
yahoo-eng-team team mailing list archive

[Bug 1456512] Re: vpn and l3 agent has a conflict in icehouse.

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1456512

Title:
  vpn and l3 agent has a conflict in icehouse.

Status in neutron:
  Expired

Bug description:
  The test steps:
  1. Create subnets named A and B.
  2. Create routers named A and B.
  3. Add subnet A to router A, and set the gateway for router A. Then do the same with B.
  4. Create vpn A: the vpn subnet uses subnet A, the peer gateway uses router B's gateway, the peer subnet uses subnet B.
  5. Create vpn B: the vpn subnet uses subnet B, the peer gateway uses router A's gateway, the peer subnet uses subnet A.

  Then test the vpn: subnet A and B can communicate.

  But after I restart the l3 agent or create a firewall (not a rule problem)
  in the tenant, subnet A and B cannot communicate.

  I found an issue in qrouter A's or B's iptables nat table:

  vpn uses one chain to prevent the SNAT, but after I restart the l3 agent or
  create a firewall, the chain order has changed.

  like this:

  Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes)
  pkts bytes target prot opt in out source destination
  22 1699 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
  28 2167 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
  26 1999 neutron-vpn-agen-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0

  Chain neutron-l3-agent-POSTROUTING (1 references)
  pkts bytes target prot opt in out source destination
  0 0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT

  Chain neutron-postrouting-bottom (1 references)
  pkts bytes target prot opt in out source destination
  22 1699 neutron-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0
  25 1915 neutron-vpn-agen-snat all -- * * 0.0.0.0/0 0.0.0.0/0

  Chain neutron-l3-agent-snat (1 references)
  pkts bytes target prot opt in out source destination
  22 1699 neutron-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
  2 168 SNAT all -- * * 111.111.111.0/24 0.0.0.0/0 to:12.12.12.54

  Chain neutron-vpn-agen-POSTROUTING (1 references)
  pkts bytes target prot opt in out source destination
  1 84 ACCEPT all -- * * 111.111.111.0/24 123.123.123.0/24 policy match dir out pol ipsec
  0 0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT

  so the packet is SNATed first, and the vpn fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1456512/+subscriptions
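The chain-order problem the reporter describes can be checked mechanically from `iptables -t nat -L -n -v` output. The script below is an added example, not code from the report or from neutron: it parses that listing, follows jumps between chains, and flags any POSTROUTING order in which a chain holding an IPsec `policy match ... pol ipsec` ACCEPT is only reached after a chain that already performs SNAT or MASQUERADE. The sample listing is constructed from the report above (the `opt` column restored to `--`; chains the report does not show, such as `neutron-vpn-agen-snat`, are treated as unknown and assumed not to SNAT). Function names and the "fixed" variant of the listing are my own.

```python
"""Flag nat POSTROUTING orders where SNAT runs before the IPsec exemption.

Input is plain `iptables -t nat -L -n -v` text (constructed here from the
Launchpad report; column order is pkts bytes target prot opt in out source
destination [extra match text]).
"""
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Built-in targets that do not jump to a user-defined chain.
_TERMINAL = {"ACCEPT", "DROP", "RETURN", "SNAT", "DNAT", "MASQUERADE",
             "REDIRECT", "LOG", "MARK"}

_RULE_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

# Sub-chains exactly as listed in the report (shared by both variants below).
_SUBCHAINS = """\
Chain neutron-l3-agent-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT

Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
22 1699 neutron-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0
25 1915 neutron-vpn-agen-snat all -- * * 0.0.0.0/0 0.0.0.0/0

Chain neutron-l3-agent-snat (1 references)
pkts bytes target prot opt in out source destination
22 1699 neutron-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
2 168 SNAT all -- * * 111.111.111.0/24 0.0.0.0/0 to:12.12.12.54

Chain neutron-vpn-agen-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
1 84 ACCEPT all -- * * 111.111.111.0/24 123.123.123.0/24 policy match dir out pol ipsec
0 0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
"""

# Top-level order as reported after the l3 agent restart (SNAT before the vpn chain).
REPORTED = """\
Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes)
pkts bytes target prot opt in out source destination
22 1699 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
28 2167 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
26 1999 neutron-vpn-agen-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0

""" + _SUBCHAINS

# Constructed "healthy" variant: the vpn chain is consulted before the SNAT chain.
FIXED = """\
Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes)
pkts bytes target prot opt in out source destination
22 1699 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
26 1999 neutron-vpn-agen-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
28 2167 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0

""" + _SUBCHAINS


def parse_iptables_lnv(text: str) -> Dict[str, List[dict]]:
    """Parse `iptables -L -n -v` output into {chain_name: [rule, ...]}, keeping rule order."""
    chains: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None            # blank line ends the current chain block
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if current is None or line.startswith("pkts "):
            continue                  # column header or stray text
        m = _RULE_RE.match(line)
        if m:
            _, _, target, _, _, _, _, src, dst, extra = m.groups()
            chains[current].append({"target": target, "src": src, "dst": dst, "extra": extra})
    return chains


def _chain_has(chains: Dict[str, List[dict]], name: str,
               pred: Callable[[dict], bool], seen: Optional[Set[str]] = None) -> bool:
    """True if chain `name`, or any chain it jumps to, contains a rule matching `pred`."""
    if seen is None:
        seen = set()
    if name in seen or name not in chains:   # unknown chains are assumed to do nothing
        return False
    seen.add(name)
    for rule in chains[name]:
        if pred(rule):
            return True
        if rule["target"] not in _TERMINAL and _chain_has(chains, rule["target"], pred, seen):
            return True
    return False


def does_snat(chains: Dict[str, List[dict]], name: str) -> bool:
    return _chain_has(chains, name, lambda r: r["target"] in ("SNAT", "MASQUERADE"))


def exempts_ipsec(chains: Dict[str, List[dict]], name: str) -> bool:
    return _chain_has(chains, name,
                      lambda r: r["target"] == "ACCEPT" and "pol ipsec" in r["extra"])


def check_postrouting_order(chains: Dict[str, List[dict]]) -> List[Tuple[str, str]]:
    """Return (ipsec_exempting_chain, earlier_snat_chain) pairs; empty means the order is sound."""
    findings: List[Tuple[str, str]] = []
    snat_seen: List[str] = []
    for rule in chains.get("POSTROUTING", []):
        target = rule["target"]
        if target in _TERMINAL:
            continue
        if exempts_ipsec(chains, target):
            findings.extend((target, earlier) for earlier in snat_seen)
        if does_snat(chains, target):
            snat_seen.append(target)
    return findings


if __name__ == "__main__":
    for label, listing in (("reported", REPORTED), ("fixed", FIXED)):
        print(label, check_postrouting_order(parse_iptables_lnv(listing)) or "order OK")
```

Run against a live router namespace with `ip netns exec qrouter-<id> iptables -t nat -L -n -v` piped into `parse_iptables_lnv`; a non-empty result means IPsec-bound traffic is being source-NATed before the vpn agent's exemption is evaluated, which is exactly the symptom the report describes.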

