[ironic][neutron] nf_conntrack_helper now disabled by default

Miguel Lavalle miguel at mlavalle.com
Sun Jan 13 18:11:29 UTC 2019


Hi Derek,

Yes, these rules would need to be added inside the router namespace when it
is created, and it seems to me it is a workable solution. I will raise this
work in the next L3 sub-team meeting, so we keep an eye on the patches /
progress you make.

Regards

Miguel

On Mon, Jan 7, 2019 at 11:54 AM Derek Higgins <derekh at redhat.com> wrote:

> On Mon, 7 Jan 2019 at 17:08, Clark Boylan <cboylan at sapwetik.org> wrote:
> >
> > On Mon, Jan 7, 2019, at 8:48 AM, Julia Kreger wrote:
> > > Thanks for bringing this up Derek!
> > > Comments below.
> > >
> > > On Mon, Jan 7, 2019 at 8:30 AM Derek Higgins <derekh at redhat.com> wrote:
> > > >
> > > > Hi All,
> > > >
> > > > Shortly before the holidays CI jobs moved from xenial to bionic. For
> > > > Ironic this meant a bunch of failures[1]; all have now been dealt with,
> > > > with the exception of the UEFI job. It turns out that during this job
> > > > our (virtual) baremetal nodes use tftp to download an ipxe image. In
> > > > order to track these tftp connections we have been making use of the
> > > > fact that nf_conntrack_helper has been enabled by default. In newer
> > > > kernel versions[2] this is no longer the case and I'm now trying to
> > > > figure out the best way to deal with the new behaviour. I've put
> > > > together some possible solutions along with some details on why they
> > > > are not ideal and would appreciate some opinions.
> > >
> > > The git commit message suggests that users should explicitly put in
> > > rules such that the traffic is matched. I feel like the kernel change
> > > ends up being a behavior change in this case.
> > >
> > > I think the reasonable path forward is to have a configuration
> > > parameter that the l3 agent can use to determine to set the netfilter
> > > connection tracker helper.
> > >
> > > Doing so allows us to raise this behavior change to operators,
> > > minimizing the need of them having to troubleshoot it in production,
> > > and gives them a choice in the direction that they wish to take.
> >
> > https://home.regit.org/netfilter-en/secure-use-of-helpers/ seems to
> > cover this. Basically you should explicitly enable specific helpers when
> > you need them rather than relying on the auto helper rules.
>
> Thanks, I forgot to point out the option of adding these rules. If I
> understand it correctly they would need to be added inside the router
> namespace when neutron creates it; somebody from neutron might be able
> to indicate if this is a workable solution.
>
> >
> > Maybe even avoid the configuration option entirely if ironic and neutron
> > can set the required helper for tftp when tftp is used?
> >
> > >
> > > [trim]
> > >
> >
> > [more trimming]
> >
>
>
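The explicit helper rules the thread talks about, scoped to a neutron router namespace, as an added example that is not code from the thread, from neutron or from ironic. It assumes neutron's `qrouter-<router-uuid>` namespace naming; the router uuid is a placeholder, and the rules are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread or the projects). Replaces the implicit
# helper assignment that net.netfilter.nf_conntrack_helper=1 used to provide
# with an explicit CT rule for TFTP, as the regit.org article recommends.

# Print the commands that bind the tftp conntrack helper to TFTP requests
# (UDP/69) entering router namespace $1, and accept the RELATED data
# connection the helper will expect. The CT target is only valid in the
# raw table, which is why the rule lives in raw/PREROUTING.
tftp_helper_rules() {
    ns="$1"
    cat <<EOF
modprobe nf_conntrack_tftp
ip netns exec $ns iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp
ip netns exec $ns iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper tftp -j ACCEPT
EOF
}

# Report how this host assigns helpers: "auto" (sysctl=1, the old default),
# "explicit" (0, the new kernel default) or "unknown" when the sysctl is
# absent, e.g. because nf_conntrack is not loaded.
helper_mode() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ ! -r "$f" ]; then echo unknown; return; fi
    case "$(cat "$f")" in
        1) echo auto ;;
        0) echo explicit ;;
        *) echo unknown ;;
    esac
}

# Number of per-namespace iptables rules the generator emits (one raw CT
# rule, one FORWARD accept for the helper's RELATED expectation).
tftp_helper_rule_count() {
    tftp_helper_rules "$1" | grep -c 'ip netns exec'
}

# Dry run by default; APPLY=1 executes the rules (root, namespace must exist).
ROUTER_NS="${ROUTER_NS:-qrouter-ROUTER-UUID-PLACEHOLDER}"
if [ "${APPLY:-0}" = 1 ]; then
    tftp_helper_rules "$ROUTER_NS" | sh -e
else
    echo "helper mode on this host: $(helper_mode)"
    tftp_helper_rules "$ROUTER_NS"
fi
```

After applying, `ip netns exec <ns> iptables -t raw -S PREROUTING` should list the CT rule, and a TFTP transfer through the router should show a tftp-helper conntrack entry in `/proc/net/nf_conntrack` inside the namespace.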