Bug 1653384 - [3.7] firewalld reload causes namespace wide egress IP to stop working
Summary: [3.7] firewalld reload causes namespace wide egress IP to stop working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.7.1
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.7.z
Assignee: Dan Winship
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-26 17:02 UTC by Dan Winship
Modified: 2019-08-07 15:02 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Egress IP-related iptables rules were not recreated if they got deleted. Consequence: If a user restarted firewalld or iptables.service on a node that hosted egress IPs, then those egress IPs would stop working. (Traffic that should have used the egress IP would use the node's normal IP instead.) Fix: Egress IP iptables rules are now recreated if they are removed. Result: Egress IPs work reliably.
Clone Of: 1643304
Environment:
Last Closed: 2019-08-07 15:02:36 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift ose pull 1476 0 None None None 2018-11-26 17:13:07 UTC

Comment 1 Dan Winship 2018-11-26 17:13:07 UTC 
https://github.com/openshift/ose/pull/1476
Comment 2 Weibin Liang 2018-12-11 14:41:04 UTC 
Tested and passed in v3.7.76

[root@host-172-16-122-9 ~]# iptables -t nat -L | grep 161
SNAT       all  --  10.128.0.0/14        anywhere             mark match 0x73cf7e to:172.16.122.161
[root@host-172-16-122-9 ~]# firewall-cmd --reload
success
[root@host-172-16-122-9 ~]# iptables -t nat -L | grep 161
SNAT       all  --  10.128.0.0/14        anywhere             mark match 0x73cf7e to:172.16.122.161
[root@host-172-16-122-9 ~]#
Note You need to log in before you can comment on or make changes to this bug.