yahoo-eng-team team mailing list archive
Message #32994
[Bug 1456512] [NEW] vpn and l3 agent has a conflict in icehouse.
Public bug reported:
The test steps:
1. Create subnets named A and B.
2. Create routers named A and B.
3. Add subnet A to router A and set a gateway for router A; then do the same with B.
4. Create VPN A: the VPN subnet uses subnet A, the peer gateway uses router B's gateway, the peer subnet uses subnet B.
5. Create VPN B: the VPN subnet uses subnet B, the peer gateway uses router A's gateway, the peer subnet uses subnet A.
Then test the VPN: subnets A and B can communicate.
But after I restart the l3 agent or create a firewall (not a rule problem) in
the tenant, subnets A and B cannot communicate.
I found an issue in qrouter A's or B's iptables nat table:
the VPN uses one chain to prevent SNAT, but after I restart the l3 agent or
create a firewall, the chain order has changed,
like this:
Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes)
 pkts bytes target prot opt in out source destination
   22  1699 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
   28  2167 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
   26  1999 neutron-vpn-agen-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-postrouting-bottom (1 references)
 pkts bytes target prot opt in out source destination
   22  1699 neutron-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0
   25  1915 neutron-vpn-agen-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-snat (1 references)
 pkts bytes target prot opt in out source destination
   22  1699 neutron-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
    2   168 SNAT all -- * * 111.111.111.0/24 0.0.0.0/0 to:12.12.12.54
Chain neutron-vpn-agen-POSTROUTING (1 references)
 pkts bytes target prot opt in out source destination
    1    84 ACCEPT all -- * * 111.111.111.0/24 123.123.123.0/24 policy match dir out pol ipsec
    0     0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
So the packet is SNATed first, and the VPN fails.
** Affects: neutron
Importance: Undecided
Status: New
** Tags: vpnaas
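The failure the report describes is a pure chain-ordering problem: the VPN agent's ACCEPT for IPsec-policy traffic only stops SNAT if its chain is consulted before neutron-postrouting-bottom. The following is an added check (not code from the bug report or from Neutron) that parses `iptables -t nat -L POSTROUTING -v -n` output from a router namespace and reports whether that order holds; the two listings inside it are constructed from the ordering shown in the report.

```python
"""Flag the POSTROUTING order from the bug report: neutron-postrouting-bottom
(which jumps to the SNAT rules) reached before the VPN agent's chain that
ACCEPTs IPsec-policy traffic. Added example; not code from the report or
from Neutron. Input is `iptables -t nat -L POSTROUTING -v -n` output."""

SNAT_ENTRY = "neutron-postrouting-bottom"
VPN_ENTRY = "neutron-vpn-agen-POSTROUTING"

# Constructed sample with the broken order from the bug report.
BROKEN = """\
Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  1699 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   28  2167 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   26  1999 neutron-vpn-agen-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample with the order the VPN needs: the vpn-agent chain
# (and its ACCEPT for IPsec-policy traffic) runs before the SNAT chain.
WORKING = """\
Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  1999 neutron-vpn-agen-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22  1699 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   28  2167 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def postrouting_targets(listing):
    """Return the jump targets of the builtin POSTROUTING chain, in rule order."""
    targets = []
    in_chain = False
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            in_chain = fields[1] == "POSTROUTING"
            continue
        if in_chain and fields[0] != "pkts" and len(fields) >= 3:
            targets.append(fields[2])  # columns: pkts bytes target ...
    return targets

def vpn_bypass_before_snat(listing):
    """True only if the VPN agent's chain precedes the SNAT chain (both present)."""
    targets = postrouting_targets(listing)
    if VPN_ENTRY not in targets or SNAT_ENTRY not in targets:
        return False
    return targets.index(VPN_ENTRY) < targets.index(SNAT_ENTRY)
```

On a live node, feed it the output of `ip netns exec qrouter-<router-id> iptables -t nat -L POSTROUTING -v -n`, re-run after an l3-agent restart or firewall change, and a False result reproduces the condition the report describes.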
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1456512
Title:
vpn and l3 agent has a conflict in icehouse.
Status in OpenStack Neutron (virtual network service):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1456512/+subscriptions