yahoo-eng-team team mailing list archive
Message #47089
[Bug 1551530] [NEW] With snat disabled legacy router Pings to floating IPs replied with fixed-ips
Public bug reported:
On my single-node devstack setup, there are 2 VMs hosted. VM1 has no floating IP assigned. VM2 has a floating IP assigned. From VM1, ping VM2 using the floating IP. The ping output reports that the replies come from VM2's fixed IP address.
The reply should be from VM2's floating IP address.
VM1: 10.0.0.4
VM2: 10.0.0.3 floating ip:172.24.4.4
$ ping 172.24.4.4 -c 1 -W 1
PING 172.24.4.4 (172.24.4.4): 56 data bytes
64 bytes from 10.0.0.3: seq=0 ttl=64 time=3.440 ms
This only happens for a legacy router with SNAT disabled when, at the
same time, VM1 and VM2 are in the same subnet.
Comparing the iptables rules, the following rule is missing when SNAT is
disabled.
Chain neutron-vpn-agen-snat (1 references)
pkts bytes target prot opt in out source destination
1 84 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.6
This rule SNATs internal traffic to the floating IP. Without this rule,
the packet from VM2 replying to VM1 is treated as traffic inside the
subnet, and that traffic does not go through the router. As a result, the
DNAT record in the router namespace does not apply to the reply packet.
The intended fix will add the mentioned iptables rule regardless of
whether SNAT is enabled. Then the packet from VM2 replying to VM1 will be
destined to <172.24.4.6> and go through the router namespace. As a result,
the DNAT and SNAT records will work to make things right.
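To make the packet flow described in this report concrete, here is an added Python model of the router namespace's NAT behaviour (example code, not Neutron's own). It replays the ping from VM1 to VM2's floating IP with and without the `ctstate DNAT ... SNAT` rule and reports which source address VM1 sees in the reply. It assumes the addresses from the report (VM1 10.0.0.4, VM2 10.0.0.3, floating IP 172.24.4.4) and that 172.24.4.6 in the listed rule is the router's external gateway address; the conntrack bookkeeping is a deliberately simplified stand-in for the kernel's. A small helper also checks an `iptables -t nat -L -v -n` style listing for the presence of that SNAT rule.

```python
from dataclasses import dataclass

# Addresses taken from the bug report; ROUTER_GW is assumed to be the
# address the listed SNAT rule rewrites to.
VM1 = "10.0.0.4"
VM2 = "10.0.0.3"
VM2_FIP = "172.24.4.4"
ROUTER_GW = "172.24.4.6"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def same_subnet(a: str, b: str) -> bool:
    """Toy /24 check: both VMs sit in 10.0.0.0/24 in the report."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


class RouterNamespace:
    """Simplified model of the legacy router's nat table plus conntrack."""

    def __init__(self, fip_map: dict, hairpin_snat: bool):
        self.fip_map = fip_map          # floating IP -> fixed IP (DNAT)
        self.hairpin_snat = hairpin_snat  # the "ctstate DNAT -> SNAT" rule
        self.conntrack = {}             # reply tuple -> original (src, dst)

    def forward(self, pkt: Packet) -> Packet:
        fixed = self.fip_map.get(pkt.dst)
        if fixed is None:
            return pkt  # not a floating IP, forwarded untouched
        # PREROUTING: DNAT floating IP -> fixed IP.
        new_src, new_dst = pkt.src, fixed
        # POSTROUTING: only with the rule from the report is a DNATed
        # packet also SNATed to the router's own address.
        if self.hairpin_snat:
            new_src = ROUTER_GW
        # Remember how to un-NAT the reply (dst/src swapped).
        self.conntrack[(new_dst, new_src)] = (pkt.src, pkt.dst)
        return Packet(new_src, new_dst)

    def un_nat_reply(self, pkt: Packet) -> Packet:
        orig = self.conntrack.get((pkt.src, pkt.dst))
        if orig is None:
            return pkt
        orig_src, orig_dst = orig
        return Packet(orig_dst, orig_src)  # reply appears to come from the FIP


def reply_source_seen_by_vm1(hairpin_snat: bool) -> str:
    """Source address VM1 sees in the echo reply for the given rule set."""
    router = RouterNamespace({VM2_FIP: VM2}, hairpin_snat)
    # VM1 targets an off-subnet address, so the request goes via the router.
    delivered = router.forward(Packet(VM1, VM2_FIP))
    # VM2 answers whatever source address it saw.
    reply = Packet(delivered.dst, delivered.src)
    if same_subnet(reply.src, reply.dst):
        # Same subnet: delivered directly at L2, the router never sees it,
        # so the DNAT record is never reversed.
        return reply.src
    return router.un_nat_reply(reply).src


def has_hairpin_snat_rule(listing: str) -> bool:
    """True if an iptables -t nat -L -v -n listing contains the SNAT rule
    from the report (SNAT target, ctstate DNAT match, in a *-snat chain)."""
    chain = None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if chain and chain.endswith("-snat") and "SNAT" in line \
                and "ctstate DNAT" in line and "to:" in line:
            return True
    return False


# Constructed listing, modelled on the chain shown in the report.
SAMPLE_LISTING = """Chain neutron-vpn-agen-snat (1 references)
 pkts bytes target prot opt in out source destination
    1    84 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.6
"""

if __name__ == "__main__":
    print("rule missing:", reply_source_seen_by_vm1(False))  # fixed IP
    print("rule present:", reply_source_seen_by_vm1(True))   # floating IP
    print("listing has rule:", has_hairpin_snat_rule(SAMPLE_LISTING))
```

The model makes the report's argument visible: without the hairpin SNAT rule VM2 sees VM1's fixed address as the source, answers it directly on the shared subnet, and VM1 reports a reply from 10.0.0.3; with the rule the reply is forced back through the router namespace, where conntrack reverses both translations and VM1 sees 172.24.4.4.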
** Affects: neutron
Importance: Undecided
Assignee: Hong Hui Xiao (xiaohhui)
Status: New
** Changed in: neutron
Assignee: (unassigned) => Hong Hui Xiao (xiaohhui)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1551530
Title:
With snat disabled legacy router Pings to floating IPs replied with
fixed-ips
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1551530/+subscriptions