Allow operator to disable usage of random-fully
In some specific use cases, the cloud operator expects the source port of a packet to stay the same across all masquerading layers up to the destination host. With the implementation of the random-fully code, this behavior was changed, as source_port is always rewritten no matter which type of architecture / network CIDRs are being used in the backend. This setting allows a user to fall back to the original behavior of the masquerading process, which is to keep the source_port consistent across all layers.

The initial random-fully fix prevents packet drops when duplicate tuples are generated from two different namespaces when the source_ip:source_port goes toward the same destination, so enabling this setting would allow this issue to show again. Perhaps a right approach here would be to fix this "racy" situation in the kernel, perhaps by using the MAC address as a seed to the tuple ...

Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
Closes-bug: #1987396
parent 7a743ad1d9
commit bbefe5285e
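The collision the commit message describes, modelled as an added example (this is not Neutron's code and not part of the commit). Two router namespaces serve overlapping tenant CIDRs, so both carry a guest 10.0.0.5:40000 towards the same destination; each router SNATs to its own external address, and an upstream port-preserving NAT folds both onto one public address. The addresses, the port numbers, the two-layer topology and the value of IPTABLES_RANDOM_FULLY_VERSION are all assumptions made for the demonstration, and snat_rule() only mirrors how the patch gates the flag (iptables version and the new option), not the agent's real rule builder:

```python
"""Model of the SNAT tuple clash that --random-fully avoids.

Added example, not Neutron's code. The two-layer topology, the addresses and
the port numbers are constructed for the demonstration; the value of
IPTABLES_RANDOM_FULLY_VERSION is assumed (Neutron keeps it in n_const).
"""
import functools
import random
from dataclasses import dataclass, replace

IPTABLES_RANDOM_FULLY_VERSION = (1, 6, 2)  # assumed value


def snat_rule(iptables_version, use_random_fully, ext_ip):
    """Rule text for one router, gated the way the patch gates it: the flag
    is emitted only with a new enough iptables AND use_random_fully=True."""
    rule = "-j SNAT --to-source %s" % ext_ip
    if iptables_version >= IPTABLES_RANDOM_FULLY_VERSION and use_random_fully:
        rule += " --random-fully"
    return rule


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def snat_layer(flows, ext_ip, pick_port=None):
    """One masquerading layer. Port-preserving NAT (pick_port=None) keeps the
    original source port, the behaviour the commit message calls original;
    with --random-fully the kernel draws a fresh port for every flow."""
    out = []
    for f in flows:
        port = f.src_port if pick_port is None else pick_port()
        out.append(replace(f, src_ip=ext_ip, src_port=port))
    return out


def confirm(flows):
    """Conntrack confirmation at the last NAT hop. Both flows were translated
    concurrently (the race in the commit message), so both reach this point,
    and the one whose post-NAT tuple is already in the table is dropped."""
    table, delivered, dropped = set(), [], []
    for f in flows:
        if f in table:
            dropped.append(f)
        else:
            table.add(f)
            delivered.append(f)
    return delivered, dropped


def simulate(use_random_fully, pick_port=None):
    """Run one guest flow from each of two router namespaces through the
    per-router SNAT and then the upstream port-preserving NAT."""
    if use_random_fully and pick_port is None:
        rng = random.Random(2023)  # stands in for the kernel's port randomisation
        pick_port = functools.partial(rng.randint, 1024, 65535)
    router_picker = pick_port if use_random_fully else None

    # Overlapping tenant networks: same guest address and port in both routers.
    guest = Flow("10.0.0.5", 40000, "198.51.100.10", 443)
    ns1 = snat_layer([guest], "203.0.113.11", router_picker)
    ns2 = snat_layer([guest], "203.0.113.12", router_picker)
    # The upstream NAT is outside the operator's control and keeps ports.
    upstream = snat_layer(ns1 + ns2, "198.51.100.1")
    return confirm(upstream)


if __name__ == "__main__":
    for setting in (False, True):
        delivered, dropped = simulate(setting)
        print("use_random_fully=%s: delivered %d, dropped %d"
              % (setting, len(delivered), len(dropped)))
    print(snat_rule((1, 8, 7), True, "203.0.113.11"))
    print(snat_rule((1, 8, 7), False, "203.0.113.11"))
```

With use_random_fully=False both flows reach the upstream NAT with source port 40000 and collapse onto the same tuple, so one is dropped; with the flag on, the per-router ports differ and both survive. The simulation takes its random ports from an injectable picker so the outcome can be pinned in a test; the real kernel offers no such hook, which is why the commit message calls the situation racy.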
@@ -497,6 +497,10 @@ class IptablesManager(object):
             version = self._get_version()
             self.__class__._random_fully = utils.is_version_greater_equal(
                 version, n_const.IPTABLES_RANDOM_FULLY_VERSION)
+
+            self._random_fully = self._random_fully and \
+                cfg.CONF.AGENT.use_random_fully
+
         return self._random_fully

     @property
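Review bot: the new assignment stores the option-adjusted value on the instance (`self._random_fully = self._random_fully and \`) while the cached value stays on the class (`self.__class__._random_fully = utils.is_version_greater_equal(`), so any other IptablesManager that reads the class-level cache gets the version-only answer and never sees use_random_fully = False. Fold the option into the cached value instead, for example `self.__class__._random_fully = (cfg.CONF.AGENT.use_random_fully and utils.is_version_greater_equal(version, n_const.IPTABLES_RANDOM_FULLY_VERSION))`, which also avoids the iptables version probe when the option is off. Minor style point: the backslash continuation could be a parenthesised expression, which is the form the surrounding code already uses.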
@@ -134,6 +134,9 @@ IPTABLES_OPTS = [
                    "of iptables-save. This option should not be turned "
                    "on for production systems because it imposes a "
                    "performance penalty.")),
+    cfg.BoolOpt('use_random_fully',
+                default=True,
+                help=_("Use random-fully in SNAT masquerade rules.")),
 ]

 PROCESS_MONITOR_OPTS = [
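Review bot: the help text for `use_random_fully` should carry the trade-off, because "Use random-fully in SNAT masquerade rules." gives an operator no reason not to switch it off, while the commit message says doing so brings back dropped packets. Suggested wording: "Use random-fully in SNAT masquerade rules. Disabling this keeps the original source port across masquerading layers, but two instances in different networks that share a source IP and port towards the same destination may then have packets dropped." The value is read as cfg.CONF.AGENT.use_random_fully in the first hunk, so please confirm that IPTABLES_OPTS is registered under the AGENT group; that registration is not visible here.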
releasenotes/notes/use_random_fully-527b20bc524c308a.yaml (new file, 15 lines)
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    Add ``use_random_fully`` setting to allow an operator to disable
+    the iptables random-fully property on an iptable rules.
+issues:
+  - |
+    If the ``use_random_fully`` setting is disabled, it will prevent
+    random fully from being used and if there're 2 guests in different
+    networks using the same source_ip and source_port and they try to
+    reach the same dest_ip and dest_port, packets might be dropped in
+    the kernel do to the racy tuple generation . Disabling this
+    setting should only be done if source_port is really important such
+    as in network firewall ACLs and that the source_ip are never repeating
+    within the platform.
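Review bot: the release note has several typos that will ship into the rendered documentation and should be fixed before merge: "do to the racy tuple generation ." should read "due to the racy tuple generation.", "on an iptable rules" should be "on iptables rules", "there're 2 guests" should be "there are two guests", and "the source_ip are never repeating" should be "source IPs never repeat". The note should also state that the option defaults to True, so existing deployments keep the current random-fully behaviour; the config hunk sets that default but nothing in the note says so.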