neutron删除vpn时,iptables规则没有删除的bug修复
来源:互联网 发布:灵云网络机顶合s3刷机 编辑:程序博客网 时间:2024/05/16 05:07
本人新开博客,主要从事openstack的二次开发,熟悉各个模块。博客主要会写一些平时遇到的问题及解决办法,希望能够帮到初涉云计算尤其是openstack的朋友,如果需要转载请注明出处:http://blog.csdn.net/ivy_feifei,有什么问题欢迎留言讨论,如博文有误,欢迎指出,谢谢!
bug描述:当删除vpn时,对应的iptables规则没有删除:
1
2
3
Chain neutron-vpn-agen-POSTROUTING (1 references) pkts bytes target prot opt in out source destination 2 168 ACCEPT all -- * * 10.10.10.0/24 9.9.9.0/24 policy match dir out pol ipsec 查看日志:
1
2
2014-12-01 15:36:30.732 36570 WARNING neutron.agent.linux.iptables_manager [req-3ff1e7a5-e7b5-4338-85f9-2d5466b6ccba None] Tried to remove rule that was not there: 'POSTROUTING' u'-s 10.10.10.0/24 -d 9.9.9.0/24 -m policy --dir out --pol ipsec -j ACCEPT ' True False貌似规则没有正确匹配。
查看代码:
1 这里主要是删除router里的iptables规则
1
2
3
4
5
6
7
8
9
10
11
12
13
def destroy_router(self, process_id): """Handling destroy_router event. Agent calls this method, when the process namespace is deleted. """ if process_id in self.processes: process = self.processes[process_id] process.disable() vpnservice = process.vpnservice if vpnservice: self._update_nat(vpnservice, self.agent.remove_nat_rule) del self.processes[process_id]2 更新iptables nat表,apply函数主要是锁定iptables,并且使改动生效。如果func函数抛出异常,则不会执行。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
def _update_nat(self, vpnservice, func): """Setting up nat rule in iptables. We need to setup nat rule for ipsec packet. :param vpnservice: vpnservices :param func: self.add_nat_rule or self.remove_nat_rule """ local_cidr = vpnservice['subnet']['cidr'] router_id = vpnservice['router_id'] for ipsec_site_connection in vpnservice['ipsec_site_connections']: for peer_cidr in ipsec_site_connection['peer_cidrs']: func( router_id, 'POSTROUTING', '-s %s -d %s -m policy ' '--dir out --pol ipsec ' '-j ACCEPT ' % (local_cidr, peer_cidr), top=True) self.agent.iptables_apply(router_id)3 上面的func就是
self.agent.remove_nat_rule,这里使用iptables管理模块删除规则1
2
3
4
5
6
7
8
9
10
11
12
13
14
def remove_nat_rule(self, router_id, chain, rule, top=False): """Remove nat rule in namespace. :param router_id: router_id :param chain: a string of chain name :param rule: a string of rule :param top: unused needed to have same argument with add_nat_rule """ router_info = self.router_info.get(router_id) if not router_info: return router_info.iptables_manager.ipv4['nat'].remove_rule( chain, rule)4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
def remove_rule(self, chain, rule, wrap=True, top=False): """Remove a rule from a chain. Note: The rule must be exactly identical to the one that was added. You cannot switch arguments around like you can with the iptables CLI tool. """ chain = get_chain_name(chain, wrap) try: if '$' in rule: rule = ' '.join( self._wrap_target_chain(e, wrap) for e in rule.split(' ')) self.rules.remove(IptablesRule(chain, rule, wrap, top, self.wrap_name)) if not wrap: self.remove_rules.append(IptablesRule(chain, rule, wrap, top, self.wrap_name)) except ValueError: LOG.warn(_('Tried to remove rule that was not there:' ' %(chain)r %(rule)r %(wrap)r %(top)r'), {'chain': chain, 'rule': rule, 'top': top, 'wrap': wrap})5 这里主要是在POSTROUTING链里轮询做匹配,如果规则的参数完全匹配上,就返回True,否则是False,如果是False就抛出上面的异常,且删除规则失败。上面提到的apply函数不会执行
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
class IptablesRule(object): """An iptables rule. You shouldn't need to use this class directly, it's only used by IptablesManager. """ def __init__(self, chain, rule, wrap=True, top=False, binary_name=binary_name, tag=None): self.chain = get_chain_name(chain, wrap) self.rule = rule self.wrap = wrap self.top = top self.wrap_name = binary_name[:16] self.tag = tag def __eq__(self, other): return ((self.chain == other.chain) and (self.rule == other.rule) and (self.top == other.top) and (self.wrap == other.wrap))比对结果:
6. 这里在作比对时top不同,所以没有匹配上,经过查找代码发现:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
def add_nat_rule(self, router_id, chain, rule, top=False): """Add nat rule in namespace. :param router_id: router_id :param chain: a string of chain name :param rule: a string of rule :param top: if top is true, the rule will be placed on the top of chain Note if there is no rotuer, this method do nothing """ router_info = self.router_info.get(router_id) if not router_info: return router_info.iptables_manager.ipv4['nat'].add_rule( chain, rule, top=top)在添加时top是传入True的,而前面第2步时,也传入了True,但是在往下传时就没有传top了,所使用了默认值false,所以这里只要继续传入top就可以了。
改动如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
def remove_nat_rule(self, router_id, chain, rule, top=False): """Remove nat rule in namespace. :param router_id: router_id :param chain: a string of chain name :param rule: a string of rule :param top: unused needed to have same argument with add_nat_rule """ router_info = self.router_info.get(router_id) if not router_info: return router_info.iptables_manager.ipv4['nat'].remove_rule( chain, rule,top=top)问题解决
0 0
- neutron删除vpn时,iptables规则没有删除的bug修复
- neutron lb 删除vip时的bug修复
- iptables 规则的删除
- iptables 文件 规则的删除
- iptables规则的添加删除
- iptables添加删除规则
- linux删除iptables规则
- iptables规则的删除-怎么删除一条已有的iptables规则
- iptables如何删除一条规则
- iptables删除已有的iptables规则-yellowcong
- iptables规则的查看、添加、插入、删除和修改以及删除已有的规则
- iptables规则的查看、添加、删除和修改
- iptables规则的查看、添加、删除和修改
- iptables规则的查看、添加、删除和修改
- iptables规则的查看、添加、删除和修改
- iptables规则的查看、添加、删除和修改
- iptables规则的查看、添加、删除和修改
- iptables规则的查看、添加、删除和修改
- mysql使用小整理
- 生产者消费者问题
- 性能测试监控介绍及其数据分析
- IOS开发---OC语言-⑫点和圆的综合练习
- DLL 的导入与导出
- neutron删除vpn时,iptables规则没有删除的bug修复
- 理解HTTP session原理及应用
- 91熊猫看书电脑版 v0.8.0|官方安装版下载
- [系统级] 获取CPU使用率
- 数据库读写分离(oracle)
- 【jsp】<jsp:param/>与<jsp:include/>的配合使用
- iOS UIButton的titleLabel和imageView的位置调整
- JAVA & CORBA & JNI & C++中文问题
- Mac OS X 下修改文件属性:创建时间、修改时间
