[Bug 1490984] [NEW] instance bound to a floating ip cannot ping external gateway, but I can ping the other pc in external network
Public bug reported:
An instance (on 192.168.100.0/24) that is bound to a floating IP cannot ping the external gateway (192.168.1.1). If I disassociate the floating IP, the instance can ping the gateway (192.168.1.1).
I deploy openstack all in one physical compute following the guide:
http://docs.openstack.org/kilo/install-
guide/install/yum/content/ch_networking.html
Nova is installed on compute1, and compute1 acts as the hypervisor.
[root@compute1 ~]# virsh list
Id Name State
----------------------------------------------------
5 IaaS_openstack_controller_centos7.0 running
6 IaaS_openstack_network_centos7.0 running
7 IaaS_openstack_block1_centos7.0 running
38 instance-0000000f running
39 instance-0000000e running
neutron has been installed in IaaS_openstack_network_centos7.0
------------------init the neutron network:
[root@controller keystone]# neutron net-create ext-net --router:external --provider:physical_network external --provider:network_type flat
[root@controller keystone]# neutron subnet-create ext-net 192.168.1.0/24 --name ext-subnet --allocation-pool start=192.168.1.240,end=192.168.1.250 --disable-dhcp --gateway 192.168.1.1
[root@controller keystone]# neutron net-create demo-net
[root@controller keystone]# neutron subnet-create demo-net 192.168.100.0/24 --name demo-subnet --gateway 192.168.100.1
[root@controller keystone]# neutron router-create demo-router
[root@controller keystone]# neutron router-interface-add demo-router demo-subnetc
[root@controller keystone]# neutron router-gateway-set demo-router ext-net
------------------@network
[root@network ~]# neutron agent-list
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id | agent_type | host | alive | admin_state_up | binary |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 0923f4c3-8f0a-4468-b239-011117942c32 | L3 agent | compute1 | xxx | True | neutron-l3-agent |
| 1ce168ed-4d96-4c41-8bbd-6a9da22b3d24 | DHCP agent | controller | xxx | True | neutron-dhcp-agent |
| 276d38c8-d2b7-4799-b1ee-849738a1dd44 | Metadata agent | compute1 | xxx | True | neutron-metadata-agent |
| 565ed14a-bfde-4258-9df3-9a7819394410 | Metadata agent | network | :-) | True | neutron-metadata-agent |
| a8cfbb25-7323-4e6a-b29f-8c16c0e6e5ef | DHCP agent | compute1 | xxx | True | neutron-dhcp-agent |
| bd81321b-888c-42ca-bf40-fe921f19a23c | DHCP agent | network | :-) | True | neutron-dhcp-agent |
| c7313ecd-0715-4a62-9b4c-19f1c4f364fc | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent |
| cdf31fd6-143d-4104-8b75-e378da2b11fd | L3 agent | network | :-) | True | neutron-l3-agent |
| ee2821f0-57f7-4cb0-85d4-a34a203ddb57 | Metadata agent | controller | xxx | True | neutron-metadata-agent |
| f47e9e85-b7ee-4dcf-979a-7353c1e5b4b5 | Open vSwitch agent | network | :-) | True | neutron-openvswitch-agent |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
[root@network ~]# ip netns list
qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870
qdhcp-c2ba1db5-1ce2-4e35-8ac5-31691b930156
[root@network ~]# ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
10: qr-346be01a-09: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:f8:d1:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global qr-346be01a-09
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fef8:d1e7/64 scope link
valid_lft forever preferred_lft forever
11: qg-46e0fef7-b7: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:4a:87:c3 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.240/24 brd 192.168.1.255 scope global qg-46e0fef7-b7
valid_lft forever preferred_lft forever
inet 192.168.1.244/32 brd 192.168.1.244 scope global qg-46e0fef7-b7
valid_lft forever preferred_lft forever
inet 192.168.1.242/32 brd 192.168.1.242 scope global qg-46e0fef7-b7
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe4a:87c3/64 scope link
valid_lft forever preferred_lft forever
[root@network ~]# ip netns exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 qg-46e0fef7-b7
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-46e0fef7-b7
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-346be01a-09
[root@network ~]# ip netns exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 192.168.1.244/32 -j DNAT --to-destination 192.168.100.12
-A neutron-l3-agent-OUTPUT -d 192.168.1.242/32 -j DNAT --to-destination 192.168.100.13
-A neutron-l3-agent-POSTROUTING ! -i qg-46e0fef7-b7 ! -o qg-46e0fef7-b7 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.168.1.244/32 -j DNAT --to-destination 192.168.100.12
-A neutron-l3-agent-PREROUTING -d 192.168.1.242/32 -j DNAT --to-destination 192.168.100.13
-A neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.244
-A neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-46e0fef7-b7 -j SNAT --to-source 192.168.1.240
-A neutron-l3-agent-snat -m mark ! --mark 0x2 -m conntrack --ctstate DNAT -j SNAT --to-source 192.168.1.240
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat
------------------------------------Qst:
If I associate a floating IP with the instances (192.168.100.0/24), I cannot ping
the external gateway (192.168.1.1) from inside the instances, but I can ping the other
PC (192.168.1.99) in the external network, and I can ping the floating
IP (192.168.1.242) from the external network (192.168.1.88).
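I cannot ping the gateway, but if I remove the neutron-l3-agent-float-snat rules, I can ping it (note: in the listing above the rule for 192.168.100.12 uses --to-source 192.168.1.244, not 192.168.1.242 as in the second command below):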
ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.242
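I found that the iptables rules change again when I re-associate the floating IP.
The question is: why?
Why must I remove the neutron-l3-agent-float-snat rules? With them removed, the instance's outbound traffic is no longer translated to its floating IP and instead falls through to the neutron-l3-agent-snat rule, which rewrites the source to the router address 192.168.1.240. I could not find where the problem is...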
thank you!
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1490984
Title:
instance bound to a floating ip cannot ping external gateway, but I can
ping the other pc in external network
Status in neutron:
New
Bug description:
An instance (on 192.168.100.0/24) that is bound to a floating IP cannot ping the external gateway (192.168.1.1). If I disassociate the floating IP, the instance can ping the gateway (192.168.1.1).
I deploy openstack all in one physical compute following the guide:
http://docs.openstack.org/kilo/install-
guide/install/yum/content/ch_networking.html
Nova is installed on compute1, and compute1 acts as the hypervisor.
[root@compute1 ~]# virsh list
Id Name State
----------------------------------------------------
5 IaaS_openstack_controller_centos7.0 running
6 IaaS_openstack_network_centos7.0 running
7 IaaS_openstack_block1_centos7.0 running
38 instance-0000000f running
39 instance-0000000e running
neutron has been installed in IaaS_openstack_network_centos7.0
------------------init the neutron network:
[root@controller keystone]# neutron net-create ext-net --router:external --provider:physical_network external --provider:network_type flat
[root@controller keystone]# neutron subnet-create ext-net 192.168.1.0/24 --name ext-subnet --allocation-pool start=192.168.1.240,end=192.168.1.250 --disable-dhcp --gateway 192.168.1.1
[root@controller keystone]# neutron net-create demo-net
[root@controller keystone]# neutron subnet-create demo-net 192.168.100.0/24 --name demo-subnet --gateway 192.168.100.1
[root@controller keystone]# neutron router-create demo-router
[root@controller keystone]# neutron router-interface-add demo-router demo-subnetc
[root@controller keystone]# neutron router-gateway-set demo-router ext-net
------------------@network
[root@network ~]# neutron agent-list
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id | agent_type | host | alive | admin_state_up | binary |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 0923f4c3-8f0a-4468-b239-011117942c32 | L3 agent | compute1 | xxx | True | neutron-l3-agent |
| 1ce168ed-4d96-4c41-8bbd-6a9da22b3d24 | DHCP agent | controller | xxx | True | neutron-dhcp-agent |
| 276d38c8-d2b7-4799-b1ee-849738a1dd44 | Metadata agent | compute1 | xxx | True | neutron-metadata-agent |
| 565ed14a-bfde-4258-9df3-9a7819394410 | Metadata agent | network | :-) | True | neutron-metadata-agent |
| a8cfbb25-7323-4e6a-b29f-8c16c0e6e5ef | DHCP agent | compute1 | xxx | True | neutron-dhcp-agent |
| bd81321b-888c-42ca-bf40-fe921f19a23c | DHCP agent | network | :-) | True | neutron-dhcp-agent |
| c7313ecd-0715-4a62-9b4c-19f1c4f364fc | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent |
| cdf31fd6-143d-4104-8b75-e378da2b11fd | L3 agent | network | :-) | True | neutron-l3-agent |
| ee2821f0-57f7-4cb0-85d4-a34a203ddb57 | Metadata agent | controller | xxx | True | neutron-metadata-agent |
| f47e9e85-b7ee-4dcf-979a-7353c1e5b4b5 | Open vSwitch agent | network | :-) | True | neutron-openvswitch-agent |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
[root@network ~]# ip netns list
qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870
qdhcp-c2ba1db5-1ce2-4e35-8ac5-31691b930156
[root@network ~]# ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
10: qr-346be01a-09: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:f8:d1:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global qr-346be01a-09
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fef8:d1e7/64 scope link
valid_lft forever preferred_lft forever
11: qg-46e0fef7-b7: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:4a:87:c3 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.240/24 brd 192.168.1.255 scope global qg-46e0fef7-b7
valid_lft forever preferred_lft forever
inet 192.168.1.244/32 brd 192.168.1.244 scope global qg-46e0fef7-b7
valid_lft forever preferred_lft forever
inet 192.168.1.242/32 brd 192.168.1.242 scope global qg-46e0fef7-b7
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe4a:87c3/64 scope link
valid_lft forever preferred_lft forever
[root@network ~]# ip netns exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 qg-46e0fef7-b7
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-46e0fef7-b7
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-346be01a-09
[root@network ~]# ip netns exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 192.168.1.244/32 -j DNAT --to-destination 192.168.100.12
-A neutron-l3-agent-OUTPUT -d 192.168.1.242/32 -j DNAT --to-destination 192.168.100.13
-A neutron-l3-agent-POSTROUTING ! -i qg-46e0fef7-b7 ! -o qg-46e0fef7-b7 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.168.1.244/32 -j DNAT --to-destination 192.168.100.12
-A neutron-l3-agent-PREROUTING -d 192.168.1.242/32 -j DNAT --to-destination 192.168.100.13
-A neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.244
-A neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-46e0fef7-b7 -j SNAT --to-source 192.168.1.240
-A neutron-l3-agent-snat -m mark ! --mark 0x2 -m conntrack --ctstate DNAT -j SNAT --to-source 192.168.1.240
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat
------------------------------------Qst:
If I associate a floating IP with the instances (192.168.100.0/24), I cannot
ping the external gateway (192.168.1.1) from inside the instances, but I can ping the
other PC (192.168.1.99) in the external network, and I can ping the
floating IP (192.168.1.242) from the external network (192.168.1.88).
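I cannot ping the gateway, but if I remove the neutron-l3-agent-float-snat rules, I can ping it (note: in the listing above the rule for 192.168.100.12 uses --to-source 192.168.1.244, not 192.168.1.242 as in the second command below):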
ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.242
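I found that the iptables rules change again when I re-associate the floating IP.
The question is: why?
Why must I remove the neutron-l3-agent-float-snat rules? With them removed, the instance's outbound traffic is no longer translated to its floating IP and instead falls through to the neutron-l3-agent-snat rule, which rewrites the source to the router address 192.168.1.240. I could not find where the problem is...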
thank you!
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1490984/+subscriptions