ravening commented Aug 17, 2021

Description

Types of changes

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

Bug Severity

Screenshots (if appropriate):

How Has This Been Tested?

Uh oh!

ravening commented Aug 17, 2021

Uh oh!

GabrielBrascher left a comment

Choose a reason for hiding this comment

Uh oh!

weizhouapache commented Aug 18, 2021

Uh oh!

ravening commented Aug 18, 2021

Uh oh!

yadvr Aug 18, 2021

Choose a reason for hiding this comment

Uh oh!

weizhouapache Aug 18, 2021

Choose a reason for hiding this comment

Uh oh!

weizhouapache commented Aug 18, 2021

Uh oh!

weizhouapache commented Aug 18, 2021

Uh oh!

blueorangutan commented Aug 18, 2021

Uh oh!

ravening commented Aug 18, 2021

Uh oh!

weizhouapache commented Aug 18, 2021

Uh oh!

blueorangutan commented Aug 18, 2021

Uh oh!

ravening commented Aug 18, 2021

Uh oh!

weizhouapache commented Aug 18, 2021

Uh oh!

ravening commented Aug 19, 2021

Uh oh!

weizhouapache left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants