Bug 1787488 - [egressIP] The iptables related to stale egress ip was not removed.
Summary: [egressIP] The iptables related to stale egress ip was not removed.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.4.0
Assignee: Dan Winship
QA Contact: huirwang
URL:
Whiteboard:
Depends On:
Blocks: 1797042 1797043 1797044 1797045
Reported: 2020-01-03 05:26 UTC by huirwang
Modified: 2024-03-25 15:36 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A previous Egress IP bugfix did not fully clean up after removed Egress IPs.
Consequence: Harmless extra iptables rules could be left behind on a node in some cases.
Fix: The extra rules are now removed if they are no longer being used.
Result: No extra rules.
Clone Of:
Clones: 1797042 1797043 1797044 1797045
Environment:
Last Closed: 2020-05-04 11:22:00 UTC
Target Upstream Version:
Embargoed:


Links
GitHub openshift/sdn pull 88 (closed): "Bug 1787488: Clean up stale egress IP iptables rules on startup", last updated 2021-01-26 06:17:51 UTC
Red Hat Knowledge Base Solution 4902611, last updated 2020-03-13 12:28:13 UTC
Red Hat Product Errata RHBA-2020:0581, last updated 2020-05-04 11:22:46 UTC

Description huirwang 2020-01-03 05:26:08 UTC
Description of problem:
The iptables related to stale egress ip was not removed.

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2020-01-02-214950

How reproducible:
Always

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1762235. That bug only fixed the issue that the stale egress IP was not cleaned from the interface; however, the iptables rule related to the stale egress IP still existed. So this new bug is opened to track the iptables rule part.

Steps to Reproduce:
1. Manually patch the egress IP to the first HostSubnet, say A, and patch the egress IP to new projects:
NAME                                         HOST                                         HOST IP        SUBNET          EGRESS CIDRS   EGRESS IPS
ip-10-0-139-12.us-east-2.compute.internal    ip-10-0-139-12.us-east-2.compute.internal    10.0.139.12    10.129.0.0/23                  
ip-10-0-140-212.us-east-2.compute.internal   ip-10-0-140-212.us-east-2.compute.internal   10.0.140.212   10.131.0.0/23                  [10.0.139.200]
2. On the node with the egress IP, kill the sdn pod and prevent it from being restarted in the following way:
   a. sysctl -w net.ipv4.ip_forward=0
   b. Delete sdn pod

3. Remove the egress IP from the old HostSubnet it's on and add it to a different HostSubnet:
ip-10-0-139-12.us-east-2.compute.internal    ip-10-0-139-12.us-east-2.compute.internal    10.0.139.12    10.129.0.0/23                  [10.0.139.200]
ip-10-0-140-212.us-east-2.compute.internal   ip-10-0-140-212.us-east-2.compute.internal   10.0.140.212   10.131.0.0/23                  

4. Let the old sdn pod start
   sysctl -w net.ipv4.ip_forward=1
5. Check interface, iptables on the old node

Actual results:
sh-4.4# ip ad | grep ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    inet 10.0.140.212/20 brd 10.0.143.255 scope global dynamic noprefixroute ens3

sh-4.4# iptables-save | grep 10.0.139.200
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b4 -j SNAT --to-source 10.0.139.200
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.139.200/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable


Expected results:
The iptables rules related to the stale egress IP should be removed.

Additional info:
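
A node-side check an operator could use to spot the condition described in this report, added here as an example that is not part of the bug report or of the openshift/sdn fix: it lists egress IPs that still have SNAT rules in OPENSHIFT-MASQUERADE or REJECT rules in OPENSHIFT-FIREWALL-ALLOW but are no longer assigned to any interface. The sample inputs are constructed from the outputs quoted above, with an extra still-valid egress IP 10.0.140.250 as a control.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output on the old node: the rules for
# 10.0.139.200 are stale (address moved away), 10.0.140.250 is still assigned.
IPTABLES_SAVE_SAMPLE='*nat
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b4 -j SNAT --to-source 10.0.139.200
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b5 -j SNAT --to-source 10.0.140.250
COMMIT
*filter
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.139.200/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.140.250/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample of `ip -4 addr` output on the same node.
IP_ADDR_SAMPLE='2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    inet 10.0.140.212/20 brd 10.0.143.255 scope global dynamic noprefixroute ens3
    inet 10.0.140.250/20 scope global secondary ens3'

# Print, one per line, every IP referenced by an egress SNAT or egress REJECT
# rule that is not configured on any interface.
#   $1 = iptables-save output, $2 = "ip -4 addr" output
# On a real node: stale_egress_ips "$(iptables-save)" "$(ip -4 addr)"
stale_egress_ips() {
    rules=$(printf '%s\n' "$1" | awk '
        /^-A OPENSHIFT-MASQUERADE .*-j SNAT --to-source/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-source") print $(i+1) }
        /^-A OPENSHIFT-FIREWALL-ALLOW .*-j REJECT/ {
            for (i = 1; i <= NF; i++) if ($i == "-d") { sub(/\/32$/, "", $(i+1)); print $(i+1) } }
    ' | sort -u)
    # Addresses actually present on the host, prefix length stripped.
    assigned=$(printf '%s\n' "$2" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2 }' | sort -u)
    assigned_list=" $(printf '%s' "$assigned" | tr '\n' ' ') "
    for ip in $rules; do
        case "$assigned_list" in
            *" $ip "*) ;;                     # rule still backed by a real address
            *) printf '%s\n' "$ip" ;;         # stale: rule present, address gone
        esac
    done
}
```

Any address printed is a candidate for the leftover rules this bug describes; an empty result means every egress rule on the node still matches a configured address.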

Comment 9 errata-xmlrpc 2020-05-04 11:22:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

