Reviewed:  https://review.opendev.org/746336
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=5eca44bfa850e6e75c9974ae7711b87764628253
Submitter: Zuul
Branch:    master

commit 5eca44bfa850e6e75c9974ae7711b87764628253
Author: Edward Hope-Morley <edward.hope-mor...@canonical.com>
Date:   Fri Aug 14 17:44:54 2020 +0100

    Ensure fip ip rules deleted when fip removed

    The information needed to delete ip rules associated with fips
    is held in memory between add and remove so a restart of the
    l3-agent results in any fips that existed before the restart
    having their ip rules persist after the fips are removed.

    This patch ensures that an agent restart reloads this information
    so that ip rules associated with a fip are correctly removed
    when the fip is removed.

    Change-Id: If656a703c996ccc7719b1b09d793c5bbdfd6f3c1
    Closes-Bug: #1891673

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1891673

Title:
  qrouter ns ip rules not deleted when fip removed from vm

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive queens series:
  New
Status in Ubuntu Cloud Archive rocky series:
  New
Status in Ubuntu Cloud Archive stein series:
  New
Status in Ubuntu Cloud Archive train series:
  New
Status in Ubuntu Cloud Archive ussuri series:
  New
Status in Ubuntu Cloud Archive victoria series:
  New
Status in neutron:
  Fix Released

Bug description:
  With Bionic Stein using dvr_snat, if I add a floating ip to a vm then
  remove the floating ip, the corresponding ip rules in the associated
  qrouter ns local to the instance are not deleted, which results in no
  longer being able to reach the external network because packets are
  still sent to the fip namespace (via rfp-/fpr-), e.g. in my compute
  host running a vm whose address is 192.168.21.28 for which I have
  removed the fip I still see:

  # ip netns exec qrouter-5e45608f-33d4-41bf-b3ba-915adf612e65 ip rule list
  0: from all lookup local
  32765: from 192.168.21.28 lookup 16
  32766: from all lookup main
  32767: from all lookup default
  3232240897: from 192.168.21.1/24 lookup 3232240897
  3232241231: from 192.168.22.79/24 lookup 3232241231

  And table 16 leads to:

  # ip netns exec qrouter-5e45608f-33d4-41bf-b3ba-915adf612e65 ip route show table 16
  default via 169.254.109.249 dev rfp-5e45608f-3

  Which results in the instance no longer being able to reach the
  external network (packets are never sent to the snat- ns in my case).

  The workaround is to delete that ip rule but neutron should be taking
  care of this. Looks like the culprit is in
  neutron/agent/l3/dvr_local_router.py:floating_ip_removed_dist

  Note that the NAT rules were successfully removed from iptables so
  looks like it is just this bit that is left behind.