Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-6864

iptables rules can not be restored after removing source and adding it back

    XMLWordPrintable

Details

    • +
    • uShift Sprint 232
    • 1
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      Iptables rules can not be restored after --remove-source=10.42.0.0/16
and  --add-source=10.42.0.0/16, but rebooting node will bring rules back

      Version-Release number of selected component (if applicable):

      4.12.0~rc.3

      How reproducible:

      Always

      Steps to Reproduce:

      [redhat@dhcp-1-235-112 ~]$ sudo firewall-cmd --list-all --zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 10.42.0.0/16 169.254.169.1
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[redhat@dhcp-1-235-112 ~]$ sudo  firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-ex ens3 ens4
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 6443/tcp 80/tcp 443/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[redhat@dhcp-1-235-112 ~]$ sudo iptables-save | grep 10.42.0      
-A POSTROUTING -s 10.42.0.0/24 -j MASQUERADE
-A OVN-KUBE-SNAT-MGMTPORT -o ovn-k8s-mp0 -m comment --comment "OVN SNAT to Management Port" -j SNAT --to-source 10.42.0.2
-A KUBE-HP-6JOGQSSX6QBWRFLM -s 10.42.0.5/32 -m comment --comment "k8s_router-default-ddc545d88-mmzrl_openshift-ingress_af44fdc8-925c-40d8-be0d-a5eaa9d58ad3_0_ hostport 80" -j KUBE-MARK-MASQ
-A KUBE-HP-6JOGQSSX6QBWRFLM -p tcp -m comment --comment "k8s_router-default-ddc545d88-mmzrl_openshift-ingress_af44fdc8-925c-40d8-be0d-a5eaa9d58ad3_0_ hostport 80" -m tcp -j DNAT --to-destination 10.42.0.5:80
-A KUBE-HP-I63JFCWP5QWKF3H6 -s 10.42.0.5/32 -m comment --comment "k8s_router-default-ddc545d88-mmzrl_openshift-ingress_af44fdc8-925c-40d8-be0d-a5eaa9d58ad3_0_ hostport 443" -j KUBE-MARK-MASQ
-A KUBE-HP-I63JFCWP5QWKF3H6 -p tcp -m comment --comment "k8s_router-default-ddc545d88-mmzrl_openshift-ingress_af44fdc8-925c-40d8-be0d-a5eaa9d58ad3_0_ hostport 443" -m tcp -j DNAT --to-destination 10.42.0.5:443
[redhat@dhcp-1-235-112 ~]$ sudo firewall-cmd --permanent --zone=trusted --remove-source=10.42.0.0/16 
success
[redhat@dhcp-1-235-112 ~]$ sudo firewall-cmd --reload
success
[redhat@dhcp-1-235-112 ~]$ 
[redhat@dhcp-1-235-112 ~]$ sudo firewall-cmd --list-all --zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 169.254.169.1
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[redhat@dhcp-1-235-112 ~]$ sudo iptables-save | grep 10.42.0      
-A OVN-KUBE-SNAT-MGMTPORT -o ovn-k8s-mp0 -m comment --comment "OVN SNAT to Management Port" -j SNAT --to-source 10.42.0.2
[redhat@dhcp-1-235-112 ~]$ 
[redhat@dhcp-1-235-112 ~]$ sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 
success
[redhat@dhcp-1-235-112 ~]$ sudo firewall-cmd --reload
success
[redhat@dhcp-1-235-112 ~]$ sudo firewall-cmd --list-all --zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 169.254.169.1 10.42.0.0/16
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[redhat@dhcp-1-235-112 ~]$ sudo iptables-save | grep 10.42.0   
-A OVN-KUBE-SNAT-MGMTPORT -o ovn-k8s-mp0 -m comment --comment "OVN SNAT to Management Port" -j SNAT --to-source 10.42.0.2
[redhat@dhcp-1-235-112 ~]$ sudo iptables-save | grep 10.42.0   
-A OVN-KUBE-SNAT-MGMTPORT -o ovn-k8s-mp0 -m comment --comment "OVN SNAT to Management Port" -j SNAT --to-source 10.42.0.2
[redhat@dhcp-1-235-112 ~]$ 
[microshift@openshift-qe-046 ~]$ ssh -i ~/.ssh/openshift-qe.pem redhat@10.1.235.112
Warning: Permanently added '10.1.235.112' (ECDSA) to the list of known hosts.
Script '01_update_platforms_check.sh' FAILURE (exit code '1'). Continuing...
Boot Status is GREEN - Health Check SUCCESS
Last login: Mon Dec 12 15:06:39 2022 from 10.1.235.49
[redhat@dhcp-1-235-112 ~]$ sudo iptables-save | grep 10.42.0   
-A POSTROUTING -s 10.42.0.0/24 -j MASQUERADE
-A OVN-KUBE-SNAT-MGMTPORT -o ovn-k8s-mp0 -m comment --comment "OVN SNAT to Management Port" -j SNAT --to-source 10.42.0.2
-A KUBE-HP-ALDA4SDX2JXFE5I3 -s 10.42.0.5/32 -m comment --comment "k8s_router-default-ddc545d88-mmzrl_openshift-ingress_af44fdc8-925c-40d8-be0d-a5eaa9d58ad3_0_ hostport 80" -j KUBE-MARK-MASQ
-A KUBE-HP-ALDA4SDX2JXFE5I3 -p tcp -m comment --comment "k8s_router-default-ddc545d88-mmzrl_openshift-ingress_af44fdc8-925c-40d8-be0d-a5eaa9d58ad3_0_ hostport 80" -m tcp -j DNAT --to-destination 10.42.0.5:80
-A KUBE-HP-Q4SI67VE7D6UC5JZ -s 10.42.0.5/32 -m comment --comment "k8s_router-default-ddc545d88-mmzrl_openshift-ingress_af44fdc8-925c-40d8-be0d-a5eaa9d58ad3_0_ hostport 443" -j KUBE-MARK-MASQ
-A KUBE-HP-Q4SI67VE7D6UC5JZ -p tcp -m comment --comment "k8s_router-default-ddc545d88-mmzrl_openshift-ingress_af44fdc8-925c-40d8-be0d-a5eaa9d58ad3_0_ hostport 443" -m tcp -j DNAT --to-destination 10.42.0.5:443
[redhat@dhcp-1-235-112 ~]$ 

      Actual results:

       

      Expected results:

       

      Additional info:

       

       

      Attachments

        Activity

          People

            zshi@redhat.com Zenghui Shi
            weliang1@redhat.com Weibin Liang
            Weibin Liang Weibin Liang
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: