Bug 1787488

Summary: [egressIP] The iptables rules related to a stale egress IP were not removed.
Product: OpenShift Container Platform
Reporter: huirwang
Component: Networking
Assignee: Dan Winship <danw>
Networking sub component: openshift-sdn
QA Contact: huirwang
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
CC: aconstan, aivaras.laimikis, ajohn, bbennett, bshirren, cdc, jnordell, openshift-bugs-escalate, rhowe, rsunog
Version: 4.3.0
Target Milestone: ---
Target Release: 4.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: A previous Egress IP bugfix did not fully clean up after removed Egress IPs.
Consequence: Harmless extra iptables rules could be left behind on a node in some cases.
Fix: The extra rules are now removed if they are no longer being used.
Result: No extra rules.
Story Points: ---
Clones: 1797042, 1797043, 1797044, 1797045
Last Closed: 2020-05-04 11:22:00 UTC
Type: Bug
Regression: ---
Documentation: ---
Bug Blocks: 1797042, 1797043, 1797044, 1797045

Description huirwang 2020-01-03 05:26:08 UTC
Description of problem:
The iptables rules related to the stale egress IP were not removed.

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2020-01-02-214950

How reproducible:
Always

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1762235. That bug only fixed the issue that the stale egress IP was not cleaned from the interface; however, the iptables rule related to the stale egress IP still existed. So this new bug was opened to track the iptables rule part.

Steps to Reproduce:
1. Manually patch the egress IP to the first HostSubnet, say A, and patch the egress IP to new projects;
NAME                                         HOST                                         HOST IP        SUBNET          EGRESS CIDRS   EGRESS IPS
ip-10-0-139-12.us-east-2.compute.internal    ip-10-0-139-12.us-east-2.compute.internal    10.0.139.12    10.129.0.0/23                  
ip-10-0-140-212.us-east-2.compute.internal   ip-10-0-140-212.us-east-2.compute.internal   10.0.140.212   10.131.0.0/23                  [10.0.139.200]
2. On the node with the egress IP, kill the sdn pod and prevent it from being restarted in the following way:
   a. sysctl -w net.ipv4.ip_forward=0
   b. Delete sdn pod

3. Remove the egress IP from the old HostSubnet it is on and add it to a different HostSubnet.
ip-10-0-139-12.us-east-2.compute.internal    ip-10-0-139-12.us-east-2.compute.internal    10.0.139.12    10.129.0.0/23                  [10.0.139.200]
ip-10-0-140-212.us-east-2.compute.internal   ip-10-0-140-212.us-east-2.compute.internal   10.0.140.212   10.131.0.0/23                  

4. Let the old sdn pod start:
   sysctl -w net.ipv4.ip_forward=1
5. Check the interface and the iptables rules on the old node.

Actual results:
sh-4.4# ip ad | grep ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    inet 10.0.140.212/20 brd 10.0.143.255 scope global dynamic noprefixroute ens3

sh-4.4# iptables-save | grep 10.0.139.200
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b4 -j SNAT --to-source 10.0.139.200
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.139.200/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable


Expected results:
The iptables rules related to the stale egress IP should be removed.

Additional info:
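
A node-side check for the leftover rules shown in the "Actual results" above, added here as an example; it is not code from the bug report or from openshift-sdn. It parses iptables-save output for the two rule shapes the report quotes (the SNAT --to-source rule in OPENSHIFT-MASQUERADE and the -d <ip>/32 REJECT rule in OPENSHIFT-FIREWALL-ALLOW) and reports any egress IP that the node's HostSubnet no longer lists. The sample iptables-save text, the address 10.0.140.250, the second mark value and the expected-IP list are constructed for the example.

```shell
#!/bin/sh
# Constructed iptables-save sample (not a real capture) modelled on the "Actual results"
# above: the node now owns 10.0.140.250 (made-up), but rules for 10.0.139.200 remain.
SAMPLE_RULES='*nat
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b4 -j SNAT --to-source 10.0.139.200
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x2a3b4c5 -j SNAT --to-source 10.0.140.250
COMMIT
*filter
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.139.200/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.140.250/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Egress IPs the node's HostSubnet currently lists (on a real node, take them from the
# EGRESS IPS column of "oc get hostsubnet"); hypothetical value, space separated.
EXPECTED_EGRESS_IPS='10.0.140.250'

# egress_ips_in_rules RULES: print every IP an openshift-sdn egress rule refers to, one
# per line, de-duplicated: SNAT --to-source in OPENSHIFT-MASQUERADE and
# "-d <ip>/32 ... -j REJECT" in OPENSHIFT-FIREWALL-ALLOW, the two shapes in the report.
egress_ips_in_rules() {
    printf '%s\n' "$1" | awk '
        /^-A OPENSHIFT-MASQUERADE / && /-j SNAT/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-source") print $(i + 1)
        }
        /^-A OPENSHIFT-FIREWALL-ALLOW / && /-j REJECT/ {
            for (i = 1; i <= NF; i++) if ($i == "-d") { sub("/32$", "", $(i + 1)); print $(i + 1) }
        }' | sort -u
}

# stale_egress_ips RULES EXPECTED: print the IPs that still have rules but are no longer
# in EXPECTED; returns 1 when at least one stale rule exists, 0 otherwise.
stale_egress_ips() {
    stale=''
    for ip in $(egress_ips_in_rules "$1"); do
        case " $2 " in
            *" $ip "*) ;;            # still assigned to this node
            *) stale="$stale $ip" ;; # leftover from a removed egress IP
        esac
    done
    if [ -n "$stale" ]; then
        printf '%s\n' "${stale# }"
        return 1
    fi
    return 0
}

stale_egress_ips "$SAMPLE_RULES" "$EXPECTED_EGRESS_IPS" || echo "stale egress rules found (listed above)"
```

On a real node, feed the check with `iptables-save` output and the HostSubnet's egress IP list instead of the constructed sample; a non-zero exit means rules for an egress IP the node no longer owns are still installed.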

Comment 9 errata-xmlrpc 2020-05-04 11:22:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581