Bug 1273380

Summary: [networking_91] Starting firewalld flushes the iptables rules
Product: OKD
Reporter: Yan Du <yadu>
Component: Networking
Assignee: Dan Winship <danw>
Status: CLOSED CURRENTRELEASE
QA Contact: Meng Bo <bmeng>
Severity: medium
Priority: medium
Version: 3.x
CC: aos-bugs, eparis, erich, kzhang
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-05-12 17:11:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Yan Du 2015-10-20 10:37:31 UTC
Description of problem:
Create some pods/services, then try to start firewalld; the iptables rules will be flushed.

Version-Release number of selected component (if applicable):

oc v1.0.6-701-g9b8d973
kubernetes v1.1.0-alpha.1-653-g86b4e77

docker version
Client version: 1.7.1
Client API version: 1.19
Package Version (client): docker-1.7.1-115.el7.x86_64
Go version (client): go1.4.2
Git commit (client): 446ad9b/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Package Version (server): docker-1.7.1-115.el7.x86_64
Go version (server): go1.4.2
Git commit (server): 446ad9b/1.7.1
OS/Arch (server): linux/amd64

rpm -qa | grep firewall
firewalld-0.3.9-11.el7.noarch


How reproducible:
Always

Steps to Reproduce:
1. Create some pods/services
2. Check the iptables rules
# iptables -t nat -nL
3. Start firewalld
# systemctl start firewalld
4. Check the iptables rules again


Actual results:
Step 2:

Chain KUBE-PORTALS-CONTAINER (1 references)
target     prot opt source               destination         
REDIRECT   tcp  --  0.0.0.0/0            172.30.141.242       /* test1/bluegreen-example-old:8080-tcp */ tcp dpt:8080 redir ports 38972
REDIRECT   tcp  --  0.0.0.0/0            172.30.154.216       /* test1/bluegreen-example-new:8080-tcp */ tcp dpt:8080 redir ports 44774
REDIRECT   tcp  --  0.0.0.0/0            172.30.118.71        /* test2/recreate-example: */ tcp dpt:8080 redir ports 42763
REDIRECT   tcp  --  0.0.0.0/0            172.30.0.1           /* default/kubernetes:https */ tcp dpt:443 redir ports 43702

Chain KUBE-PORTALS-HOST (1 references)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            172.30.141.242       /* test1/bluegreen-example-old:8080-tcp */ tcp dpt:8080 to:172.18.15.236:38972
DNAT       tcp  --  0.0.0.0/0            172.30.154.216       /* test1/bluegreen-example-new:8080-tcp */ tcp dpt:8080 to:172.18.15.236:44774
DNAT       tcp  --  0.0.0.0/0            172.30.118.71        /* test2/recreate-example: */ tcp dpt:8080 to:172.18.15.236:42763
DNAT       tcp  --  0.0.0.0/0            172.30.0.1           /* default/kubernetes:https */ tcp dpt:443 to:172.18.15.236:43702


Step 4:
[root@ip-172-18-15-236 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
PREROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
PREROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
PREROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         

Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination         
POST_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain POSTROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain POSTROUTING_direct (1 references)
target     prot opt source               destination         

Chain POST_public (1 references)
target     prot opt source               destination         
POST_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
POST_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
POST_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain POST_public_allow (1 references)
target     prot opt source               destination         

Chain POST_public_deny (1 references)
target     prot opt source               destination         

Chain POST_public_log (1 references)
target     prot opt source               destination         

Chain PREROUTING_ZONES (1 references)
target     prot opt source               destination         
PRE_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain PREROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain PREROUTING_direct (1 references)
target     prot opt source               destination         

Chain PRE_public (1 references)
target     prot opt source               destination         
PRE_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
PRE_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
PRE_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain PRE_public_allow (1 references)
target     prot opt source               destination         

Chain PRE_public_deny (1 references)
target     prot opt source               destination         

Chain PRE_public_log (1 references)
target     prot opt source               destination         


Expected results:
The iptables rules are not flushed.

Additional info:
The issue could not be reproduced in the latest kubernetes env.

Comment 1 Dan Winship 2015-10-22 19:50:36 UTC
> The issue could not be reproduced in the latest kubernetes env.

meaning what exactly?

As of the last kubernetes rebase in origin, this should not be a problem any more.

Comment 2 Yan Du 2015-10-23 06:58:59 UTC
Hi, Dan Winship

Actually, I tested after this rebase PR had been merged (https://github.com/openshift/origin/pull/5143), and all the code related to https://github.com/kubernetes/kubernetes/pull/12396 was already in the origin test env, but it seems the iptables rules are still flushed after starting firewalld.

Comment 4 Dan Winship 2015-12-09 20:11:31 UTC
With latest origin starting firewalld should not flush firewall rules. (Or rather, it will still flush them, but OpenShift will recreate them immediately after.)

Comment 5 Yan Du 2015-12-10 07:32:32 UTC
Test on latest origin code (devenv_rhel7_2913)

The rules were flushed when starting firewalld, and then the rules were recreated immediately.

Moving the bug to verified. Thanks.
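The verification in comments 4 and 5 boils down to a concrete check: take a snapshot of the nat table before `systemctl start firewalld`, take more snapshots afterwards, and confirm that every `KUBE-*` service rule that was present before comes back once the proxy re-syncs. The following Python is an added example (not code from this bug, OpenShift or Kubernetes) that parses `iptables -t nat -nL` output into chains and rules, reports which service rules are missing from a later snapshot, and returns how many polls it took for them to return. The snapshots embedded below are constructed from the output quoted in the description (trimmed to a few rules); the function names and the idea of passing a list of snapshots instead of polling a live host are assumptions made so the logic runs offline.

```python
"""Compare `iptables -t nat -nL` snapshots taken around a firewalld start.

Added example, not code from the bug report or from OpenShift/Kubernetes.
The sample snapshots are constructed from the output quoted in the bug.
"""
import re
from typing import Dict, List, Tuple

# (target, prot, source, destination, extra); `extra` holds the
# "/* namespace/service:port */ ..." comment and the DNAT/REDIRECT details.
Rule = Tuple[str, str, str, str, str]

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy \w+|\d+ references)\)$")


def parse_iptables_list(text: str) -> Dict[str, List[Rule]]:
    """Turn `iptables -nL` output into {chain: [rules]}.

    Empty chains are kept as empty lists, so a chain that still exists but
    lost its rules is distinguishable from one that was deleted entirely.
    """
    chains: Dict[str, List[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("target"):
            continue  # column header, or text before the first chain
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # not a rule line in the -nL layout
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        chains[current].append((target, prot, src, dst, extra))
    return chains


def service_chains(chains: Dict[str, List[Rule]], prefix: str = "KUBE-") -> Dict[str, List[Rule]]:
    """Only the proxy-managed chains (KUBE-PORTALS-* in the bug's output)."""
    return {name: rules for name, rules in chains.items() if name.startswith(prefix)}


def missing_service_rules(before: Dict[str, List[Rule]], after: Dict[str, List[Rule]],
                          prefix: str = "KUBE-") -> Dict[str, List[Rule]]:
    """Rules of prefixed chains present in `before` but absent from `after`.

    Whole tuples are compared, so a rule counts as restored only if it still
    points the same service VIP at the same proxy port. Returns {} when
    nothing is lost.
    """
    lost: Dict[str, List[Rule]] = {}
    for chain, rules in service_chains(before, prefix).items():
        present = set(after.get(chain, []))
        gone = [r for r in rules if r not in present]
        if gone:
            lost[chain] = gone
    return lost


def services_in(chains: Dict[str, List[Rule]], prefix: str = "KUBE-") -> set:
    """`namespace/service:port` names that currently have a rule, taken from
    the rule comments; useful to say which services are unreachable while
    the rules are gone."""
    names = set()
    for rules in service_chains(chains, prefix).values():
        for *_, extra in rules:
            m = re.search(r"/\*\s*(\S+)\s*\*/", extra)
            if m:
                names.add(m.group(1))
    return names


def wait_for_recovery(reference: Dict[str, List[Rule]],
                      snapshots: List[Dict[str, List[Rule]]],
                      prefix: str = "KUBE-") -> int:
    """Index of the first post-start snapshot in which every service rule
    from `reference` is back, or -1 if none of them has it. On a live host
    the snapshots would come from re-running `iptables -t nat -nL` once a
    second; here they are passed in (assumption for an offline run)."""
    for i, snap in enumerate(snapshots):
        if not missing_service_rules(reference, snap, prefix):
            return i
    return -1


# Constructed from the step 2 output in the bug (before firewalld starts).
BEFORE = """\
Chain KUBE-PORTALS-CONTAINER (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            172.30.141.242       /* test1/bluegreen-example-old:8080-tcp */ tcp dpt:8080 redir ports 38972
REDIRECT   tcp  --  0.0.0.0/0            172.30.0.1           /* default/kubernetes:https */ tcp dpt:443 redir ports 43702

Chain KUBE-PORTALS-HOST (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            172.30.141.242       /* test1/bluegreen-example-old:8080-tcp */ tcp dpt:8080 to:172.18.15.236:38972
DNAT       tcp  --  0.0.0.0/0            172.30.0.1           /* default/kubernetes:https */ tcp dpt:443 to:172.18.15.236:43702
"""

# Constructed from the step 4 output: only firewalld's own chains remain.
FLUSHED = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0
PREROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0

Chain PREROUTING_ZONES (1 references)
target     prot opt source               destination
PRE_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
"""

# Constructed: a later snapshot after the proxy has re-synced its rules
# (the behaviour described in comments 4 and 5).
RECOVERED = FLUSHED + "\n" + BEFORE

if __name__ == "__main__":
    before = parse_iptables_list(BEFORE)
    polls = [parse_iptables_list(FLUSHED), parse_iptables_list(FLUSHED),
             parse_iptables_list(RECOVERED)]
    print("lost right after start:", sorted(missing_service_rules(before, polls[0])))
    print("services affected:", sorted(services_in(before) - services_in(polls[0])))
    print("recovered at poll:", wait_for_recovery(before, polls))
```

Run on a real host, the reference snapshot and each poll would be the text of `iptables -t nat -nL`; a recovery index of -1 after a reasonable number of polls is the failure this bug reports, while an index of 0 or 1 matches the "flushed, then recreated immediately" result in comment 5. The window between the flush and the re-sync is the period during which the service VIPs in the comments are unreachable, which is why the check compares rule by rule rather than just counting chains.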