[Touch-packages] [Bug 1898547] Re: neutron-linuxbridge-agent fails to start with iptables 1.8.5

Launchpad Bug Tracker Mon, 02 Nov 2020 03:21:27 -0800

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: iptables (Ubuntu)
       Status: New => Confirmed


-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1898547

Title:
  neutron-linuxbridge-agent fails to start with iptables 1.8.5

Status in iptables package in Ubuntu:
  Confirmed
Status in neutron package in Ubuntu:
  Invalid

Bug description:
  Ubuntu Groovy (20.10)
  kernel 5.8.0-20-generic
  neutron-linuxbridge-agent: 2:17.0.0~git2020091014.215a541bd4-0ubuntu1
  iptables: 1.8.5-3ubuntu1 (nf_tables)
  iptables-restore points to xtables-nft-multi

  After upgrading iptables from 1.8.4 to 1.8.5 and rebooting the neutron 
network node, neutron-linuxbridge-agent didn't properly start anymore.
  The log file shows many errors like:

  2020-10-05 10:20:37.998 551 ERROR
  neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr:
  iptables-restore: line 29 failed

  Downgrading iptables to 1.8.4 solves the problem.

  Trying to do what the linuxbridge agent does:
  2020-10-05 10:20:37.998 551 ERROR 
neutron.plugins.ml2.drivers.agent._common_agent *filter
  2020-10-05 10:20:37.998 551 ERROR 
neutron.plugins.ml2.drivers.agent._common_agent :FORWARD - [0:0]

  shows that

  iptables-restore <<EOF
  *filter
  :INPUT - [0:0]
  COMMIT
  EOF

  works fine with iptables 1.8.4 but fails with 1.8.5

  
  Workaround

  It seems neutron-linuxbridge agent tries to create the default chains (like 
INPUT) with a "-" as policy. By making sure the chains already exist (and are 
shown with iptables-save) the agent doesn't try to create those default chains 
and the agent starts fine.
  So just running:
  sudo iptables -F OUTPUT
  sudo iptables -F OUTPUT -t raw
  sudo ip6tables -F OUTPUT
  sudo ip6tables -F OUTPUT -t raw

  is enough to get neutron-linuxbridge-agent working with iptables
  1.8.5.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1898547/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1898547] Re: neutron-linuxbridge-agent fails to start with iptables 1.8.5

Reply via email to