Avoid re-adding iptables rules for instances that have disappeared

The remove_filters_for_instance() method fails silently if the
instance's chain is gone (i.e. it's been deleted). If this
happens while we're refreshing security group rules, we will
not notice this case and re-add stale rules for an old instance,
breaking our firewall for new instances.

This adds a quick check after we've captured the lock to see if
the associated chain exists, and bails if it doesn't.

Change-Id: Ic75988939f82de49735d85fe99a9eecd4baf45c9
Related-bug: #1182131
Dan Smith
2014-07-03 08:09:39 -07:00
parent c4080c9760
commit 6aa368b992
3 changed files with 38 additions and 0 deletions


@@ -24,6 +24,7 @@ from nova import objects
from nova.objects import security_group as security_group_obj
from nova.objects import security_group_rule as security_group_rule_obj
from nova.openstack.common.gettextutils import _
from nova.openstack.common.gettextutils import _LI
from nova.openstack.common import importutils
from nova.openstack.common import log as logging
from nova import utils
@@ -442,6 +443,13 @@ class IptablesFirewallDriver(FirewallDriver):
@utils.synchronized('iptables', external=True)
def _inner_do_refresh_rules(self, instance, network_info, ipv4_rules,
ipv6_rules):
chain_name = self._instance_chain_name(instance)
if not self.iptables.ipv4['filter'].has_chain(chain_name):
LOG.info(
_LI('instance chain %s disappeared during refresh, '
'skipping') % chain_name,
instance=instance)
return
self.remove_filters_for_instance(instance)
self.add_filters_for_instance(instance, network_info, ipv4_rules,
ipv6_rules)
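Review bot: The new disappearance guard on the `has_chain` line consults only `self.iptables.ipv4['filter']`, yet the method goes on to re-add `ipv6_rules` as well; if the IPv6 chain can be torn down independently of the IPv4 one, stale IPv6 rules would still be re-added for a gone instance. If both chains are always created and removed together (which the rest of the driver presumably ensures, but it is not visible here) the single check is sufficient, and a comment stating that would make the intent explicit, e.g. `# ipv4 chain presence stands in for both tables; per-instance chains are created and removed together`. The log call also interpolates eagerly with `%`; the lazy form keeps the translation marker intact and defers formatting: `LOG.info(_LI('instance chain %s disappeared during refresh, skipping'), chain_name, instance=instance)`.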