From 657dccc566bc5699c2eea5b7ae6c10c24329b8b2 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Wed, 24 Mar 2021 12:02:14 +0100
Subject: [PATCH] Add locks for setting iptables rules in l3 and metadata agents

Router_info class and metadata agent's driver are using same instance of the iptables manager class and it could happend that sometimes e.g. nat rule which packets send to 169.254.169.254:80 redirects to the port 9697 so haproxy can process them, can be missed as they will be overwritten by the Router_info class manipulating other rules in the same 'nat' rules list. This patch fixed that by adding lock for methods which are changing rules in iptables_manager's nat table in both router_info and the metadata agent's driver.

Conflicts:
	neutron/agent/metadata/driver.py

Closes-Bug: #1920778
Change-Id: Ic3a324c0e608c7afc4b15dbc8becd33b75ee78f6
(cherry picked from commit af3c1b84427cbe4c9d3dce8fc901ad0b099c5917)
(cherry picked from commit c028839647d6900997cf38b5eec63b7698515dec)
(cherry picked from commit 7af0b713ff21e27889f7b322b736cab4b0dadaf9)
---
 neutron/agent/metadata/driver.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 37cbc1a2734..e07dbf19522 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -30,6 +30,7 @@ from neutron.agent.l3 import ha_router
 from neutron.agent.l3 import namespaces
 from neutron.agent.linux import external_process
 from neutron.agent.linux import utils as linux_utils
+from neutron.common import coordination
 
 LOG = logging.getLogger(__name__)
 
@@ -267,13 +268,7 @@ class MetadataDriver(object):
 def after_router_added(resource, event, l3_agent, **kwargs):
     router = kwargs['router']
     proxy = l3_agent.metadata_driver
-    for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
-                                            proxy.metadata_access_mark):
-        router.iptables_manager.ipv4['filter'].add_rule(c, r)
-    for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
-        router.iptables_manager.ipv4['nat'].add_rule(c, r)
-    router.iptables_manager.apply()
-
+    apply_metadata_nat_rules(router, proxy)
     if not isinstance(router, ha_router.HaRouter):
         proxy.spawn_monitored_metadata_proxy(
             l3_agent.process_monitor,
@@ -304,3 +299,13 @@ def before_router_removed(resource, event, l3_agent, payload=None):
         router.router['id'],
         l3_agent.conf,
         router.ns_name)
+
+
+@coordination.synchronized('router-lock-ns-{router.ns_name}')
+def apply_metadata_nat_rules(router, proxy):
+    for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
+                                            proxy.metadata_access_mark):
+        router.iptables_manager.ipv4['filter'].add_rule(c, r)
+    for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
+        router.iptables_manager.ipv4['nat'].add_rule(c, r)
+    router.iptables_manager.apply()
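Review bot: `after_router_added` now acquires the per-namespace lock inside `apply_metadata_nat_rules(router, proxy)` while `spawn_monitored_metadata_proxy` stays outside it; if any caller of this callback (not visible in the hunk) can already hold `router-lock-ns-<ns_name>`, the nested acquisition will block unless `coordination.synchronized` hands out reentrant locks, which this diff does not show, so that is worth confirming on the l3 side. Style: the blank line that separated rule installation from the `if not isinstance(router, ha_router.HaRouter):` branch was dropped together with the inlined loops; keep `apply_metadata_nat_rules(router, proxy)` followed by a blank line so the two steps read as distinct. The body of `after_router_added` continues past the end of the hunk.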
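Review bot: `apply_metadata_nat_rules` has no docstring, and its name undersells what it does: it installs the metadata `filter` rules as well as the `nat` rules before the single `router.iptables_manager.apply()`. A docstring such as `"""Install the metadata proxy filter and NAT rules on *router* and apply them under the per-namespace router lock."""` would also be the place to record why the lock exists: `router.iptables_manager` is shared with the l3 agent's router code, which must serialize its own rule edits on the same `router-lock-ns-{router.ns_name}` name for this lock to be effective. That other side is not part of this diff (the message notes a conflict in this very file on cherry-pick), so the lock name should be checked against what the l3 agent uses in this branch; a mismatch leaves the redirect rule for 169.254.169.254:80 just as exposed to being overwritten by an unlocked `apply()` as before.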