Add locks for setting iptables rules in l3 and metadata agents
Router_info class and metadata agent's driver are using same instance of the iptables manager class and it could happend that sometimes e.g. nat rule which packets send to 169.254.169.254:80 redirects to the port 9697 so haproxy can process them, can be missed as they will be overwritten by the Router_info class manipulating other rules in the same 'nat' rules list. This patch fixed that by adding lock for methods which are changing rules in iptables_manager's nat table in both router_info and the metadata agent's driver. Closes-Bug: #1920778 Change-Id: Ic3a324c0e608c7afc4b15dbc8becd33b75ee78f6
This commit is contained in:
parent
493286511d
commit
af3c1b8442
@ -33,6 +33,7 @@ from neutron.agent.l3 import namespaces
|
||||
from neutron.agent.linux import external_process
|
||||
from neutron.agent.linux import ip_lib
|
||||
from neutron.agent.linux import utils as linux_utils
|
||||
from neutron.common import coordination
|
||||
from neutron.common import utils as common_utils
|
||||
|
||||
|
||||
@ -307,26 +308,10 @@ class MetadataDriver(object):
|
||||
def after_router_added(resource, event, l3_agent, **kwargs):
|
||||
router = kwargs['router']
|
||||
proxy = l3_agent.metadata_driver
|
||||
ipv6_enabled = netutils.is_ipv6_enabled()
|
||||
for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
|
||||
proxy.metadata_access_mark):
|
||||
router.iptables_manager.ipv4['filter'].add_rule(c, r)
|
||||
if ipv6_enabled:
|
||||
for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
|
||||
proxy.metadata_access_mark):
|
||||
router.iptables_manager.ipv6['filter'].add_rule(c, r)
|
||||
for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
|
||||
router.iptables_manager.ipv4['nat'].add_rule(c, r)
|
||||
if ipv6_enabled:
|
||||
for c, r in proxy.metadata_nat_rules(
|
||||
proxy.metadata_port,
|
||||
metadata_address=(constants.METADATA_V6_IP + '/128')):
|
||||
router.iptables_manager.ipv6['nat'].add_rule(c, r)
|
||||
router.iptables_manager.apply()
|
||||
|
||||
apply_metadata_nat_rules(router, proxy)
|
||||
if not isinstance(router, ha_router.HaRouter):
|
||||
spawn_kwargs = {}
|
||||
if ipv6_enabled:
|
||||
if netutils.is_ipv6_enabled():
|
||||
spawn_kwargs['bind_address'] = '::'
|
||||
proxy.spawn_monitored_metadata_proxy(
|
||||
l3_agent.process_monitor,
|
||||
@ -362,3 +347,22 @@ def before_router_removed(resource, event, l3_agent, payload=None):
|
||||
router.router['id'],
|
||||
l3_agent.conf,
|
||||
router.ns_name)
|
||||
|
||||
|
||||
@coordination.synchronized('router-lock-ns-{router.ns_name}')
|
||||
def apply_metadata_nat_rules(router, proxy):
|
||||
for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
|
||||
proxy.metadata_access_mark):
|
||||
router.iptables_manager.ipv4['filter'].add_rule(c, r)
|
||||
if netutils.is_ipv6_enabled():
|
||||
for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
|
||||
proxy.metadata_access_mark):
|
||||
router.iptables_manager.ipv6['filter'].add_rule(c, r)
|
||||
for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
|
||||
router.iptables_manager.ipv4['nat'].add_rule(c, r)
|
||||
if netutils.is_ipv6_enabled():
|
||||
for c, r in proxy.metadata_nat_rules(
|
||||
proxy.metadata_port,
|
||||
metadata_address=(constants.METADATA_V6_IP + '/128')):
|
||||
router.iptables_manager.ipv6['nat'].add_rule(c, r)
|
||||
router.iptables_manager.apply()
|
||||
|
Loading…
Reference in New Issue
Block a user