From bbefe5285e7ab799422fab81488f57c9c22769b6 Mon Sep 17 00:00:00 2001 From: David Hill Date: Mon, 22 Aug 2022 17:03:49 -0400 Subject: [PATCH] Allow operator to disable usage of random-fully In some specific use case, the cloud operator expects the source port of a packet to stay the same across all masquerading layer up to the destination host. With the implementation of the random-fully code, this behavior was changed as source_port is always rewritten no matter which type of architecture / network CIDRs is being used in the backend. This setting allows a user to fallback to the original behavior of the masquerading process which is to keep the source_port consistent across all layers. The initial random-fully fix prevents packet drops when duplicate tuples are generated from two different namespace when the source_ip:source_port goes toward the same destination so enabling this setting would allow this issue to show again. Perhaps a right approach here would be to fix this "racey" situation in the kernel by perhaps using the mac address as a seed to the tuple ... Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5 Closes-bug: #1987396 --- neutron/agent/linux/iptables_manager.py | 4 ++++ neutron/conf/agent/common.py | 3 +++ .../notes/use_random_fully-527b20bc524c308a.yaml | 15 +++++++++++++++ 3 files changed, 22 insertions(+) create mode 100644 releasenotes/notes/use_random_fully-527b20bc524c308a.yaml diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py index c909df56e98..3df8e8cfc48 100644 --- a/neutron/agent/linux/iptables_manager.py +++ b/neutron/agent/linux/iptables_manager.py @@ -497,6 +497,10 @@ class IptablesManager(object): version = self._get_version() self.__class__._random_fully = utils.is_version_greater_equal( version, n_const.IPTABLES_RANDOM_FULLY_VERSION) + + self._random_fully = self._random_fully and \ + cfg.CONF.AGENT.use_random_fully + return self._random_fully @property diff --git a/neutron/conf/agent/common.py b/neutron/conf/agent/common.py index 5a069c2b26d..eaa9572a18d 100644 --- a/neutron/conf/agent/common.py +++ b/neutron/conf/agent/common.py @@ -134,6 +134,9 @@ IPTABLES_OPTS = [ "of iptables-save. This option should not be turned " "on for production systems because it imposes a " "performance penalty.")), + cfg.BoolOpt('use_random_fully', + default=True, + help=_("Use random-fully in SNAT masquerade rules.")), ] PROCESS_MONITOR_OPTS = [ diff --git a/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml b/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml new file mode 100644 index 00000000000..76fb36590c2 --- /dev/null +++ b/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml @@ -0,0 +1,15 @@ +--- +features: + - | + Add ``use_random_fully`` setting to allow an operator to disable + the iptables random-fully property on an iptable rules. +issues: + - | + If the ``use_random_fully`` setting is disabled, it will prevent + random fully from being used and if there're 2 guests in different + networks using the same source_ip and source_port and they try to + reach the same dest_ip and dest_port, packets might be dropped in + the kernel do to the racy tuple generation . Disabling this + setting should only be done if source_port is really important such + as in network firewall ACLs and that the source_ip are never repeating + within the platform.