yahoo-eng-team team mailing list archive
Message #56074
[Bug 1456512] Re: vpn and l3 agent has a conflict in icehouse.
[Expired for neutron because there has been no activity for 60 days.]
** Changed in: neutron
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1456512
Title:
vpn and l3 agent has a conflict in icehouse.
Status in neutron:
Expired
Bug description:
The test steps:
1. Create subnets named A and B.
2. Create routers named A and B.
3. Add subnet A to router A, and set a gateway for router A. Then do the same with B.
4. Create vpn A: the vpn subnet uses subnet A, the peer gateway uses router B's gateway, and the peer subnet uses subnet B.
5. Create vpn B: the vpn subnet uses subnet B, the peer gateway uses router A's gateway, and the peer subnet uses subnet A.
Then test the vpn: subnets A and B can communicate.
But after I restart the l3 agent or create a firewall (not a rule problem)
in the tenant, subnets A and B cannot communicate.
I found an issue in qrouter A's or B's iptables nat table:
the vpn uses one chain to prevent SNAT, but after I restart the l3 agent or
create a firewall, the chain order has changed,
like this:
Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes)
pkts bytes target prot opt in out source destination
22 1699 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
28 2167 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
26 1999 neutron-vpn-agen-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
22 1699 neutron-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0
25 1915 neutron-vpn-agen-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-snat (1 references)
pkts bytes target prot opt in out source destination
22 1699 neutron-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
2 168 SNAT all -- * * 111.111.111.0/24 0.0.0.0/0 to:12.12.12.54
Chain neutron-vpn-agen-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
1 84 ACCEPT all -- * * 111.111.111.0/24 123.123.123.0/24 policy match dir out pol ipsec
0 0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
So the packet is SNATed first, and the vpn fails.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1456512/+subscriptions
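As an added check (not from the bug report and not neutron's own code), the script below parses `iptables -t nat -L -v -n` output, walks the POSTROUTING chain in the order a packet would traverse it (following jumps into user chains), and reports whether the IPsec policy-match ACCEPT is reached before any SNAT rule. The sample output is constructed to mirror the broken ordering in the report; `vpn_bypasses_snat` and the other function names are assumed helper names.

```python
# Constructed sample in the shape of `iptables -t nat -L -v -n` output, mirroring the
# broken chain order from the report (vpn-agent chain jumped to after the SNAT chain).
BROKEN = """\
Chain POSTROUTING (policy ACCEPT 19 packets, 1447 bytes)
 pkts bytes target prot opt in out source destination
   22 1699 neutron-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
   28 2167 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
   26 1999 neutron-vpn-agen-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- !qg-bd458156-6e !qg-bd458156-6e 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-postrouting-bottom (1 references)
 pkts bytes target prot opt in out source destination
   22 1699 neutron-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0
   25 1915 neutron-vpn-agen-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-snat (1 references)
 pkts bytes target prot opt in out source destination
    2 168 SNAT all -- * * 111.111.111.0/24 0.0.0.0/0 to:12.12.12.54
Chain neutron-vpn-agen-POSTROUTING (1 references)
 pkts bytes target prot opt in out source destination
    1 84 ACCEPT all -- * * 111.111.111.0/24 123.123.123.0/24 policy match dir out pol ipsec
"""


def parse_chains(text):
    """Parse `iptables -L -v -n` output into {chain: [(target, rest_of_rule), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line and not line.startswith("pkts"):
            fields = line.split()          # pkts bytes target prot opt in out src dst [extra]
            chains[current].append((fields[2], " ".join(fields[3:])))
    return chains


def walk(chains, chain, seen=()):
    """Yield rules in the order a packet meets them, descending into user-chain jumps."""
    for target, rest in chains.get(chain, []):
        if target in chains and target not in seen:
            yield from walk(chains, target, seen + (chain,))
        else:
            yield target, rest


def vpn_bypasses_snat(text, chain="POSTROUTING"):
    """True if the IPsec policy-match ACCEPT is hit before any SNAT/MASQUERADE rule."""
    for target, rest in walk(parse_chains(text), chain):
        if target == "ACCEPT" and "pol ipsec" in rest:
            return True                    # vpn traffic leaves unNATed, as intended
        if target in ("SNAT", "MASQUERADE"):
            return False                   # SNAT wins first: the bug from the report
    return False
```

Run it against the real output of `ip netns exec qrouter-<id> iptables -t nat -L -v -n` to confirm the ordering on a live router after an l3-agent restart.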