[Bug 1898547] Re: neutron-linuxbridge-agent fails to start with iptables 1.8.5
Albert Damen
1898547 at bugs.launchpad.net
Wed Oct 21 17:43:48 UTC 2020
I could reproduce the issue by building git v1.8.5 and the issue was
fixed after cherry-picking "iptables-nft: fix basechain policy
configuration"
$ git log
commit 8d985eb4eb7a23fd98b75d71179af40169144cc5 (HEAD -> bug1898547)
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Fri Oct 2 13:44:36 2020 +0200
iptables-nft: fix basechain policy configuration
Previous to this patch, the basechain policy could not be properly
configured if it wasn't explicitly set when loading the ruleset, leading
to iptables-nft-restore (and ip6tables-nft-restore) trying to send an
invalid ruleset to the kernel.
Signed-off-by: Arturo Borrero Gonzalez <arturo at netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 14ac250946289e280fb09ef978a45042871275b0 (tag: v1.8.5)
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Wed Jun 3 11:37:52 2020 +0200
configure: bump version for 1.8.5 release
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
** Also affects: iptables (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1898547
Title:
neutron-linuxbridge-agent fails to start with iptables 1.8.5
Status in iptables package in Ubuntu:
New
Status in neutron package in Ubuntu:
Invalid
Bug description:
Ubuntu Groovy (20.10)
kernel 5.8.0-20-generic
neutron-linuxbridge-agent: 2:17.0.0~git2020091014.215a541bd4-0ubuntu1
iptables: 1.8.5-3ubuntu1 (nf_tables)
iptables-restore points to xtables-nft-multi
After upgrading iptables from 1.8.4 to 1.8.5 and rebooting the neutron network node, neutron-linuxbridge-agent didn't properly start anymore.
The log file shows many errors like:
2020-10-05 10:20:37.998 551 ERROR
neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr:
iptables-restore: line 29 failed
Downgrading iptables to 1.8.4 solves the problem.
Trying to do what the linuxbridge agent does:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent *filter
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent :FORWARD - [0:0]
shows that
iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF
works fine with iptables 1.8.4 but fails with 1.8.5.
Workaround
It seems neutron-linuxbridge-agent tries to create the default chains (like INPUT) with a "-" as policy. By making sure the chains already exist (and are shown with iptables-save), the agent doesn't try to create those default chains and the agent starts fine.
So just running:
sudo iptables -F OUTPUT
sudo iptables -F OUTPUT -t raw
sudo ip6tables -F OUTPUT
sudo ip6tables -F OUTPUT -t raw
is enough to get neutron-linuxbridge-agent working with iptables 1.8.5.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1898547/+subscriptions
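The failing input in the report is a builtin chain declared with the "-" placeholder policy (`:INPUT - [0:0]`), which iptables-legacy treats as "leave the policy alone" but unpatched iptables-nft 1.8.5 turns into an invalid basechain. The following is an added example, not code from the bug report, from neutron or from iptables: it parses an `iptables-save` snapshot, rewrites a neutron-style restore fragment so every builtin chain carries an explicit policy taken from that snapshot, and lists the builtin chains the fragment references that do not yet exist (the ones the reporter's flush workaround pre-creates). The `iptables-save` and neutron fragment texts are constructed for the example; the assumption that a builtin chain absent from the snapshot should get ACCEPT (the kernel's default for a newly created basechain) is marked in the code.

```python
"""Make builtin-chain policies explicit in an iptables-restore fragment.

Added example for bug 1898547; not part of neutron or iptables.
Run stand-alone: python3 explicit_policy.py
"""
import re

# Builtin chains per table (iptables(8)).  Chains not listed here are
# user-defined and legitimately carry "-" as their "policy".
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}

# ":CHAIN POLICY [packets:bytes]" as written by iptables-save.
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")

# Constructed iptables-save output: raw/PREROUTING and filter/INPUT,FORWARD
# exist; raw/OUTPUT and filter/OUTPUT were never created on this node.
SAMPLE_SAVE = """\
# Generated by iptables-save v1.8.5 (constructed sample)
*raw
:PREROUTING ACCEPT [10:800]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# Constructed fragment in the shape the report shows the agent emitting:
# builtin chains declared with "-" so the existing policy is not touched.
NEUTRON_FRAGMENT = """\
*raw
:PREROUTING - [0:0]
:OUTPUT - [0:0]
COMMIT
*filter
:INPUT - [0:0]
:FORWARD - [0:0]
:OUTPUT - [0:0]
:neutron-linuxbri-INPUT - [0:0]
-A INPUT -j neutron-linuxbri-INPUT
COMMIT
"""


def _chain_lines(text):
    """Yield (table, match, raw_line) for every chain declaration in text."""
    table = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("*"):
            table = stripped[1:]
        elif stripped.startswith(":") and table is not None:
            m = CHAIN_RE.match(stripped)
            if m:
                yield table, m, line


def parse_policies(save_output):
    """Map (table, chain) -> policy string from iptables-save output."""
    return {(table, m.group(1)): m.group(2) for table, m, _ in _chain_lines(save_output)}


def missing_builtin_chains(restore_input, live_policies):
    """Builtin chains the fragment declares that the live snapshot lacks.

    These are the chains the agent would have to create with "-" as policy,
    i.e. the ones the reporter's workaround pre-creates by flushing them.
    """
    return [
        (table, m.group(1))
        for table, m, _ in _chain_lines(restore_input)
        if m.group(1) in BUILTIN_CHAINS.get(table, set())
        and (table, m.group(1)) not in live_policies
    ]


def explicit_policies(restore_input, live_policies, default="ACCEPT"):
    """Replace "-" on builtin chains with the live policy (or `default`).

    Returns (rewritten_text, [(table, chain, policy_used), ...]).  User-defined
    chains keep "-".  ASSUMPTION: a builtin chain not present in the snapshot
    gets `default`, matching the kernel's accept default for a new basechain.
    """
    rewritten, changed, table = [], [], None
    for line in restore_input.splitlines():
        stripped = line.strip()
        if stripped.startswith("*"):
            table = stripped[1:]
        m = CHAIN_RE.match(stripped) if stripped.startswith(":") else None
        if m and m.group(2) == "-" and m.group(1) in BUILTIN_CHAINS.get(table, set()):
            policy = live_policies.get((table, m.group(1)), default)
            changed.append((table, m.group(1), policy))
            line = f":{m.group(1)} {policy} [{m.group(3)}:{m.group(4)}]"
        rewritten.append(line)
    return "\n".join(rewritten) + "\n", changed


def precreate_commands(missing, binary="iptables"):
    """Shell commands mirroring the reporter's workaround for each missing chain."""
    return [f"{binary} -t {table} -F {chain}" for table, chain in missing]


if __name__ == "__main__":
    live = parse_policies(SAMPLE_SAVE)
    text, changes = explicit_policies(NEUTRON_FRAGMENT, live)
    print(text)
    print("rewritten:", changes)
    print("\n".join(precreate_commands(missing_builtin_chains(NEUTRON_FRAGMENT, live))))
```

The rewrite is meant as a preprocessing step between generating the fragment and piping it to `iptables-restore`, and it is safe only when the snapshot is fresh: the "-" placeholder under the legacy backend means "keep the current policy", so the substituted value must be the policy that is actually in effect. Note also that `iptables -F CHAIN`, as in the workaround, removes any rules already in that chain, so check `iptables-save` before pre-creating chains on a node that has other firewall rules.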