openstack/nova
Code Issues Proposed changes

change the firewall debugging for clarity

Browse Source 
When we are building rules ensure we log the instance['id'] so
we can actually correlate the iptables output to UUID for the
instance.

Also bundle up the security group to iptables translation to a
final view of the world instead of the piecemeal rule at a time
view.

Display what rules are being skipped in the add process, as the
skips seem to happen a lot. If this is completely normal we should
probably delete the bit entirely at some later point.

Related-Bug: #1298472

Change-Id: I0e90c3af9bf908b733ed895ad7c204b0a95ef786
This commit is contained in:
Sean Dague
2014-07-03 08:00:39 -04:00
parent 399166bbef
commit d7ce7cccbc
2 changed files with 9 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
nova/network/linux_net.py
View File

@@ -267,7 +267,9 @@ class IptablesTable(object):
rule_obj = IptablesRule(chain, rule, wrap, top) rule_obj = IptablesRule(chain, rule, wrap, top)
if rule_obj in self.rules: if rule_obj in self.rules:
LOG.debug("Skipping duplicate iptables rule addition") LOG.debug("Skipping duplicate iptables rule addition. "
"%(rule)r already in %(rules)r",
{'rule': rule_obj, 'rules': self.rules})
else: else:
self.rules.append(IptablesRule(chain, rule, wrap, top)) self.rules.append(IptablesRule(chain, rule, wrap, top))
self.dirty = True self.dirty = True

15
nova/virt/firewall.py
View File

@@ -180,9 +180,11 @@ class IptablesFirewallDriver(FirewallDriver):
ipv4_rules, ipv6_rules = self.instance_rules(instance, network_info) ipv4_rules, ipv6_rules = self.instance_rules(instance, network_info)
self.add_filters_for_instance(instance, network_info, ipv4_rules, self.add_filters_for_instance(instance, network_info, ipv4_rules,
ipv6_rules) ipv6_rules)
LOG.debug('Filters added to instance', instance=instance) LOG.debug('Filters added to instance: %s', instance['id'],
instance=instance)
self.refresh_provider_fw_rules() self.refresh_provider_fw_rules()
LOG.debug('Provider Firewall Rules refreshed', instance=instance) LOG.debug('Provider Firewall Rules refreshed: %s', instance['id'],
instance=instance)
# Ensure that DHCP request rule is updated if necessary # Ensure that DHCP request rule is updated if necessary
if (self.dhcp_create and not self.dhcp_created): if (self.dhcp_create and not self.dhcp_created):
self.iptables.ipv4['filter'].add_rule( self.iptables.ipv4['filter'].add_rule(
@@ -363,9 +365,6 @@ class IptablesFirewallDriver(FirewallDriver):
rules = rules_cls.get_by_security_group(ctxt, security_group) rules = rules_cls.get_by_security_group(ctxt, security_group)
for rule in rules: for rule in rules:
LOG.debug('Adding security group rule: %r', rule,
instance=instance)
if not rule['cidr']: if not rule['cidr']:
version = 4 version = 4
else: else:
@@ -393,7 +392,6 @@ class IptablesFirewallDriver(FirewallDriver):
elif protocol == 'icmp': elif protocol == 'icmp':
args += self._build_icmp_rule(rule, version) args += self._build_icmp_rule(rule, version)
if rule['cidr']: if rule['cidr']:
LOG.debug('Using cidr %r', rule['cidr'], instance=instance)
args += ['-s', str(rule['cidr'])] args += ['-s', str(rule['cidr'])]
fw_rules += [' '.join(args)] fw_rules += [' '.join(args)]
else: else:
@@ -417,11 +415,10 @@ class IptablesFirewallDriver(FirewallDriver):
subrule = args + ['-s %s' % ip] subrule = args + ['-s %s' % ip]
fw_rules += [' '.join(subrule)] fw_rules += [' '.join(subrule)]
LOG.debug('Using fw_rules: %r', fw_rules, instance=instance)
ipv4_rules += ['-j $sg-fallback'] ipv4_rules += ['-j $sg-fallback']
ipv6_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback']
LOG.debug('Security Groups %s translated to ipv4: %r, ipv6: %r',
security_groups, ipv4_rules, ipv6_rules, instance=instance)
return ipv4_rules, ipv6_rules return ipv4_rules, ipv6_rules
def instance_filter_exists(self, instance, network_info): def instance_filter_exists(self, instance, network_info):