diff options
author | David Hill <dhill@redhat.com> | 2022-08-22 17:03:49 -0400 |
---|---|---|
committer | David Hill <dhill@redhat.com> | 2022-08-25 16:48:45 -0400 |
commit | bbefe5285e7ab799422fab81488f57c9c22769b6 (patch) | |
tree | c8388e637f1637160b1ce149e74b32b63d6aa2ee /releasenotes | |
parent | 7a743ad1d93ceaa9eeb13c65bd07b55783348915 (diff) | |
download | neutron-bbefe5285e7ab799422fab81488f57c9c22769b6.tar.gz |
Allow operator to disable usage of random-fully
In some specific use case, the cloud operator expects the source port
of a packet to stay the same across all masquerading layer up to the
destination host. With the implementation of the random-fully code,
this behavior was changed as source_port is always rewritten no matter
which type of architecture / network CIDRs is being used in the backend.
This setting allows a user to fallback to the original behavior of the
masquerading process which is to keep the source_port consistent across
all layers. The initial random-fully fix prevents packet drops when
duplicate tuples are generated from two different namespace when the
source_ip:source_port goes toward the same destination so enabling this
setting would allow this issue to show again. Perhaps a right approach
here would be to fix this "racey" situation in the kernel by perhaps
using the mac address as a seed to the tuple ...
Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5
Closes-bug: #1987396
Diffstat (limited to 'releasenotes')
-rw-r--r-- | releasenotes/notes/use_random_fully-527b20bc524c308a.yaml | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml b/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml new file mode 100644 index 0000000000..76fb36590c --- /dev/null +++ b/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml @@ -0,0 +1,15 @@ +--- +features: + - | + Add ``use_random_fully`` setting to allow an operator to disable + the iptables random-fully property on an iptable rules. +issues: + - | + If the ``use_random_fully`` setting is disabled, it will prevent + random fully from being used and if there're 2 guests in different + networks using the same source_ip and source_port and they try to + reach the same dest_ip and dest_port, packets might be dropped in + the kernel do to the racy tuple generation . Disabling this + setting should only be done if source_port is really important such + as in network firewall ACLs and that the source_ip are never repeating + within the platform. |