openstack team mailing list archive
Message #18563
Re: Strange network behavior
I should add that it looks like none of the iptables rules are being set up
for the floating IP. It is bound to the right interface in ip addr, but my
iptables look as follows:
(You'll note that 10.0.40.129 is conspicuous by its absence)
Ideas?

Chain INPUT (policy ACCEPT 47238 packets, 20M bytes)
pkts bytes target prot opt in out source destination
47393 20M nova-network-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
47238 20M nova-compute-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
47238 20M nova-api-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
225 18900 nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
208 17472 nova-network-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 nova-compute-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 nova-api-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 38296 packets, 23M bytes)
pkts bytes target prot opt in out source destination
38667 23M nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
38296 23M nova-network-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
38296 23M nova-compute-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
38296 23M nova-api-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-api-FORWARD (1 references)
pkts bytes target prot opt in out source destination

Chain nova-api-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.250 tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
pkts bytes target prot opt in out source destination

Chain nova-api-local (1 references)
pkts bytes target prot opt in out source destination

Chain nova-compute-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br41 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br41 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-INPUT (1 references)
pkts bytes target prot opt in out source destination

Chain nova-compute-OUTPUT (1 references)
pkts bytes target prot opt in out source destination

Chain nova-compute-inst-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
388 37807 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 10.0.41.1 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT all -- * * 10.0.41.0/24 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-local (1 references)
pkts bytes target prot opt in out source destination
388 37807 nova-compute-inst-2 all -- * * 0.0.0.0/0 10.0.41.4

Chain nova-compute-provider (1 references)
pkts bytes target prot opt in out source destination

Chain nova-compute-sg-fallback (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-filter-top (2 references)
pkts bytes target prot opt in out source destination
38892 23M nova-network-local all -- * * 0.0.0.0/0 0.0.0.0/0
38892 23M nova-compute-local all -- * * 0.0.0.0/0 0.0.0.0/0
38504 23M nova-api-local all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-network-FORWARD (1 references)
pkts bytes target prot opt in out source destination
208 17472 ACCEPT all -- br41 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * br41 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.41.2 udp dpt:1194

Chain nova-network-INPUT (1 references)
pkts bytes target prot opt in out source destination
27 8856 ACCEPT udp -- br41 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- br41 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
128 8576 ACCEPT udp -- br41 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- br41 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53

Chain nova-network-OUTPUT (1 references)
pkts bytes target prot opt in out source destination

Chain nova-network-local (1 references)
pkts bytes target prot opt in out source destination

On 9 November 2012 17:14, Joe Warren-Meeks <joe.warren.meeks@xxxxxxxxx> wrote:
> Hi all,
>
> I've managed to get OpenStack pretty much up and running as I wanted it. I
> do have, however, a rather strange networking issue.
>
> I created the network with
> nova-manage network create --fixed_range_v4=10.0.41.0/24 --num_networks=1
> --bridge=br41 --bridge_interface=eth0 --label=development
> --gateway=10.0.41.1 --dns1=10.0.0.2 --vlan=41 --project_id=XXXXXXX
>
> And I can boot instances fine. I've configured the default security group
> to allow port 22, 80 and ICMP -1 in and I can ping from my work station to
> the virtual instance ok:
>
> joe@kaneda:~$ ping 10.0.41.3
> PING 10.0.41.3 (10.0.41.3) 56(84) bytes of data.
> 64 bytes from 10.0.41.3: icmp_req=1 ttl=63 time=1.18 ms
>
> And I can ping from the virt back too:
> ubuntu@test:~$ ping 10.0.0.240
> PING 10.0.0.240 (10.0.0.240) 56(84) bytes of data.
> 64 bytes from 10.0.0.240: icmp_req=1 ttl=64 time=0.713 ms
>
>
> I can SSH out from the virt to a host in the outside world fine:
> ubuntu@test:~$ ssh joe@XXXXX
> joe@XXXXXX password:
> -bash: fortune: command not found
> joe@dixon:~ $
>
> BUT I can't ssh from the virt to my workstation, nor from my workstation
> to the virt. Neither does HTTP work.
>
> What I am seeing in tcpdump is a lot of incorrect cksums. This happens
> with all TCP connections.
>
> 17:12:38.539784 IP (tos 0x0, ttl 64, id 53611, offset 0, flags [DF], proto
> TCP (6), length 60)
> 10.0.0.240.56791 > 10.0.41.3.22: Flags [S], cksum 0x3e21 (incorrect ->
> 0x6de2), seq 2650163743, win 14600, options [mss 1460,sackOK,TS val
> 28089204 ecr 0,nop,wscale 6], length 0
>
>
> 17:12:38.585279 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
> (6), length 60)
> 10.0.41.3.22 > 10.0.0.240.56791: Flags [S.], cksum 0x3e21 (incorrect
> -> 0xe5c5), seq 1530502549, ack 3098447117, win 14480, options [mss
> 1460,sackOK,TS val 340493 ecr 28089204,nop,wscale 3], length 0
>
> Anyone come across this before?
>
> -- joe.
>
>
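
One way to check a listing for a specific address, as an added example that is not part of the original post: the output above is in the layout of `iptables -L -n -v`, which lists the filter table unless `-t` names another, so the check takes one listing per table. The sample text is constructed; the nat chain name `example-PREROUTING` and its DNAT row are assumptions, not output from the poster's host.

```python
import ipaddress
import re

# Constructed sample in `iptables -L -n -v` layout. The filter rows are taken
# from the listing in the post; the nat chain and its DNAT row are assumed for
# illustration and are not output from the poster's host.
SAMPLE = {
    "filter": """\
Chain nova-api-INPUT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.250 tcp dpt:8775
Chain nova-compute-local (1 references)
 pkts bytes target prot opt in out source destination
  388 37807 nova-compute-inst-2 all -- * * 0.0.0.0/0 10.0.41.4
""",
    "nat": """\
Chain example-PREROUTING (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DNAT all -- * * 0.0.0.0/0 10.0.40.129 to:10.0.41.4
""",
}

CHAIN = re.compile(r"^Chain (\S+) ")
ADDR = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")

def rules_mentioning(listing, ip):
    """Return (chain, rule) pairs whose source, destination or options
    cover `ip`. The 0.0.0.0/0 wildcard is skipped: it matches every address
    and says nothing about whether a rule was installed for this one."""
    target = ipaddress.ip_address(ip)
    chain, hits = None, []
    for line in listing.splitlines():
        m = CHAIN.match(line)
        if m:
            chain = m.group(1)
            continue
        fields = line.split()
        if len(fields) < 9 or not fields[0][:1].isdigit():
            continue  # column header or blank line
        for tok in ADDR.findall(" ".join(fields[7:])):
            net = ipaddress.ip_network(tok, strict=False)
            if net.prefixlen > 0 and target in net:
                hits.append((chain, " ".join(fields[2:])))
                break
    return hits

def audit(tables, ip):
    """Map each table name to the rules that reference `ip`."""
    return {name: rules_mentioning(text, ip) for name, text in tables.items()}
```

Calling `audit(SAMPLE, "10.0.40.129")` returns an empty list for `filter` and the DNAT row for `nat`; on a live host each listing would come from `iptables -t <table> -L -n -v`.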