Allow operator to disable usage of random-fully

david-hill · david-hill · commit fa77abbc153d · 2022-08-26T13:17:34.000Z
In some specific use case, the cloud operator expects the source port of a packet to stay the same across all masquerading layer up to the destination host. With the implementation of the random-fully code, this behavior was changed as source_port is always rewritten no matter which type of architecture / network CIDRs is being used in the backend. This setting allows a user to fallback to the original behavior of the masquerading process which is to keep the source_port consistent across all layers. The initial random-fully fix prevents packet drops when duplicate tuples are generated from two different namespace when the source_ip:source_port goes toward the same destination so enabling this setting would allow this issue to show again. Perhaps a right approach here would be to fix this "racey" situation in the kernel by perhaps using the mac address as a seed to the tuple ... Change-Id: Idfe5e51007b9a3eaa48779cd01edbca2f586eee5 Closes-bug: #1987396 (cherry picked from commit bbefe52)
diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py
@@ -497,6 +497,10 @@ def random_fully(self):
         version = self._get_version()
         self.__class__._random_fully = utils.is_version_greater_equal(
             version, n_const.IPTABLES_RANDOM_FULLY_VERSION)
+
+        self._random_fully = self._random_fully and \
+            cfg.CONF.AGENT.use_random_fully
+
         return self._random_fully
 
     @property
diff --git a/neutron/conf/agent/common.py b/neutron/conf/agent/common.py
@@ -135,6 +135,9 @@
                        "of iptables-save. This option should not be turned "
                        "on for production systems because it imposes a "
                        "performance penalty.")),
+    cfg.BoolOpt('use_random_fully',
+                default=True,
+                help=_("Use random-fully in SNAT masquerade rules.")),
 ]
 
 PROCESS_MONITOR_OPTS = [
diff --git a/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml b/releasenotes/notes/use_random_fully-527b20bc524c308a.yaml
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    Add ``use_random_fully`` setting to allow an operator to disable
+    the iptables random-fully property on an iptable rules.
+issues:
+  - |
+    If the ``use_random_fully`` setting is disabled, it will prevent
+    random fully from being used and if there're 2 guests in different
+    networks using the same source_ip and source_port and they try to
+    reach the same dest_ip and dest_port, packets might be dropped in
+    the kernel do to the racy tuple generation .   Disabling this
+    setting should only be done if source_port is really important such
+    as in network firewall ACLs and that the source_ip are never repeating
+    within the platform.

Original file line number	Diff line number	Diff line change
`@@ -135,6 +135,9 @@`
`135`	`135`	`"of iptables-save. This option should not be turned "`
`136`	`136`	`"on for production systems because it imposes a "`
`137`	`137`	`"performance penalty.")),`
	`138`	`+ cfg.BoolOpt('use_random_fully',`
	`139`	`+ default=True,`
	`140`	`+ help=_("Use random-fully in SNAT masquerade rules.")),`
`138`	`141`	`]`
`139`	`142`
`140`	`143`	`PROCESS_MONITOR_OPTS = [`