Public bug reported:

The logic of _modify_rules() seems not correct. For instance, assuming that we have an in-memory table like this:

:bn-chain001 - [0:0]
:chain002 - [0:0]
[0:0] -A bn-chain001 rule001
[0:0] -A chain002 rule002

and iptables-save output like this:

# Generated by zhaoqin on mars
*zhaoqin
:bn-chain001 - [0:0]
[0:0] -A bn-chain001 rule001
[0:0] -A chain002 rule002
COMMIT
# Completed on moon

The current code of _modify_rules() will generate the following result:

# Generated by zhaoqin on mars
:chain002 - [0:0]
:bn-chain001 - [0:0]
[0:0] -A bn-chain001 rule001
[0:0] -A chain002 rule002
*zhaoqin
COMMIT
# Completed on moon

The root cause is that rule '[0:0] -A chain002 rule002' in the new_filter list is removed, so that the current code will do 'rules_index -= 1'. That is an incorrect action. The correct action is to do 'rules_index -= 1' if one chain entry in the new_filter list is removed, because the chain list is above the rule list.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1359072

Title:
  Incorrect logic of _modify_rules() in IptablesManager

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1359072/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
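The rules_index bookkeeping the report describes, as an added example that is neither part of the bug report nor Neutron's IptablesManager code: a constructed Python model that rebuilds the reporter's table from the in-memory chains and rules, reproduces the reported output when every removed line decrements rules_index, and produces a correctly ordered dump when only removed chain declarations (the lines above the insertion point) do. It assumes the managed-chain prefix (wrap_name) is "bn", so bn-chain001 is a wrapped chain and chain002 an unwrapped one, and that lines carrying the prefix are regenerated wholesale; the is_well_formed check is the layout test a practitioner would run on the generated dump before handing it to iptables-restore.

```python
# Constructed model of the rules_index bookkeeping described in the report.
# It is NOT Neutron's IptablesManager code: it reproduces the reported
# output on the reporter's own example and shows the corrected accounting.
# Assumptions: the managed-chain prefix (wrap_name) is "bn", so bn-chain001
# is a wrapped chain and chain002 an unwrapped one; lines carrying the
# prefix are regenerated wholesale, as the report's output suggests.

WRAP_NAME = "bn"  # assumed prefix for chains the manager owns

# iptables-save dump from the report (constructed input).
DUMP = [
    "# Generated by zhaoqin on mars",
    "*zhaoqin",
    ":bn-chain001 - [0:0]",
    "[0:0] -A bn-chain001 rule001",
    "[0:0] -A chain002 rule002",
    "COMMIT",
    "# Completed on moon",
]

# In-memory table from the report (constructed input).
IN_MEMORY = {
    "unwrapped_chains": ["chain002"],
    "chains": ["chain001"],  # emitted as bn-chain001
    "rules": ["-A bn-chain001 rule001", "-A chain002 rule002"],
}


def find_rules_index(lines):
    """Index of the first line that is not a comment, '*table' header or
    ':chain' declaration: the point where new declarations and rules are
    spliced in. Everything above it is header or chain list."""
    for i, line in enumerate(lines):
        if not line.startswith(("#", "*", ":")):
            return i
    return len(lines)


def modify_rules(current_lines, table, fixed):
    """Rebuild one table's dump from the in-memory table.

    fixed=False mirrors the reported behaviour: every removed line decrements
    rules_index. fixed=True applies the correction from the report: only a
    removed chain declaration (which sits above rules_index) moves it; a
    removed rule sits at or below the insertion point and must not."""
    # Lines carrying the wrap name belong to us and are regenerated.
    new_filter = [line for line in current_lines if WRAP_NAME not in line]
    rules_index = find_rules_index(new_filter)

    chain_names = list(table["unwrapped_chains"])
    chain_names += ["%s-%s" % (WRAP_NAME, c) for c in table["chains"]]

    # Drop surviving lines that reference our chains, as a declaration
    # (':chain002 - [0:0]') or as a rule ('[0:0] -A chain002 rule002').
    for name in chain_names:
        kept = []
        for line in new_filter:
            is_decl = line.startswith(":%s " % name)
            is_rule = (" %s " % name) in line
            if not (is_decl or is_rule):
                kept.append(line)
            elif is_decl or not fixed:
                rules_index -= 1  # the decrement the report is about
        new_filter = kept

    declarations = [":%s - [0:0]" % n for n in chain_names]
    rule_lines = ["[0:0] %s" % r for r in table["rules"]]
    new_filter[rules_index:rules_index] = declarations + rule_lines
    return new_filter


def is_well_formed(lines):
    """Check the layout the report's iptables-save sample follows: '*table',
    then ':chain' declarations, then rules, then COMMIT. The reported output
    fails because a declaration precedes '*zhaoqin'."""
    stage = 0  # 0 before *table, 1 declarations, 2 rules, 3 committed
    for line in lines:
        if line.startswith("#"):
            continue
        if line.startswith("*"):
            if stage != 0:
                return False
            stage = 1
        elif line.startswith(":"):
            if stage != 1:
                return False
        elif line == "COMMIT":
            if stage not in (1, 2):
                return False
            stage = 3
        else:
            if stage not in (1, 2):
                return False
            stage = 2
    return stage == 3


if __name__ == "__main__":
    for fixed in (False, True):
        out = modify_rules(DUMP, IN_MEMORY, fixed)
        print("fixed=%s well_formed=%s" % (fixed, is_well_formed(out)))
        print("\n".join(out) + "\n")
```

Running the script prints both dumps: with fixed=False the chain declarations land before '*zhaoqin', exactly as in the report, and is_well_formed rejects the result; with fixed=True rules_index stays at the first rule line and the declarations and rules are spliced in between the table header and COMMIT.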