openstack team mailing list archive

[Belmiro Moreira <moreira.belmiro.email.lists@xxxxxxxxx>]

Hi Joe,
nova network filtering rules are preventing ip-spoofing.
There is a proposal to modify this behavior when using HA in instances. 
See thread: 
[openstack-dev] VM level HA. Changes in firewall.py question.

You can check with:
virsh nwfilter-dumpxml nova-base

cheers,
Belmiro

On Jan 21, 2013, at 12:25 PM, Joe Warren-Meeks <joe.warren.meeks@xxxxxxxxx> wrote:

> Hi guys,
> 
> I've got openstack essex configured with vlanmanager and an external gateway and all my networking runs ok generally.
> 
> However, I'm trying to setup Linux HA on two instances. They run on separate compute nodes and can see each other just fine. hb_takeover and hb_standby works perfectly. The problem is that nothing outside of the instance with the HA IP address can connect to it.
> 
> It seems that something is ignoring the arp is-at from the instance. Doing a tcpdump on the compute node's bridged network and the instance's eth0 I can arp requests and responses fine for its main IP, but when I try to get to the alias address, I see arp requests only on the compute side. On the instance side I see it responding, but this doesn't show up on the bridged interface on the compute node.
> 
> Has anyone seen this before? My google-fu is failing to find anything.
> 
> Kind regards
> 
>  -- joe.
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp