Description of problem:
The iptables rules related to a stale egress IP were not removed.
Version-Release number of selected component (if applicable):
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1762235. That bug only fixed the issue that the stale egress IP was not cleaned up from the interface; the iptables rules related to the stale egress IP still exist. This new bug is opened to track the iptables rule part.
Steps to Reproduce:
1. Manually patch an egress IP to the first HostSubnet, say A, and patch the egress IP to a new project:
NAME                                         HOST                                         HOST IP        SUBNET          EGRESS CIDRS   EGRESS IPS
ip-10-0-139-12.us-east-2.compute.internal    ip-10-0-139-12.us-east-2.compute.internal    10.0.139.12    10.129.0.0/23
ip-10-0-140-212.us-east-2.compute.internal   ip-10-0-140-212.us-east-2.compute.internal   10.0.140.212   10.131.0.0/23                  [10.0.139.200]
2. On the node with the egress IP, kill the sdn pod and prevent it from being restarted in the following way:
a. sysctl -w net.ipv4.ip_forward=0
b. Delete sdn pod
3. Remove the egress IP from the old HostSubnet it is on and add it to a different HostSubnet:
NAME                                         HOST                                         HOST IP        SUBNET          EGRESS CIDRS   EGRESS IPS
ip-10-0-139-12.us-east-2.compute.internal    ip-10-0-139-12.us-east-2.compute.internal    10.0.139.12    10.129.0.0/23                  [10.0.139.200]
ip-10-0-140-212.us-east-2.compute.internal   ip-10-0-140-212.us-east-2.compute.internal   10.0.140.212   10.131.0.0/23
4. Let the old sdn pod start:
sysctl -w net.ipv4.ip_forward=1
5. Check the interface and iptables on the old node:
sh-4.4# ip ad | grep ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
inet 10.0.140.212/20 brd 10.0.143.255 scope global dynamic noprefixroute ens3
sh-4.4# iptables-save | grep 10.0.139.200
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b4 -j SNAT --to-source 10.0.139.200
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.139.200/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
The iptables rules related to the stale egress IP should be removed.
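One way to detect this condition on a node, as an added example that is not part of the bug report or of openshift-sdn itself: compare the egress IPs actually assigned to the node's HostSubnet with the egress-IP-specific rules in the two SDN chains shown above (the SNAT rule in OPENSHIFT-MASQUERADE and the REJECT rule in OPENSHIFT-FIREWALL-ALLOW) and report any rule that refers to an IP the node no longer owns. The iptables-save sample and the empty egress IP list are constructed from the values in the report; the function names are this example's own.

```python
"""
Added example (not from the bug report or openshift-sdn): find egress-IP
iptables rules on a node that refer to an egress IP the node's HostSubnet
no longer lists. Sample input is constructed from the report above.
"""
import re

# Chains in which openshift-sdn installs per-egress-IP rules, as seen in the
# report. Rules in any other chain are ignored.
EGRESS_CHAINS = ("OPENSHIFT-MASQUERADE", "OPENSHIFT-FIREWALL-ALLOW")

RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<spec>.*)$")
SNAT_RE = re.compile(r"--to-source (?P<ip>\d+\.\d+\.\d+\.\d+)")
DST_RE = re.compile(r"-d (?P<ip>\d+\.\d+\.\d+\.\d+)/32")


def egress_ip_of_rule(line):
    """Return the egress IP an SDN rule refers to, or None for unrelated rules."""
    m = RULE_RE.match(line.strip())
    if not m or m.group("chain") not in EGRESS_CHAINS:
        return None
    spec = m.group("spec")
    if m.group("chain") == "OPENSHIFT-MASQUERADE":
        # SNAT of pod traffic to the egress IP
        s = SNAT_RE.search(spec)
        return s.group("ip") if s and "-j SNAT" in spec else None
    # REJECT of new inbound connections to the egress IP
    s = DST_RE.search(spec)
    return s.group("ip") if s and "-j REJECT" in spec else None


def stale_egress_rules(iptables_save, assigned_egress_ips):
    """Return (ip, rule) pairs whose egress IP is not assigned to this node."""
    assigned = set(assigned_egress_ips)
    stale = []
    for line in iptables_save.splitlines():
        ip = egress_ip_of_rule(line)
        if ip is not None and ip not in assigned:
            stale.append((ip, line.strip()))
    return stale


# Constructed sample: iptables-save output on the old node after step 5,
# with one unrelated rule per chain added for contrast.
SAMPLE_IPTABLES = """\
*nat
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -m mark --mark 0x1d5f3b4 -j SNAT --to-source 10.0.139.200
-A OPENSHIFT-MASQUERADE -s 10.128.0.0/14 -j MASQUERADE
COMMIT
*filter
-A OPENSHIFT-FIREWALL-ALLOW -d 10.0.139.200/32 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-FIREWALL-ALLOW -s 10.128.0.0/14 -j ACCEPT
COMMIT
"""

# Constructed: after step 3 the old node's HostSubnet lists no egress IPs.
OLD_NODE_EGRESS_IPS = []

if __name__ == "__main__":
    for ip, rule in stale_egress_rules(SAMPLE_IPTABLES, OLD_NODE_EGRESS_IPS):
        print(f"stale egress IP {ip}: {rule}")
```

On a real node the first argument would be the output of `iptables-save` and the second the node's HostSubnet egressIPs field (for example from `oc get hostsubnet <node> -o jsonpath='{.egressIPs}'`, assumed here). Rules reported by this check are candidates for cleanup by restarting the sdn pod once the fix is in place, or for confirming the bug is still present.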
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.