change the firewall debugging for clarity
When building rules, log instance['id'] so that iptables output can actually be correlated with the instance's UUID. Also bundle the security-group-to-iptables translation into a single final view of the world instead of the piecemeal one-rule-at-a-time view. Display which rules are being skipped in the add process, as the skips seem to happen a lot; if this turns out to be completely normal we should probably delete that logging entirely at some later point. Related-Bug: #1298472 Change-Id: I0e90c3af9bf908b733ed895ad7c204b0a95ef786
parent
399166bbef
commit
d7ce7cccbc
@ -267,7 +267,9 @@ class IptablesTable(object):
|
|||
|
||||
rule_obj = IptablesRule(chain, rule, wrap, top)
|
||||
if rule_obj in self.rules:
|
||||
LOG.debug("Skipping duplicate iptables rule addition")
|
||||
LOG.debug("Skipping duplicate iptables rule addition. "
|
||||
"%(rule)r already in %(rules)r",
|
||||
{'rule': rule_obj, 'rules': self.rules})
|
||||
else:
|
||||
self.rules.append(IptablesRule(chain, rule, wrap, top))
|
||||
self.dirty = True
|
||||
|
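Review bot: The new message at L26-L29 dumps `%(rules)r`, the whole `self.rules` list, every time a duplicate is skipped, and the commit message says skips happen a lot, so with debug enabled each skip repr()s the entire table (cost growing with every rule on the host) and the log repeats the same rule set over and over; logging only the duplicate, `LOG.debug("Skipping duplicate iptables rule addition: %r (%d rules in table)", rule_obj, len(self.rules))`, gives the same correlation without the bloat. Because this table holds the translated security-group rules, the debug output now carries every source CIDR in the host's filter set, which is fine at debug level but worth keeping out of any log that is shipped off-box. While here, the else branch at L35 could append the `rule_obj` already built at L14 instead of constructing a second IptablesRule. The enclosing add_rule method starts before this hunk.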
|
|
@ -180,9 +180,11 @@ class IptablesFirewallDriver(FirewallDriver):
|
|||
ipv4_rules, ipv6_rules = self.instance_rules(instance, network_info)
|
||||
self.add_filters_for_instance(instance, network_info, ipv4_rules,
|
||||
ipv6_rules)
|
||||
LOG.debug('Filters added to instance', instance=instance)
|
||||
LOG.debug('Filters added to instance: %s', instance['id'],
|
||||
instance=instance)
|
||||
self.refresh_provider_fw_rules()
|
||||
LOG.debug('Provider Firewall Rules refreshed', instance=instance)
|
||||
LOG.debug('Provider Firewall Rules refreshed: %s', instance['id'],
|
||||
instance=instance)
|
||||
# Ensure that DHCP request rule is updated if necessary
|
||||
if (self.dhcp_create and not self.dhcp_created):
|
||||
self.iptables.ipv4['filter'].add_rule(
|
||||
|
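Review bot: Both rewritten log calls (L59-L62 and L71-L74) put `instance['id']` in the message while still passing `instance=instance`, so a reader has to know why the id is logged separately from whatever the `instance=` log adapter already emits; a one-line comment on the first call would settle it, e.g. `# log the id explicitly: it is the key the per-instance iptables chain names carry`, assuming that is how the chains are named, which is not visible in this hunk. If `instance['id']` is the integer DB id rather than the UUID, the commit message's "correlate to UUID" wording is slightly off and the comment should say which key is being logged. The enclosing method starts and ends outside this hunk.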
@ -363,9 +365,6 @@ class IptablesFirewallDriver(FirewallDriver):
|
|||
rules = rules_cls.get_by_security_group(ctxt, security_group)
|
||||
|
||||
for rule in rules:
|
||||
LOG.debug('Adding security group rule: %r', rule,
|
||||
instance=instance)
|
||||
|
||||
if not rule['cidr']:
|
||||
version = 4
|
||||
else:
|
||||
|
@ -393,7 +392,6 @@ class IptablesFirewallDriver(FirewallDriver):
|
|||
elif protocol == 'icmp':
|
||||
args += self._build_icmp_rule(rule, version)
|
||||
if rule['cidr']:
|
||||
LOG.debug('Using cidr %r', rule['cidr'], instance=instance)
|
||||
args += ['-s', str(rule['cidr'])]
|
||||
fw_rules += [' '.join(args)]
|
||||
else:
|
||||
|
@ -417,11 +415,10 @@ class IptablesFirewallDriver(FirewallDriver):
|
|||
subrule = args + ['-s %s' % ip]
|
||||
fw_rules += [' '.join(subrule)]
|
||||
|
||||
LOG.debug('Using fw_rules: %r', fw_rules, instance=instance)
|
||||
|
||||
ipv4_rules += ['-j $sg-fallback']
|
||||
ipv6_rules += ['-j $sg-fallback']
|
||||
|
||||
LOG.debug('Security Groups %s translated to ipv4: %r, ipv6: %r',
|
||||
security_groups, ipv4_rules, ipv6_rules, instance=instance)
|
||||
return ipv4_rules, ipv6_rules
|
||||
|
||||
def instance_filter_exists(self, instance, network_info):
|
||||
|
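Review bot: The summary at L165-L168 formats `security_groups` with `%s` but the rule lists with `%r`, and it emits the fully expanded rule set, including the per-member `-s <ip>` subrules built at L144-L147, so one debug line can run to many kilobytes for an instance in a large remote group and it exposes the addresses of every instance those groups reference to anyone who can read the debug log. That is acceptable at debug level, but consider logging identifiers and counts on this line, e.g. `LOG.debug('Security Groups %r translated to %d ipv4 and %d ipv6 rules', security_groups, len(ipv4_rules), len(ipv6_rules), instance=instance)`, and keeping the full `%r` dump behind a separate, more specific message; at minimum use `%r` for both so `security_groups` prints unambiguously. Whether `security_groups` is a list of names or of DB objects is not visible here. The enclosing method starts before this hunk.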