yahoo-eng-team team mailing list archive
Message #01889
[Bug 1162626] Re: lb-vip agent does not have a route to the gw
Reviewed: https://review.openstack.org/25935
Committed: http://github.com/openstack/quantum/commit/65393c2c3cbbb142685965ee1f4177e0c2f0893e
Submitter: Jenkins
Branch: milestone-proposed
commit 65393c2c3cbbb142685965ee1f4177e0c2f0893e
Author: Aaron Rosen <arosen@xxxxxxxxxx>
Date: Mon Apr 1 15:26:12 2013 -0700
Fix lb-vip does not get route to default gw
Previously when creating a lb-vip it would be created without
a default gw. This patch fixes that and adds unit tests to check
that route add is called if the subnet has a gateway_ip.
Fixes bug 1162626
Change-Id: I155749fa6d9c843fca87a73f3cf85720aac26cfa
(cherry picked from commit 37b41833bf4f9500ee6be53d15298d0f4b964ea3)
** Changed in: quantum
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to quantum.
https://bugs.launchpad.net/bugs/1162626
Title:
lb-vip agent does not have a route to the gw
Status in OpenStack Quantum (virtual network service):
Fix Released
Bug description:
When playing with the OVS plugin I noticed that security groups don't
work with lb-vip.
To reproduce, create a lb-vip exactly as outlined here:
https://wiki.openstack.org/wiki/Quantum/LBaaS/HowToRun . Everything
works with the vip ip. Then I create and associate a floating ip. All
commands return fine. Then I notice I need to update the port:
| 725e5ce3-6432-4133-a695-baa5d651ec12 | vip-0d3787da-7748-4884-8c1b-4427b521e6d0 | fa:16:3e:91:f7:fe | {"subnet_id": "82294d13-5e55-4ae2-bc95-9d4e09ab4ebf", "ip_address": "10.0.0.8"} |
to change its security group so that it can receive ingress traffic on tcp port 80. Even after I do that, traffic does not get forwarded correctly over tcp port 80 to the floating ip as I don't get a response back.
$ quantum port-list
+--------------------------------------+------------------------------------------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------------------------------------------+-------------------+---------------------------------------------------------------------------------+
| 28e1de02-a0ce-44f9-97b0-7b8b58a55be8 | | fa:16:3e:b5:3f:54 | {"subnet_id": "60656200-9450-4da0-ab32-62f930875d4e", "ip_address": "10.0.0.2"} |
| 3fe591f0-316e-4ae3-8bdd-9be050ceade3 | | fa:16:3e:12:71:cd | {"subnet_id": "60656200-9450-4da0-ab32-62f930875d4e", "ip_address": "10.0.0.3"} |
| 857f9511-734c-4b2f-9323-4a2062ebe728 | vip-f7769c62-5ed9-46bc-88ee-95c44034623d | fa:16:3e:ee:23:97 | {"subnet_id": "60656200-9450-4da0-ab32-62f930875d4e", "ip_address": "10.0.0.4"} |
| 8bbe0fa8-1636-44c6-9c94-5c3bc46a35d8 | | fa:16:3e:56:97:28 | {"subnet_id": "60656200-9450-4da0-ab32-62f930875d4e", "ip_address": "10.0.0.1"} |
+--------------------------------------+------------------------------------------+-------------------+---------------------------------------------------------------------------------+
nicira@ubuntu:~/devstack$ quantum floatingip-list
+--------------------------------------+------------------+---------------------+--------------------------------------+
| id | fixed_ip_address | floating_ip_address | port_id |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| 2175ae35-9b92-438f-8c05-3720534ca734 | 10.0.0.4 | 172.24.4.227 | 857f9511-734c-4b2f-9323-4a2062ebe728 |
| 5ac0326d-0f87-4f84-aeae-b565ac6f2da3 | 10.0.0.3 | 172.24.4.228 | 3fe591f0-316e-4ae3-8bdd-9be050ceade3 |
+--------------------------------------+------------------+---------------------+--------------------------------------+
$ sudo iptables-save
# Generated by iptables-save v1.4.12 on Sun Mar 31 18:30:59 2013
*nat
:PREROUTING ACCEPT [229:19813]
:INPUT ACCEPT [4:1221]
:OUTPUT ACCEPT [278:16788]
:POSTROUTING ACCEPT [503:35380]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-postrouting-bottom - [0:0]
:quantum-openvswi-OUTPUT - [0:0]
:quantum-openvswi-POSTROUTING - [0:0]
:quantum-openvswi-PREROUTING - [0:0]
:quantum-openvswi-float-snat - [0:0]
:quantum-openvswi-snat - [0:0]
:quantum-postrouting-bottom - [0:0]
-A PREROUTING -j quantum-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A OUTPUT -j quantum-openvswi-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A POSTROUTING -j quantum-openvswi-POSTROUTING
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j quantum-postrouting-bottom
-A nova-api-snat -j nova-api-float-snat
-A nova-postrouting-bottom -j nova-api-snat
-A quantum-openvswi-snat -j quantum-openvswi-float-snat
-A quantum-postrouting-bottom -j quantum-openvswi-snat
COMMIT
# Completed on Sun Mar 31 18:30:59 2013
# Generated by iptables-save v1.4.12 on Sun Mar 31 18:30:59 2013
*mangle
:PREROUTING ACCEPT [79493:86583976]
:INPUT ACCEPT [77635:86463479]
:FORWARD ACCEPT [1887:129706]
:OUTPUT ACCEPT [77723:89316390]
:POSTROUTING ACCEPT [79594:89441424]
:nova-api-POSTROUTING - [0:0]
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 31 18:30:59 2013
# Generated by iptables-save v1.4.12 on Sun Mar 31 18:30:59 2013
*filter
:INPUT ACCEPT [39176:11083185]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38987:13601666]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
:quantum-filter-top - [0:0]
:quantum-openvswi-FORWARD - [0:0]
:quantum-openvswi-INPUT - [0:0]
:quantum-openvswi-OUTPUT - [0:0]
:quantum-openvswi-i3fe591f0-3 - [0:0]
:quantum-openvswi-i857f9511-7 - [0:0]
:quantum-openvswi-local - [0:0]
:quantum-openvswi-o3fe591f0-3 - [0:0]
:quantum-openvswi-o857f9511-7 - [0:0]
:quantum-openvswi-sg-chain - [0:0]
:quantum-openvswi-sg-fallback - [0:0]
-A INPUT -j quantum-openvswi-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j quantum-filter-top
-A FORWARD -j quantum-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j quantum-filter-top
-A OUTPUT -j quantum-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.34.106.187/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local
-A quantum-filter-top -j quantum-openvswi-local
-A quantum-openvswi-FORWARD -m physdev --physdev-out tap857f9511-73 --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-FORWARD -m physdev --physdev-in tap857f9511-73 --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-FORWARD -m physdev --physdev-out tap3fe591f0-31 --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-FORWARD -m physdev --physdev-in tap3fe591f0-31 --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-INPUT -m physdev --physdev-in tap857f9511-73 --physdev-is-bridged -j quantum-openvswi-o857f9511-7
-A quantum-openvswi-INPUT -m physdev --physdev-in tap3fe591f0-31 --physdev-is-bridged -j quantum-openvswi-o3fe591f0-3
-A quantum-openvswi-i3fe591f0-3 -m state --state INVALID -j DROP
-A quantum-openvswi-i3fe591f0-3 -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-i3fe591f0-3 -p tcp -m tcp --dport 80 -j RETURN
-A quantum-openvswi-i3fe591f0-3 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-i3fe591f0-3 -j quantum-openvswi-sg-fallback
-A quantum-openvswi-i857f9511-7 -m state --state INVALID -j DROP
-A quantum-openvswi-i857f9511-7 -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-i857f9511-7 -p tcp -m tcp --dport 80 -j RETURN
-A quantum-openvswi-i857f9511-7 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-i857f9511-7 -j quantum-openvswi-sg-fallback
-A quantum-openvswi-o3fe591f0-3 -m mac ! --mac-source FA:16:3E:12:71:CD -j DROP
-A quantum-openvswi-o3fe591f0-3 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A quantum-openvswi-o3fe591f0-3 ! -s 10.0.0.3/32 -j DROP
-A quantum-openvswi-o3fe591f0-3 -p udp -m udp --sport 67 --dport 68 -j DROP
-A quantum-openvswi-o3fe591f0-3 -m state --state INVALID -j DROP
-A quantum-openvswi-o3fe591f0-3 -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-o3fe591f0-3 -j RETURN
-A quantum-openvswi-o3fe591f0-3 -j quantum-openvswi-sg-fallback
-A quantum-openvswi-o857f9511-7 -m mac ! --mac-source FA:16:3E:EE:23:97 -j DROP
-A quantum-openvswi-o857f9511-7 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A quantum-openvswi-o857f9511-7 ! -s 10.0.0.4/32 -j DROP
-A quantum-openvswi-o857f9511-7 -p udp -m udp --sport 67 --dport 68 -j DROP
-A quantum-openvswi-o857f9511-7 -m state --state INVALID -j DROP
-A quantum-openvswi-o857f9511-7 -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-o857f9511-7 -j RETURN
-A quantum-openvswi-o857f9511-7 -j quantum-openvswi-sg-fallback
-A quantum-openvswi-sg-chain -m physdev --physdev-out tap857f9511-73 --physdev-is-bridged -j quantum-openvswi-i857f9511-7
-A quantum-openvswi-sg-chain -m physdev --physdev-in tap857f9511-73 --physdev-is-bridged -j quantum-openvswi-o857f9511-7
-A quantum-openvswi-sg-chain -m physdev --physdev-out tap3fe591f0-31 --physdev-is-bridged -j quantum-openvswi-i3fe591f0-3
-A quantum-openvswi-sg-chain -m physdev --physdev-in tap3fe591f0-31 --physdev-is-bridged -j quantum-openvswi-o3fe591f0-3
-A quantum-openvswi-sg-chain -j ACCEPT
-A quantum-openvswi-sg-fallback -j DROP
COMMIT
# Completed on Sun Mar 31 18:30:59 2013
To manage notifications about this bug go to:
https://bugs.launchpad.net/quantum/+bug/1162626/+subscriptions
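
Added example (not part of the original message and not the Quantum code): a small routing model showing why opening tcp port 80 in the security group is not enough when the VIP namespace has no default route, since the reply to an off-subnet client has nowhere to go. The subnet CIDR 10.0.0.0/24, the gateway 10.0.0.1, the client address and all function names are assumptions made for illustration; only "gateway_ip" and the VIP subnet addresses come from the message above.

```python
import ipaddress

# Constructed sample data (assumed, see lead-in).
SUBNET = {"cidr": "10.0.0.0/24", "gateway_ip": "10.0.0.1"}
SUBNET_NO_GW = {"cidr": "10.0.0.0/24", "gateway_ip": None}
EXTERNAL_CLIENT = "172.24.4.1"   # a client reaching the VIP through its floating ip
LOCAL_PEER = "10.0.0.3"          # another port on the same subnet


def namespace_routes(subnet, add_default_gw):
    """Return the routes visible inside the VIP namespace (simplified).

    add_default_gw=False models the behaviour described in the bug
    (connected route only); True models the behaviour after the fix,
    where a default route is added only if the subnet has a gateway_ip.
    """
    routes = [(ipaddress.ip_network(subnet["cidr"]), None)]  # connected route
    gateway = subnet.get("gateway_ip")
    if add_default_gw and gateway:
        routes.append((ipaddress.ip_network("0.0.0.0/0"),
                       ipaddress.ip_address(gateway)))
    return routes


def next_hop(routes, destination):
    """Longest-prefix match: 'direct', a gateway address, or None (no route)."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    _, gateway = max(matches, key=lambda route: route[0].prefixlen)
    return "direct" if gateway is None else str(gateway)


def reply_path(subnet, client_ip, fixed):
    """Where a reply from the VIP to client_ip would be sent."""
    return next_hop(namespace_routes(subnet, add_default_gw=fixed), client_ip)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "before fix",
              "| external client ->", reply_path(SUBNET, EXTERNAL_CLIENT, fixed),
              "| local peer ->", reply_path(SUBNET, LOCAL_PEER, fixed))
```

A None result for the external client corresponds to the symptom in the bug description: the request reaches the VIP, but no response comes back.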