Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1489407

Summary: l3-agent.log flooded with 'Duplicate iptables rule detected.' by iptables_manager
Product: Red Hat OpenStack
Reporter: Irina Petrova <ipetrova>
Component: openstack-neutron
Assignee: Daniel Alvarez Sanchez <dalvarez>
Status: CLOSED ERRATA
QA Contact: Toni Freger <tfreger>
Severity: medium
Docs Contact:
Priority: medium
Version: 10.0 (Newton)
CC: amuller, chrisw, dalvarez, ipetrova, mzheng, nyechiel, pablo.iranzo, srevivo
Target Milestone: z6
Keywords: TestOnly, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-neutron-9.4.1-1.el7ost
Doc Type: If docs needed, set a value
Last Closed: 2017-11-15 13:53:31 UTC
Type: Bug

Description Irina Petrova 2017-09-07 11:53:57 UTC
Description of problem:

[...@collab-shell neutron]$ awk -F'WARNING' '{print $2}' l3-agent.log | sort -u

 neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
 neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
 neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff
 neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697

[...@collab-shell neutron]$ head -n1 l3-agent.log 
9-06 09:29:46.057 4050 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT

[...@collab-shell neutron]$ tail -n1 l3-agent.log 
2017-09-06 09:29:51.105 4050 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT

[...@collab-shell neutron]$ wc -l l3-agent.log 
38792 l3-agent.log


Version-Release number of selected component (if applicable):
RHOS-10

$ grep neutron ../../../installed-rpms 
openstack-neutron-9.2.0-2.el7ost.noarch                     Thu Apr 20 12:28:32 2017  <<<<<<<<<<<<<<<<<<
openstack-neutron-bigswitch-agent-9.40.0-1.1.el7ost.noarch  Mon Dec 12 18:01:15 2016
openstack-neutron-bigswitch-lldp-9.40.0-1.1.el7ost.noarch   Mon Dec 12 18:00:37 2016
openstack-neutron-common-9.2.0-2.el7ost.noarch              Thu Apr 20 12:28:31 2017
openstack-neutron-lbaas-9.1.0-4.el7ost.noarch               Thu Apr 20 12:28:55 2017
openstack-neutron-metering-agent-9.2.0-2.el7ost.noarch      Thu Apr 20 12:28:55 2017
openstack-neutron-ml2-9.2.0-2.el7ost.noarch                 Thu Apr 20 12:28:32 2017
openstack-neutron-openvswitch-9.2.0-2.el7ost.noarch         Thu Apr 20 12:28:55 2017
openstack-neutron-sriov-nic-agent-9.2.0-2.el7ost.noarch     Thu Apr 20 12:28:55 2017
puppet-neutron-9.5.0-1.el7ost.noarch                        Thu Apr 20 12:28:57 2017
python-neutron-9.2.0-2.el7ost.noarch                        Thu Apr 20 12:28:31 2017
python-neutron-lbaas-9.1.0-4.el7ost.noarch                  Thu Apr 20 12:28:32 2017
python-neutron-lib-0.4.0-1.el7ost.noarch                    Mon Dec 12 18:00:05 2016
python-neutron-tests-9.2.0-2.el7ost.noarch                  Thu Apr 20 12:28:57 2017
python-neutronclient-6.0.0-2.el7ost.noarch                  Mon Dec 12 17:59:56 2016
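
An added example, not part of the original report: it extends the `awk ... | sort -u` check above to count each duplicate rule and report the time window the warnings span. The function names (`dup_rule_summary`, `dup_rule_window`, `sample_log`) are hypothetical and the sample lines are constructed to match the log format shown in the description.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): triage of duplicate-rule warnings.

# Count each distinct rule named after "Line: "; prints count<TAB>chain<TAB>rule.
dup_rule_summary() {
    awk '
        /WARNING neutron\.agent\.linux\.iptables_manager/ && /Duplicate iptables rule detected/ {
            i = index($0, "Line: ")
            if (i == 0) next
            rule = substr($0, i + 6)
            sub(/[ \t\r]+$/, "", rule)
            count[rule]++
        }
        END {
            for (r in count) {
                n = split(r, f, " ")
                chain = (n >= 2 && f[1] == "-A") ? f[2] : "?"
                printf "%d\t%s\t%s\n", count[r], chain, r
            }
        }' "$1" | sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# Report how many warnings there are and the time window they span.
# Lines whose date field is cut off (like the head -n1 line above) are
# counted but left out of the window.
dup_rule_window() {
    awk '
        /Duplicate iptables rule detected/ {
            total++
            if ($1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) {
                ts = $1 " " $2
                if (first == "") first = ts
                last = ts
            } else truncated++
        }
        END { printf "total=%d truncated=%d first=%s last=%s\n", total, truncated, first, last }' "$1"
}

# Constructed sample input, modelled on the log lines in the report.
sample_log() {
    m='WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line:'
    printf '%s\n' \
        "9-06 09:29:46.057 4050 $m -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT" \
        "2017-09-06 09:29:46.100 4050 $m -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP" \
        "2017-09-06 09:29:47.000 4050 INFO neutron.agent.l3.agent [-] constructed unrelated line" \
        "2017-09-06 09:29:51.105 4050 $m -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT"
}

tmp=$(mktemp) && sample_log > "$tmp"
dup_rule_summary "$tmp"; dup_rule_window "$tmp"; rm -f "$tmp"
```

A large count over a window of a few seconds, as in the log above, shows the warnings come from repeated rule regeneration rather than a single event.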

Comment 2 Assaf Muller 2017-09-11 13:20:09 UTC
Assigned to Daniel for RCA.

Comment 3 Daniel Alvarez Sanchez 2017-09-11 16:05:02 UTC
Hi,

May I have some details about the environment? The sosreport is not available in the collab-shell anymore. Was that an HA router?
There was a bug [0] where applying the metadata rules was attempted again on standby nodes when updating an HA router; the fix was merged [1] and it's present on OSP10 as of openstack-neutron-9.4.1*.

As the version in this bug is earlier, would it be possible to upgrade to the latest OSP10 and check if the duplicate rules are still seen in the logs?

Thanks,
Daniel

[0] https://bugs.launchpad.net/neutron/+bug/1658460
[1] https://review.openstack.org/#/c/423804/

Comment 7 Daniel Alvarez Sanchez 2017-09-19 07:33:32 UTC
Hi Irina, thanks a lot.
I'd say that openstack-neutron-9.4.1-1.el7ost will fix it.
Should you need some assistance from my side, please let me know.

Daniel

Comment 8 Lon Hohberger 2017-10-10 18:09:45 UTC
According to our records, this should be resolved by openstack-neutron-9.4.1-1.el7ost.  This build is available now.

Comment 11 errata-xmlrpc 2017-11-15 13:53:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3234