
yahoo-eng-team team mailing list archive

[Bug 1483315] [NEW] ebtables ARP rules don't account for floating IPs on LinuxBridge


Public bug reported:

The new ebtables ARP filtering rules don't account for floating IPs,
which blocks ARP replies from the qrouter netns the float lives in,
effectively blocking traffic to the float and thus the instance. Looking
at the ebtables code, rules are currently only added for ports with port
security enabled (port_filter:True), IPs in the fixed_ips list and IPs
in the allowed-address pairs list for a given port. Floating IPs do not
have port security enabled, aren't fixed_ips and aren't automatically
inserted into router gateway port AAPs.

This is an example ebtables -L --Lc list of the filter table on the root namespace where the router is:
http://paste.openstack.org/show/412384/

192.168.74.0/24 is the private instance network
172.29.248.0/22 is the public network

192.168.74.1 is the router inside IP
192.168.74.2 is the DHCP server IP
192.168.74.3 is the instance IP

172.29.248.2 is the router gateway/outside IP
172.29.248.3 is the DHCP server IP (forgot to disable for the public)
172.29.248.8 is the floating IP

As you can see, the floating IP is not in the rules, which results in
ARP replies from the qrouter namespace being dropped.

Adding the exception to ebtables results in working traffic, like this (line 18):
http://paste.openstack.org/show/412386/

For reference, here's ebtables from the compute node along with the instance information:
http://paste.openstack.org/show/412387/

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1483315


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1483315/+subscriptions
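The mechanism the report describes, per-port ARP filtering that only allows sender IPs taken from fixed_ips and allowed-address pairs and drops everything else, modelled as an added example. This is not the reporter's paste output and not neutron's linuxbridge agent code: the Port class, the chain name neutronARP-<device>, the use of the filter table's FORWARD chain and the device names are assumptions made for illustration; the ebtables syntax (`-p ARP --arp-ip-src <ip> -j ACCEPT` followed by a final DROP) is real. The script rebuilds the router gateway port from the addresses in the report, shows an ARP reply for 172.29.248.8 being dropped, and then shows the effect of the exception the reporter added by hand (the floating IP appended to that port's allow-list).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class Port:
    """Minimal stand-in for a Neutron port (hypothetical, not neutron's model)."""
    name: str                                   # bridge-side device, e.g. tapXXX or qg-XXX
    fixed_ips: List[str]
    allowed_address_pairs: List[str] = field(default_factory=list)
    port_security_enabled: bool = True


def allowed_arp_sources(port: Port, floating_ips: Iterable[str] = ()) -> List[str]:
    """Sender IPs the port may claim in ARP.

    As the bug describes, the agent only uses fixed_ips and allowed-address
    pairs. `floating_ips` is the exception the reporter added by hand: floats
    answered from this (router gateway) port are appended to the list.
    """
    seen = {}
    for ip in list(port.fixed_ips) + list(port.allowed_address_pairs) + list(floating_ips):
        seen[str(ipaddress.ip_address(ip))] = None   # validates syntax, de-duplicates, keeps order
    return list(seen)


def ebtables_rules(port: Port, floating_ips: Iterable[str] = ()) -> List[str]:
    """Render the per-port ARP chain as ebtables command lines.

    Chain name, table and the FORWARD jump are assumptions for illustration;
    the `--arp-ip-src ... -j ACCEPT` allow-list with a trailing DROP is the
    pattern the bug depends on.
    """
    if not port.port_security_enabled:
        return []                                # no chain is installed for such ports
    chain = f"neutronARP-{port.name}"
    rules = [
        f"ebtables -t filter -N {chain}",
        f"ebtables -t filter -A FORWARD -i {port.name} -p ARP -j {chain}",
    ]
    for ip in allowed_arp_sources(port, floating_ips):
        rules.append(f"ebtables -t filter -A {chain} -p ARP --arp-ip-src {ip} -j ACCEPT")
    rules.append(f"ebtables -t filter -A {chain} -p ARP -j DROP")
    return rules


def arp_verdict(port: Port, arp_ip_src: str, floating_ips: Iterable[str] = ()) -> str:
    """Walk the chain for an ARP frame entering the bridge from `port` whose
    sender protocol address is `arp_ip_src`; first matching rule wins."""
    if not port.port_security_enabled:
        return "ACCEPT"
    src = ipaddress.ip_address(arp_ip_src)
    for ip in allowed_arp_sources(port, floating_ips):
        if ipaddress.ip_address(ip) == src:
            return "ACCEPT"
    return "DROP"


# Addresses taken from the bug report (network node side); device name is made up.
ROUTER_GATEWAY_IP = "172.29.248.2"
FLOATING_IP = "172.29.248.8"


def demo() -> dict:
    """Reproduce the failure and the hand-added exception with the reporter's addresses."""
    qg = Port("qg-router-ext", fixed_ips=[ROUTER_GATEWAY_IP])
    return {
        "gateway_reply": arp_verdict(qg, ROUTER_GATEWAY_IP),           # ACCEPT
        "float_reply_before": arp_verdict(qg, FLOATING_IP),            # DROP: float is not a fixed_ip
        "float_reply_after": arp_verdict(qg, FLOATING_IP, floating_ips=[FLOATING_IP]),  # ACCEPT
        "rules_after": ebtables_rules(qg, floating_ips=[FLOATING_IP]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        if isinstance(value, list):
            print(key + ":\n  " + "\n  ".join(value))
        else:
            print(key + ":", value)
```

Run it with `python3` as-is; nothing is applied to a live bridge, the rule lines are only rendered so they can be compared against a real `ebtables -L --Lc` listing. The point to notice is that port security is evaluated on the router gateway port, which does carry a chain, while the floating IP port itself has no chain at all, so the float's address never reaches any allow-list unless something appends it.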

