Add locks for setting iptables rules in l3 and metadata agents

The Router_info class and the metadata agent's driver use the same
instance of the iptables manager class, so it could happen that
e.g. the nat rule which redirects packets sent to 169.254.169.254:80
to port 9697, so that haproxy can process them, is missed because it
is overwritten by the Router_info class manipulating other rules in
the same 'nat' rules list.

This patch fixed that by adding lock for methods which are changing
rules in iptables_manager's nat table in both router_info and
the metadata agent's driver.

Conflicts:
    neutron/agent/metadata/driver.py

Closes-Bug: #1920778
Change-Id: Ic3a324c0e608c7afc4b15dbc8becd33b75ee78f6
(cherry picked from commit af3c1b8442)
(cherry picked from commit c028839647)
(cherry picked from commit 7af0b713ff)
Slawek Kaplonski 2021-03-24 12:02:14 +01:00 committed by Bernard Cafarelli
parent 1175917f74
commit 657dccc566
1 changed files with 12 additions and 7 deletions


@ -30,6 +30,7 @@ from neutron.agent.l3 import ha_router
from neutron.agent.l3 import namespaces
from neutron.agent.linux import external_process
from neutron.agent.linux import utils as linux_utils
from neutron.common import coordination
LOG = logging.getLogger(__name__)
@ -267,13 +268,7 @@ class MetadataDriver(object):
def after_router_added(resource, event, l3_agent, **kwargs):
router = kwargs['router']
proxy = l3_agent.metadata_driver
for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
proxy.metadata_access_mark):
router.iptables_manager.ipv4['filter'].add_rule(c, r)
for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
router.iptables_manager.ipv4['nat'].add_rule(c, r)
router.iptables_manager.apply()
apply_metadata_nat_rules(router, proxy)
if not isinstance(router, ha_router.HaRouter):
proxy.spawn_monitored_metadata_proxy(
l3_agent.process_monitor,
@ -304,3 +299,13 @@ def before_router_removed(resource, event, l3_agent, payload=None):
router.router['id'],
l3_agent.conf,
router.ns_name)
@coordination.synchronized('router-lock-ns-{router.ns_name}')
def apply_metadata_nat_rules(router, proxy):
for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
proxy.metadata_access_mark):
router.iptables_manager.ipv4['filter'].add_rule(c, r)
for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
router.iptables_manager.ipv4['nat'].add_rule(c, r)
router.iptables_manager.apply()
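Review bot: The new `apply_metadata_nat_rules` at the end of the file has no docstring, and its name understates what it does: it installs the filter rules as well as the nat rules and then calls `apply()`, so a reader looking only at the call site in `after_router_added` will not expect the filter rules to move with it. A one-line docstring such as `"""Install the metadata filter and nat rules under the per-namespace router lock, then apply them."""` would cover that. The lock only serializes against code that takes the same `router-lock-ns-{router.ns_name}` name; this commit touches a single file, so the router_info side the description mentions must already use exactly that name, which is worth confirming given the cherry-pick conflicts noted above. The lock name also appears to be formatted from the call's `router` argument, so renaming that parameter would silently change which lock is taken.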