
4.4-series kernel vs. iptables
Closed, Resolved (Public)

Description

I imaged Labvirt1012, 1013 and 1014 with the 4.4.0-28-generic kernel. Everything looked to be working fine, but after some exhaustive tests we determined that iptables was totally ignoring any of the rules set by openstack security-groups... our VMs were entirely without firewalls.

It's yet unclear if that means that iptables are 100% broken with that kernel or if it's some complex interaction with nova-compute, but either way this is a major deal breaker for that kernel and needs more investigation.

Event Timeline

Copying from IRC:

18:21 < paravoid> did you load the right netfilter modules?
18:21 < paravoid> you need a module for netfilter's FORWARD to catch bridged traffic
18:22 < paravoid> br_netfilter for sure, possibly others
18:23 < chasemp> Better question for andrew, the testing in labtest was solely 3.16 so we backed down to that for consistency
18:23 < paravoid> $ git describe --contains 34666d467cbf1e2e3c7bb15a63eccfb582cdd71f
18:23 < paravoid> v3.18-rc1~115^2~111^2~2
18:23 < paravoid>     netfilter: bridge: move br_netfilter out of the core
18:23 < paravoid>     Note that this is breaking compatibility for users that expect that
18:23 < paravoid>     bridge netfilter is going to be available after explicitly 'modprobe
18:23 < paravoid>     bridge' or via automatic load through brctl.
18:23 < paravoid>     
18:23 < paravoid>     However, the damage can be easily undone by modprobing br_netfilter.
18:23 < paravoid>     The bridge core also spots a message to provide a clue to people that
18:23 < paravoid>     didn't notice that this has been deprecated.
18:24 < paravoid> that sounds like it
18:24 < _joe_> yes
18:24 < chasemp> I would imagine so

(Just realized why "it's worth it, believe me")

Change 306633 had a related patch set uploaded (by Muehlenhoff):
Add modprobe configuration for br_netfilter for Linux >= 3.18

https://gerrit.wikimedia.org/r/306633

Change 306633 merged by Muehlenhoff:
Add modules-load.d/kmod configuration for br_netfilter for Linux >= 3.18

https://gerrit.wikimedia.org/r/306633

This has been fixed, all labvirt systems are running Linux 4.4 for a while now.
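As an added example (not part of the ticket, the IRC discussion or the merged change), a POSIX shell check for the condition described above: on Linux >= 3.18 iptables FORWARD rules only see bridged VM traffic when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is 1, so a host where the module is missing silently has no guest firewalling. The ROOT prefix and the drop-in file name br_netfilter.conf are assumptions so the checks can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the ticket: check that bridged traffic reaches iptables
# (br_netfilter present and bridge-nf-call-iptables=1) and write the persistent
# modules-load.d drop-in. ROOT is an assumed prefix (default: the real filesystem)
# so the same checks can be run against a constructed directory tree.
ROOT="${ROOT:-}"

# Returns 0 when bridge netfilter is available: either br_netfilter is loaded as a
# module (Linux >= 3.18) or the hooks are still part of bridge.ko (older kernels),
# in which case the sysctl exists without a separate module.
br_netfilter_loaded() {
    [ -d "$ROOT/sys/module/br_netfilter" ] && return 0
    [ -f "$ROOT/proc/sys/net/bridge/bridge-nf-call-iptables" ] && return 0
    return 1
}

# Returns 0 when bridged IPv4 frames are handed to the iptables FORWARD chain.
bridge_nf_call_iptables_enabled() {
    f="$ROOT/proc/sys/net/bridge/bridge-nf-call-iptables"
    [ -f "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Writes the modules-load.d drop-in so the module is loaded at boot; the file
# name br_netfilter.conf is an assumption, not taken from the merged change.
write_modules_load_conf() {
    dir="$ROOT/etc/modules-load.d"
    mkdir -p "$dir" || return 1
    printf '%s\n' '# Linux >= 3.18: bridge netfilter is no longer part of bridge.ko' \
        'br_netfilter' > "$dir/br_netfilter.conf"
}

# Prints a one-word verdict plus reason; returns 0 only when firewalling of
# bridged VM traffic is actually in effect.
check_bridge_firewalling() {
    if ! br_netfilter_loaded; then
        echo "MISSING: br_netfilter not loaded; iptables FORWARD rules never see bridged traffic"
        return 1
    fi
    if ! bridge_nf_call_iptables_enabled; then
        echo "DISABLED: net.bridge.bridge-nf-call-iptables is not 1"
        return 1
    fi
    echo "OK: bridged traffic is subject to iptables"
}
```

Running `check_bridge_firewalling` on a hypervisor after a kernel upgrade gives a quick pass/fail that does not depend on inspecting the security-group rules themselves.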