[Yahoo-eng-team] [Bug 1528137] Re: creating meter label rule doesn't work properly
Reviewed:  https://review.openstack.org/260323
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6659a935589bf0e4ab57616c256b94f77d2ef107
Submitter: Jenkins
Branch:    master

commit 6659a935589bf0e4ab57616c256b94f77d2ef107
Author: Yu Fukuyama
Date:   Tue Dec 22 05:17:30 2015 +

    Fix meter label rule creation

    In the case of outbound traffic, set remote_ip to dst.
    In the case of inbound traffic, set remote_ip to src.

    Change-Id: I7f27b93efa67baf3efccaa94f6a1337d6886e230
    Closes-Bug: #1528137
    DocImpact: Clarify remote_ip_prefix description of metering label rule in API site

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1528137

Title:
  creating meter label rule doesn't work properly

Status in neutron:
  Fix Released

Bug description:
  Created rule by the following API counts packets between a router which connects to external network and the connection destination device.

  API: POST /v2.0/metering/metering-label-rules

  When outbound traffic of external router, destination should be remote_ip, and when inbound traffic, sender should be remote_ip. But it has become actually reversed. Because option for creating the iptables rule is reversed.

  code:
  https://github.com/openstack/neutron/blob/master/neutron/services/metering/drivers/iptables/iptables_driver.py#L176

  I'll show you an example that created the meter label rule the remote_ip is set to 192.168.0.0/16.

  [Actual results]

  $ neutron meter-label-create test-label --tenant-id 2a023bd32f014e44b60b591cbd151514
  Created a new metering_label:
  +-------------+--------------------------------------+
  | Field       | Value                                |
  +-------------+--------------------------------------+
  | description |                                      |
  | id          | d35d0464-f872-43c7-8dd8-850657da59ef |
  | name        | test-label                           |
  | shared      | False                                |
  | tenant_id   | 2a023bd32f014e44b60b591cbd151514     |
  +-------------+--------------------------------------+

  $ neutron meter-label-create test-label2 --tenant-id 2a023bd32f014e44b60b591cbd151514
  Created a new metering_label:
  +-------------+--------------------------------------+
  | Field       | Value                                |
  +-------------+--------------------------------------+
  | description |                                      |
  | id          | 61c344ce-0438-4cd3-bbd8-a4d5e0dbce6f |
  | name        | test-label2                          |
  | shared      | False                                |
  | tenant_id   | 2a023bd32f014e44b60b591cbd151514     |
  +-------------+--------------------------------------+

  $ neutron meter-label-rule-create --tenant-id 2a023bd32f014e44b60b591cbd151514 --direction egress d35d0464-f872-43c7-8dd8-850657da59ef 192.168.0.0/16
  $ neutron meter-label-rule-create --tenant-id 2a023bd32f014e44b60b591cbd151514 --direction ingress 61c344ce-0438-4cd3-bbd8-a4d5e0dbce6f 192.168.0.0/16

  $ neutron meter-label-rule-list
  +--------------------------------------+----------+-----------+------------------+
  | id                                   | excluded | direction | remote_ip_prefix |
  +--------------------------------------+----------+-----------+------------------+
  | 3e426537-61f4-44ac-a67a-e66ce26dc11b | False    | egress    | 192.168.0.0/16   |
  | 4d669406-173c-4eea-af21-00430719cbfa | False    | ingress   | 192.168.0.0/16   |
  +--------------------------------------+----------+-----------+------------------+

  $ sudo ip netns exec qrouter-b72b789e-8ca9-465e-a2d1-98f725a7042f iptables-save
  ...
  -A neutron-meter-r-61c344ce-043 -d 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
  -A neutron-meter-r-d35d0464-f87 -s 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87
  ...

  [The expected iptables rules]

  -A neutron-meter-r-61c344ce-043 -s 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
  -A neutron-meter-r-d35d0464-f87 -d 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87

  [Examples of required packet is not counted]

  ubuntu@test-vm(10.0.0.3):~$ ping 192.168.0.3 -c 3
  PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
  64 bytes from 192.168.0.3: icmp_seq=1 ttl=62 time=1.13 ms
  64 bytes from 192.168.0.3: icmp_seq=2 ttl=62 time=0.618 ms
  64 bytes from 192.168.0.3: icmp_seq=3 ttl=62 time=0.652 ms

  --- 192.168.0.3 ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2000ms
  rtt min/avg/max/mdev = 0.618/0.801/1.133/0.235 ms

  $ sudo ip netns exec qrouter-b72b789e-8ca9-465e-a2d1-98f725a7042f iptables -t filter -L neutron-meter-l-d35d0464-f87 -n -v -x
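
Added example, not part of the original messages and not neutron's own code: a check that scans iptables-save output for metering rules whose address flag contradicts the interface flag, run over the two rule lines quoted in the report. The helper names remote_match and reversed_rules are hypothetical; the chain prefix and rule lines are taken from the report.

```python
import shlex

# Rule lines quoted in the bug report above (before and after the fix).
ACTUAL = """\
-A neutron-meter-r-61c344ce-043 -d 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
-A neutron-meter-r-d35d0464-f87 -s 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87
"""
EXPECTED = """\
-A neutron-meter-r-61c344ce-043 -s 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
-A neutron-meter-r-d35d0464-f87 -d 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87
"""

RULE_CHAIN_PREFIX = "neutron-meter-r-"  # per-label rule chains, as seen in the report


def remote_match(direction, remote_ip_prefix, ext_dev):
    """Hypothetical helper: match arguments as the commit message describes them."""
    if direction == "egress":    # outbound: the remote side is the destination
        return ["-d", remote_ip_prefix, "-o", ext_dev]
    if direction == "ingress":   # inbound: the remote side is the source
        return ["-s", remote_ip_prefix, "-i", ext_dev]
    raise ValueError("direction must be 'ingress' or 'egress'")


def reversed_rules(iptables_save_text):
    """Return metering rules whose address flag contradicts the interface flag."""
    bad = []
    for line in iptables_save_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or not tok[1].startswith(RULE_CHAIN_PREFIX):
            continue
        flags = set(tok[2:])
        inbound_on_dst = {"-i", "-d"} <= flags and "-s" not in flags
        outbound_on_src = {"-o", "-s"} <= flags and "-d" not in flags
        if inbound_on_dst or outbound_on_src:
            bad.append(line)
    return bad


if __name__ == "__main__":
    for rule in reversed_rules(ACTUAL):
        print("reversed:", rule)
```

Feeding it the output of iptables-save from the router namespace lists any metering rule still generated with the reversed match; an empty result means every rule pairs -i with -s and -o with -d.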
[Yahoo-eng-team] [Bug 1528137] Re: creating meter label rule doesn't work properly
@Atsushi, The description itself is ambiguous. It is not directly related to the bug filed to neutron. I filed bug 1529262 against api-site and will remove api-site from the affected project of this bug.

** No longer affects: openstack-api-site

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1528137

Title:
  creating meter label rule doesn't work properly

Status in neutron:
  In Progress

Bug description:
  Created rule by the following API counts packets between a router which connects to external network and the connection destination device.

  API: POST /v2.0/metering/metering-label-rules

  When outbound traffic of external router, destination should be remote_ip, and when inbound traffic, sender should be remote_ip. But it has become actually reversed. Because option for creating the iptables rule is reversed.

  code:
  https://github.com/openstack/neutron/blob/master/neutron/services/metering/drivers/iptables/iptables_driver.py#L176

  I'll show you an example that created the meter label rule the remote_ip is set to 192.168.0.0/16.

  [Actual results]

  $ neutron meter-label-create test-label --tenant-id 2a023bd32f014e44b60b591cbd151514
  Created a new metering_label:
  +-------------+--------------------------------------+
  | Field       | Value                                |
  +-------------+--------------------------------------+
  | description |                                      |
  | id          | d35d0464-f872-43c7-8dd8-850657da59ef |
  | name        | test-label                           |
  | shared      | False                                |
  | tenant_id   | 2a023bd32f014e44b60b591cbd151514     |
  +-------------+--------------------------------------+

  $ neutron meter-label-create test-label2 --tenant-id 2a023bd32f014e44b60b591cbd151514
  Created a new metering_label:
  +-------------+--------------------------------------+
  | Field       | Value                                |
  +-------------+--------------------------------------+
  | description |                                      |
  | id          | 61c344ce-0438-4cd3-bbd8-a4d5e0dbce6f |
  | name        | test-label2                          |
  | shared      | False                                |
  | tenant_id   | 2a023bd32f014e44b60b591cbd151514     |
  +-------------+--------------------------------------+

  $ neutron meter-label-rule-create --tenant-id 2a023bd32f014e44b60b591cbd151514 --direction egress d35d0464-f872-43c7-8dd8-850657da59ef 192.168.0.0/16
  $ neutron meter-label-rule-create --tenant-id 2a023bd32f014e44b60b591cbd151514 --direction ingress 61c344ce-0438-4cd3-bbd8-a4d5e0dbce6f 192.168.0.0/16

  $ neutron meter-label-rule-list
  +--------------------------------------+----------+-----------+------------------+
  | id                                   | excluded | direction | remote_ip_prefix |
  +--------------------------------------+----------+-----------+------------------+
  | 3e426537-61f4-44ac-a67a-e66ce26dc11b | False    | egress    | 192.168.0.0/16   |
  | 4d669406-173c-4eea-af21-00430719cbfa | False    | ingress   | 192.168.0.0/16   |
  +--------------------------------------+----------+-----------+------------------+

  $ sudo ip netns exec qrouter-b72b789e-8ca9-465e-a2d1-98f725a7042f iptables-save
  ...
  -A neutron-meter-r-61c344ce-043 -d 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
  -A neutron-meter-r-d35d0464-f87 -s 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87
  ...

  [The expected iptables rules]

  -A neutron-meter-r-61c344ce-043 -s 192.168.0.0/16 -i qg-708e8abf-bc -j neutron-meter-l-61c344ce-043
  -A neutron-meter-r-d35d0464-f87 -d 192.168.0.0/16 -o qg-708e8abf-bc -j neutron-meter-l-d35d0464-f87

  [Examples of required packet is not counted]

  ubuntu@test-vm(10.0.0.3):~$ ping 192.168.0.3 -c 3
  PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
  64 bytes from 192.168.0.3: icmp_seq=1 ttl=62 time=1.13 ms
  64 bytes from 192.168.0.3: icmp_seq=2 ttl=62 time=0.618 ms
  64 bytes from 192.168.0.3: icmp_seq=3 ttl=62 time=0.652 ms

  --- 192.168.0.3 ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2000ms
  rtt min/avg/max/mdev = 0.618/0.801/1.133/0.235 ms

  $ sudo ip netns exec qrouter-b72b789e-8ca9-465e-a2d1-98f725a7042f iptables -t filter -L neutron-meter-l-d35d0464-f87 -n -v -x
  Chain neutron-meter-l-d35d0464-f87 (2 references)
      pkts      bytes target     prot opt in     out     source               destination
         0        0            all  --  *      *       0.0.0.0/0            0.0.0.0/0

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1528137/+subscriptions
[Yahoo-eng-team] [Bug 1528137] Re: creating meter label rule doesn't work properly
remote_ip_prefix of metering label rule is unclear and should be updated. According to the discussion in the review in neutron, for egress direction, remote_ip_prefix is a destination IP address or ranges and for ingress direction, it means a source IP (range).

** Also affects: openstack-api-site
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1528137

Title:
  creating meter label rule doesn't work properly

Status in neutron:
  In Progress
Status in openstack-api-site:
  New