yahoo-eng-team team mailing list archive

[Bug 1174657] Re: metadata IP 169.254.169.254 routing breaks RFC3927 and does not work on Windows starting from WS 2008

 

** Changed in: neutron
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1174657

Title:
  metadata IP 169.254.169.254 routing breaks RFC3927 and does not work
  on Windows starting from WS 2008

Status in neutron:
  Fix Released

Bug description:
  The Quantum L3 Linux Agent handles metadata IP access with the
  following rule:

  -A quantum-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp
  --dport 80 -j REDIRECT --to-ports 9697

  obtained with:  sudo ip netns exec qrouter-<router-id> iptables-save

  
  169.254.x.x link-local addresses are described in RFC3927, whose section 2.6.2 clearly states:

  "The host MUST NOT send a packet with an IPv4 Link-Local destination
  address to any router for forwarding."

  And in section 2.7:

  "An IPv4 packet whose source and/or destination address is in the
  169.254/16 prefix MUST NOT be sent to any router for forwarding, and
  any network device receiving such a packet MUST NOT forward it,
  regardless of the TTL in the IPv4 header."

  Ref: http://tools.ietf.org/html/rfc3927#section-2.6.2

  
  Linux does not enforce this rule, but Windows starting with 2008 and Vista does, which means that the metadata IP 169.254.169.254 is not accessible from a Windows guest (tested on Windows Server 2012 on Hyper-V).

  
  The current workaround consists of explicitly adding a static route on the Windows guest with:

  route add 169.254.169.254 mask 255.255.255.255 <router-ip>

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1174657/+subscriptions
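
An added example, not part of the bug report or of neutron's code: an audit check that reads `iptables-save` output from a router namespace and lists rules matching a destination inside 169.254/16, the traffic an RFC 3927-compliant guest will not send to the router. The function names are hypothetical, and the sample ruleset is constructed except for the REDIRECT rule quoted in the report.

```python
import ipaddress
import shlex

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 prefix

# Constructed sample; only the REDIRECT rule comes from the bug report.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:quantum-l3-agent-PREROUTING - [0:0]
-A PREROUTING -j quantum-l3-agent-PREROUTING
-A quantum-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A quantum-l3-agent-PREROUTING -d 10.0.0.5/32 -j DNAT --to-destination 192.0.2.10
COMMIT
"""

def parse_rule(line):
    """Parse one '-A' line into a dict of options; return None for other lines."""
    if not line.startswith("-A "):
        return None  # table headers, chain policies, comments, COMMIT
    tokens = shlex.split(line)
    rule = {"chain": tokens[1], "negated": set()}
    negate, i = False, 2
    while i < len(tokens):
        if tokens[i] == "!":  # '!' inverts the option that follows it
            negate, i = True, i + 1
            continue
        key = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        has_value = nxt is not None and nxt != "!" and not nxt.startswith("-")
        rule[key] = nxt if has_value else True
        if negate:
            rule["negated"].add(key)
            negate = False
        i += 2 if has_value else 1
    return rule

def link_local_rules(ruleset):
    """Return (chain, destination, target, to_ports) for rules whose -d is in 169.254/16."""
    hits = []
    for line in ruleset.splitlines():
        rule = parse_rule(line.strip())
        if not rule or "-d" not in rule or "-d" in rule["negated"]:
            continue
        dest = ipaddress.ip_network(rule["-d"], strict=False)
        if dest.version == 4 and dest.subnet_of(LINK_LOCAL):
            hits.append((rule["chain"], str(dest), rule.get("-j"), rule.get("--to-ports")))
    return hits

if __name__ == "__main__":
    for hit in link_local_rules(SAMPLE):
        print(hit)
```
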