Bug 1273380 - [networking_91]Start firewalld will flush the iptable rules
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Networking
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Dan Winship
QA Contact: Meng Bo
Reported: 2015-10-20 06:37 EDT by Yan Du
Modified: 2016-05-12 13:11 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-05-12 13:11:23 EDT
Type: Bug

Description Yan Du 2015-10-20 06:37:31 EDT
Description of problem:
Create some pods/services, then try to start firewalld; the rules in iptables will be flushed.

Version-Release number of selected component (if applicable):

oc v1.0.6-701-g9b8d973
kubernetes v1.1.0-alpha.1-653-g86b4e77

docker version
Client version: 1.7.1
Client API version: 1.19
Package Version (client): docker-1.7.1-115.el7.x86_64
Go version (client): go1.4.2
Git commit (client): 446ad9b/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Package Version (server): docker-1.7.1-115.el7.x86_64
Go version (server): go1.4.2
Git commit (server): 446ad9b/1.7.1
OS/Arch (server): linux/amd64

rpm -qa | grep firewall
firewalld-0.3.9-11.el7.noarch


How reproducible:
Always

Steps to Reproduce:
1. Create some pods/services
2. Check the iptables rules
# iptables -t nat -nL
3. Start firewalld
# systemctl start firewalld
4. Check the iptables rules again


Actual results:
step2:

Chain KUBE-PORTALS-CONTAINER (1 references)
target     prot opt source               destination         
REDIRECT   tcp  --  0.0.0.0/0            172.30.141.242       /* test1/bluegreen-example-old:8080-tcp */ tcp dpt:8080 redir ports 38972
REDIRECT   tcp  --  0.0.0.0/0            172.30.154.216       /* test1/bluegreen-example-new:8080-tcp */ tcp dpt:8080 redir ports 44774
REDIRECT   tcp  --  0.0.0.0/0            172.30.118.71        /* test2/recreate-example: */ tcp dpt:8080 redir ports 42763
REDIRECT   tcp  --  0.0.0.0/0            172.30.0.1           /* default/kubernetes:https */ tcp dpt:443 redir ports 43702

Chain KUBE-PORTALS-HOST (1 references)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            172.30.141.242       /* test1/bluegreen-example-old:8080-tcp */ tcp dpt:8080 to:172.18.15.236:38972
DNAT       tcp  --  0.0.0.0/0            172.30.154.216       /* test1/bluegreen-example-new:8080-tcp */ tcp dpt:8080 to:172.18.15.236:44774
DNAT       tcp  --  0.0.0.0/0            172.30.118.71        /* test2/recreate-example: */ tcp dpt:8080 to:172.18.15.236:42763
DNAT       tcp  --  0.0.0.0/0            172.30.0.1           /* default/kubernetes:https */ tcp dpt:443 to:172.18.15.236:43702


step4:
[root@ip-172-18-15-236 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
PREROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
PREROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
PREROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         

Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination         
POST_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain POSTROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain POSTROUTING_direct (1 references)
target     prot opt source               destination         

Chain POST_public (1 references)
target     prot opt source               destination         
POST_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
POST_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
POST_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain POST_public_allow (1 references)
target     prot opt source               destination         

Chain POST_public_deny (1 references)
target     prot opt source               destination         

Chain POST_public_log (1 references)
target     prot opt source               destination         

Chain PREROUTING_ZONES (1 references)
target     prot opt source               destination         
PRE_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain PREROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain PREROUTING_direct (1 references)
target     prot opt source               destination         

Chain PRE_public (1 references)
target     prot opt source               destination         
PRE_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
PRE_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
PRE_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain PRE_public_allow (1 references)
target     prot opt source               destination         

Chain PRE_public_deny (1 references)
target     prot opt source               destination         

Chain PRE_public_log (1 references)
target     prot opt source               destination         


Expected results:
iptables rules won't be flushed

Additional info:
Issue could not be reproduced in the latest kubernetes env
Comment 1 Dan Winship 2015-10-22 15:50:36 EDT
> Issue could not be reproduced in the latest kubernetes env

meaning what exactly?

As of the last kubernetes rebase in origin, this should not be a problem any more.
Comment 2 Yan Du 2015-10-23 02:58:59 EDT
Hi, Dan Winship

Actually I tested after this rebase PR had been merged, https://github.com/openshift/origin/pull/5143 , and all the code related to https://github.com/kubernetes/kubernetes/pull/12396 was already in the origin test env, but it seems the iptables rules are still flushed after starting firewalld.
Comment 4 Dan Winship 2015-12-09 15:11:31 EST
With latest origin starting firewalld should not flush firewall rules. (Or rather, it will still flush them, but OpenShift will recreate them immediately after.)
Comment 5 Yan Du 2015-12-10 02:32:32 EST
Test on latest origin code (devenv_rhel7_2913)

The rules were flushed when starting firewalld, and then the rules could be recreated immediately.

Move bug to verified. Thanks.

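The check a practitioner would want for both the reproduction steps in the report and the post-rebase behaviour described in comments 4 and 5 (firewalld still flushes the nat table, but OpenShift's kube-proxy recreates the rules right afterwards) is a before/after diff of the KUBE-* rules plus a short poll for their return. The script below is an added example written for this page; it is not code from the bug, from firewalld or from OpenShift. It works on `iptables-save -t nat` output rather than the `iptables -nL` listing quoted above, the `SAMPLE_*` dumps are constructed from the IPs, ports and comments in the report (the exact `-A` rule syntax is assumed), and the function names (`missing_rules`, `missing_services`, `wait_for_rules`, `reproduce_live`) are hypothetical. The live reproduction only runs when invoked with the `live` argument, because it starts firewalld.

```shell
#!/bin/sh
# Added example (not from the bug report): compare the KUBE-* nat rules before
# and after "systemctl start firewalld", then poll for kube-proxy recreating them.
# SAMPLE_* are constructed iptables-save dumps mirroring the report's step 2
# (rules present) and step 4 (table flushed); the exact rule text is assumed.
LC_ALL=C; export LC_ALL

SAMPLE_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:KUBE-PORTALS-CONTAINER - [0:0]
:KUBE-PORTALS-HOST - [0:0]
-A PREROUTING -j KUBE-PORTALS-CONTAINER
-A KUBE-PORTALS-CONTAINER -d 172.30.141.242/32 -p tcp -m comment --comment "test1/bluegreen-example-old:8080-tcp" -m tcp --dport 8080 -j REDIRECT --to-ports 38972
-A KUBE-PORTALS-CONTAINER -d 172.30.0.1/32 -p tcp -m comment --comment "default/kubernetes:https" -m tcp --dport 443 -j REDIRECT --to-ports 43702
-A KUBE-PORTALS-HOST -d 172.30.141.242/32 -p tcp -m comment --comment "test1/bluegreen-example-old:8080-tcp" -m tcp --dport 8080 -j DNAT --to-destination 172.18.15.236:38972
-A KUBE-PORTALS-HOST -d 172.30.0.1/32 -p tcp -m comment --comment "default/kubernetes:https" -m tcp --dport 443 -j DNAT --to-destination 172.18.15.236:43702
COMMIT'

# What firewalld leaves behind: only its own zone chains, no KUBE-* rules.
SAMPLE_FLUSHED='*nat
:PREROUTING ACCEPT [0:0]
:PREROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PRE_public - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING_ZONES -g PRE_public
COMMIT'

# After kube-proxy re-syncs: firewalld's chains plus the original KUBE-* rules.
SAMPLE_RESTORED="$(printf '%s\n' "$SAMPLE_FLUSHED" | grep -v '^COMMIT$')
$(printf '%s\n' "$SAMPLE_BEFORE" | grep -E '^-A KUBE-')
COMMIT"

# Filter: keep only the KUBE-* rule lines of an iptables-save dump, sorted.
kube_rules() { grep -E '^-A KUBE-' | sort; }

# missing_rules BEFORE AFTER: KUBE-* rules present in BEFORE but absent from AFTER.
missing_rules() {
    mr_b=$(mktemp); mr_a=$(mktemp)
    printf '%s\n' "$1" | kube_rules >"$mr_b"
    printf '%s\n' "$2" | kube_rules >"$mr_a"
    comm -23 "$mr_b" "$mr_a"
    rm -f "$mr_b" "$mr_a"
}

# missing_count BEFORE AFTER: number of such rules (0 means nothing was lost).
missing_count() { missing_rules "$1" "$2" | awk 'END { print NR }'; }

# missing_services BEFORE AFTER: the namespace/service:port comments kube-proxy
# attaches to its rules, for the rules that went missing, one per line.
missing_services() {
    missing_rules "$1" "$2" | sed -n 's/.*--comment "\([^"]*\)".*/\1/p' | sort -u
}

# wait_for_rules EXPECTED [TIMEOUT]: poll the live nat table until every KUBE-*
# rule in EXPECTED is back, or TIMEOUT seconds (default 30) elapse. Needs root.
wait_for_rules() {
    wf_i=0
    while [ "$wf_i" -lt "${2:-30}" ]; do
        wf_now=$(iptables-save -t nat 2>/dev/null || true)
        [ "$(missing_count "$1" "$wf_now")" -eq 0 ] && return 0
        sleep 1; wf_i=$((wf_i + 1))
    done
    return 1
}

# reproduce_live: steps 2-4 of the report against this host. It starts
# firewalld, so only run it on a disposable node: "sh this_script.sh live".
reproduce_live() {
    rl_before=$(iptables-save -t nat)
    systemctl start firewalld
    rl_after=$(iptables-save -t nat)
    echo "KUBE-* rules missing right after firewalld start: $(missing_count "$rl_before" "$rl_after")"
    if wait_for_rules "$rl_before" 30; then
        echo "all KUBE-* rules recreated within 30s (the behaviour comment 4 describes)"
    else
        echo "rules still missing after 30s (the behaviour the report describes):"
        missing_rules "$rl_before" "$(iptables-save -t nat)"
        return 1
    fi
}

case "${1:-}" in
    live) reproduce_live ;;
    *)
        echo "constructed sample, rules lost when firewalld flushed the nat table:"
        missing_rules "$SAMPLE_BEFORE" "$SAMPLE_FLUSHED"
        echo "services whose portal rules were lost:"
        missing_services "$SAMPLE_BEFORE" "$SAMPLE_FLUSHED"
        echo "rules still missing after kube-proxy re-sync: $(missing_count "$SAMPLE_BEFORE" "$SAMPLE_RESTORED")"
        ;;
esac
```

Run without arguments it only exercises the constructed dumps; `sh script.sh live` as root performs the report's steps on the host. A non-zero `missing_count` immediately after the start is expected even with the fix, since firewalld still flushes the table; what distinguishes the fixed behaviour is that `wait_for_rules` returns within a few seconds because kube-proxy's periodic sync has put the KUBE-* rules back.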