Description of problem:
The iptables rules related to a stale egress IP were not removed.

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2020-01-02-214950

How reproducible:
Always

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1762235. That bug only fixed the issue that the stale egress IP was not cleaned from the interface; however, the iptables rules related to the stale egress IP still existed. So this new bug is opened to track the iptables rule part.

Steps to Reproduce:
1. Manually patch an egress IP to the first HostSubnet, say A, and patch the egress IP to new projects:

NAME                                        HOST                                        HOST IP        SUBNET          EGRESS CIDRS   EGRESS IPS
ip-10-0-139-12.us-east-2.compute.internal   ip-10-0-139-12.us-east-2.compute.internal   10.0.139.12    10.129.0.0/23
ip-10-0-140-212.us-east-2.compute.internal  ip-10-0-140-212.us-east-2.compute.internal  10.0.140.212   10.131.0.0/23                  [10.0.139.200]

2. On the node with the egress IP, kill the sdn pod and prevent it from being restarted in the following way:
   a. sysctl -w net.ipv4.ip_forward=0
   b. Delete the sdn pod
3. Remove the egress IP from the old HostSubnet it's on and add it to a different HostSubnet:

NAME                                        HOST                                        HOST IP        SUBNET          EGRESS CIDRS   EGRESS IPS
ip-10-0-139-12.us-east-2.compute.internal   ip-10-0-139-12.us-east-2.compute.internal   10.0.139.12    10.129.0.0/23                  [10.0.139.200]
ip-10-0-140-212.us-east-2.compute.internal  ip-10-0-140-212.us-east-2.compute.internal  10.0.140.212   10.131.0.0/23

4. Let the old sdn pod start:
   sysctl -w net.ipv4.ip_forward=1
5. Check the interface and iptables on the old node.

Actual results:
sh-4.4# ip ad | grep ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    inet 10.0.140.212/20 brd 10.0.143.255 scope global dynamic noprefixroute ens3
sh-4.4# iptables-save | grep 10.0.139.200
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b4 -j SNAT --to-source 10.0.139.200
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.139.200/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable

The egress IP was removed from the interface, but the iptables rules for it are still present.

Expected results:
The iptables rules related to the stale egress IP should be removed.

Additional info:
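As an added example (not from the bug report or the openshift-sdn code), a POSIX shell check that parses an iptables-save dump for the two egress-IP rule shapes quoted above (the OPENSHIFT-MASQUERADE SNAT rule and the OPENSHIFT-FIREWALL-ALLOW REJECT rule) and reports any egress IP that still has rules but is no longer assigned to the node's HostSubnet. The sample dump is constructed, and the `oc ... -o jsonpath` call in the closing comment is an assumed way of fetching the assigned list.

```shell
#!/bin/sh
# Detect stale egress-IP iptables rules: IPs that still appear in the
# OPENSHIFT-MASQUERADE SNAT / OPENSHIFT-FIREWALL-ALLOW REJECT rules
# although the HostSubnet no longer assigns them to this node.

# Constructed sample dump: 10.0.139.200 mirrors the rules quoted in the
# bug, 10.0.140.250 is a second (constructed) egress IP for contrast.
SAMPLE_DUMP='-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b4 -j SNAT --to-source 10.0.139.200
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.139.200/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b5 -j SNAT --to-source 10.0.140.250
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.140.250/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable'

# egress_ips_in_rules DUMP
# Prints the sorted, unique egress IPs referenced by either rule shape.
egress_ips_in_rules() {
    printf '%s\n' "$1" | awk '
        /^-A OPENSHIFT-MASQUERADE / && /-j SNAT --to-source/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-source") print $(i + 1)
        }
        /^-A OPENSHIFT-FIREWALL-ALLOW / && /-j REJECT/ {
            for (i = 1; i <= NF; i++) if ($i == "-d") {
                sub(/\/32$/, "", $(i + 1)); print $(i + 1)
            }
        }' | sort -u
}

# stale_egress_rules DUMP "ip1 ip2 ..."
# Prints every IP that has egress rules in DUMP but is not in the
# space-separated list of IPs currently assigned to this node.
stale_egress_rules() {
    dump="$1"
    assigned="$2"
    for ip in $(egress_ips_in_rules "$dump"); do
        case " $assigned " in
            *" $ip "*) ;;                    # still assigned: rules expected
            *) printf '%s\n' "$ip" ;;        # rules left behind: stale
        esac
    done
}

# Stand-alone run on the constructed dump: only 10.0.140.250 is assigned,
# so 10.0.139.200 is reported as stale.
stale_egress_rules "$SAMPLE_DUMP" "10.0.140.250"

# On a real node (assumed invocation, not from the bug report):
# stale_egress_rules "$(iptables-save)" \
#   "$(oc get hostsubnet "$(hostname)" -o jsonpath='{.egressIPs[*]}')"
```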
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581