Merge "Allow operator to disable usage of random-fully" into stable/ussuri

Zuul 2022-08-30 21:30:36 +00:00 committed by Gerrit Code Review
commit fdacb80cc9
3 changed files with 22 additions and 0 deletions


@ -498,6 +498,10 @@ class IptablesManager(object):
version = self._get_version() version = self._get_version()
self.__class__._random_fully = utils.is_version_greater_equal( self.__class__._random_fully = utils.is_version_greater_equal(
version, n_const.IPTABLES_RANDOM_FULLY_VERSION) version, n_const.IPTABLES_RANDOM_FULLY_VERSION)
self._random_fully = self._random_fully and \
cfg.CONF.AGENT.use_random_fully
return self._random_fully return self._random_fully
@property @property
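Review bot: The config gate on the two added lines is stored on the instance (`self._random_fully = self._random_fully and cfg.CONF.AGENT.use_random_fully`) while the version check just above it is cached on the class (`self.__class__._random_fully = ...`), so the two caches now disagree: the class-level value stays version-only and is never gated by `use_random_fully`. If the property short-circuits on a cached non-None `_random_fully` earlier in the method (that part is outside the hunk), a later IptablesManager instance would read the class attribute and silently ignore the operator's setting. Folding the option into the single class-level assignment avoids the split: `self.__class__._random_fully = (utils.is_version_greater_equal(version, n_const.IPTABLES_RANDOM_FULLY_VERSION) and cfg.CONF.AGENT.use_random_fully)`. The hunk header counts four added lines but only two are rendered here, so blank lines may have been dropped by the page; the enclosing property starts before the hunk.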

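--- a/UNKNOWN_PATH_AGENT_CONFIG
+++ b/UNKNOWN_PATH_AGENT_CONFIG
@@ -139,6 +139,9 @@ IPTABLES_OPTS = [
 "of iptables-save. This option should not be turned "
 "on for production systems because it imposes a "
 "performance penalty.")),
+cfg.BoolOpt('use_random_fully',
+default=True,
+help=_("Use random-fully in SNAT masquerade rules.")),
 ]
 PROCESS_MONITOR_OPTS = [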
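Review bot: The help text for the new `use_random_fully` option says what it does but not what disabling it costs, whereas the release note in this same commit describes the dropped-packet race when two guests share a source ip/port behind the same SNAT; operators who only read the generated sample config never see that caveat. Suggest carrying the trade-off into the option itself, e.g. `help=_("Use random-fully in SNAT masquerade rules. Disable only when preserving the source port matters more than avoiding packet drops from racy NAT tuple generation, and only if source IPs never repeat within the platform.")`. The option is read as `cfg.CONF.AGENT.use_random_fully` in the first file section, so registration under the AGENT group is presumably intended; worth confirming IPTABLES_OPTS is registered there.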

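--- /dev/null
+++ b/UNKNOWN_PATH_RELEASENOTE
@@ -0,0 +1,15 @@
+---
+features:
+- |
+Add ``use_random_fully`` setting to allow an operator to disable
+the iptables random-fully property on an iptable rules.
+issues:
+- |
+If the ``use_random_fully`` setting is disabled, it will prevent
+random fully from being used and if there're 2 guests in different
+networks using the same source_ip and source_port and they try to
+reach the same dest_ip and dest_port, packets might be dropped in
+the kernel do to the racy tuple generation . Disabling this
+setting should only be done if source_port is really important such
+as in network firewall ACLs and that the source_ip are never repeating
+within the platform.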