Merge "Add debug option to verify iptables rules"

2016-08-15 18:04:23 +00:00 · 2016-08-15 18:04:23 +00:00 · 730da40778
parent 4fa371436d 19dbbe6f00
commit 730da40778
4 changed files with 27 additions and 1 deletions
--- a/neutron/agent/common/config.py
+++ b/neutron/agent/common/config.py
@ -64,6 +64,12 @@ IPTABLES_OPTS = [
                       "generated iptables rules that describe each rule's "
                       "purpose. System must support the iptables comments "
                       "module for addition of comments.")),
+    cfg.BoolOpt('debug_iptables_rules', default=False,
+                help=_("Duplicate every iptables difference calculation to "
+                       "ensure the format being generated matches the format "
+                       "of iptables-save. This option should not be turned "
+                       "on for production systems because it imposes a "
+                       "performance penalty.")),
 ]

 PROCESS_MONITOR_OPTS = [
--- a/neutron/agent/linux/iptables_manager.py
+++ b/neutron/agent/linux/iptables_manager.py
@ -412,6 +412,9 @@ class IptablesManager(object):
        finally:
            try:
                self.defer_apply_off()
+            except n_exc.IpTablesApplyException:
+                # already in the format we want, just reraise
+                raise
            except Exception:
                msg = _('Failure applying iptables rules')
                LOG.exception(msg)
@ -436,7 +439,16 @@ class IptablesManager(object):
            lock_name += '-' + self.namespace

        with lockutils.lock(lock_name, utils.SYNCHRONIZED_PREFIX, True):
-            return self._apply_synchronized()
+            first = self._apply_synchronized()
+            if not cfg.CONF.AGENT.debug_iptables_rules:
+                return first
+            second = self._apply_synchronized()
+            if second:
+                msg = (_("IPTables Rules did not converge. Diff: %s") %
+                       '\n'.join(second))
+                LOG.error(msg)
+                raise n_exc.IpTablesApplyException(msg)
+            return first

    def get_rules_for_table(self, table):
        """Runs iptables-save on a table and returns the results."""
--- a/neutron/tests/contrib/gate_hook.sh
+++ b/neutron/tests/contrib/gate_hook.sh
@ -54,6 +54,7 @@ case $VENV in
        start_new_ovs
    fi

+    load_conf_hook iptables_verify
    # Make the workspace owned by the stack user
    sudo chown -R $STACK_USER:$STACK_USER $BASE
    ;;
@ -66,6 +67,9 @@ case $VENV in
    load_rc_hook qos
    load_rc_hook trunk
    load_conf_hook osprofiler
+    if [[ "$VENV" =~ "dsvm-scenario" ]]; then
+        load_conf_hook iptables_verify
+    fi
    if [[ "$VENV" =~ "pecan" ]]; then
        load_conf_hook pecan
    fi
--- a/neutron/tests/contrib/hooks/iptables_verify
+++ b/neutron/tests/contrib/hooks/iptables_verify
@ -0,0 +1,4 @@
+[[post-config|/etc/neutron/neutron.conf]]
+
+[AGENT]
+debug_iptables_rules=True