← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1490984] Re: instance binded floating ip cannot ping external gateway, bug i can ping the other pc in external network

 

mitaka has no problems, so fixed

** Changed in: neutron
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1490984

Title:
  instance binded floating ip cannot ping external gateway, bug i can
  ping the other pc in external network

Status in neutron:
  Fix Released

Bug description:
  
  instance(192.168.100.0/24) binded floating ip cannot ping external gateway(192.168.1.1), if I disassociate floating ip I can ping the gateway(192.168.1.1).

  I deploy openstack all in one physical compute following the guide:
  http://docs.openstack.org/kilo/install-
  guide/install/yum/content/ch_networking.html

  nova install in compute1 and compute1 as the hypervisor.
  [root@compute1 ~]# virsh list
   Id    Name                           State
  ----------------------------------------------------
   5     IaaS_openstack_controller_centos7.0 running
   6     IaaS_openstack_network_centos7.0 running
   7     IaaS_openstack_block1_centos7.0 running
   38    instance-0000000f              running
   39    instance-0000000e              running

  neutron has been installed in IaaS_openstack_network_centos7.0

  
  ------------------init the neutron network:
  [root@controller keystone]# neutron net-create ext-net --router:external --provider:physical_network external --provider:network_type flat
  [root@controller keystone]# neutron subnet-create ext-net 192.168.1.0/24 --name ext-subnet --allocation-pool start=192.168.1.240,end=192.168.1.250 --disable-dhcp --gateway 192.168.1.1
  [root@controller keystone]# neutron net-create demo-net
  [root@controller keystone]# neutron subnet-create demo-net 192.168.100.0/24 --name demo-subnet --gateway 192.168.100.1
  [root@controller keystone]# neutron router-create demo-router
  [root@controller keystone]# neutron router-interface-add demo-router demo-subnetc
  [root@controller keystone]# neutron router-gateway-set demo-router ext-net

  
  ------------------@network
  [root@network ~]# neutron agent-list
  +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
  | id                                   | agent_type         | host       | alive | admin_state_up | binary                    |
  +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
  | 0923f4c3-8f0a-4468-b239-011117942c32 | L3 agent           | compute1   | xxx   | True           | neutron-l3-agent          |
  | 1ce168ed-4d96-4c41-8bbd-6a9da22b3d24 | DHCP agent         | controller | xxx   | True           | neutron-dhcp-agent        |
  | 276d38c8-d2b7-4799-b1ee-849738a1dd44 | Metadata agent     | compute1   | xxx   | True           | neutron-metadata-agent    |
  | 565ed14a-bfde-4258-9df3-9a7819394410 | Metadata agent     | network    | :-)   | True           | neutron-metadata-agent    |
  | a8cfbb25-7323-4e6a-b29f-8c16c0e6e5ef | DHCP agent         | compute1   | xxx   | True           | neutron-dhcp-agent        |
  | bd81321b-888c-42ca-bf40-fe921f19a23c | DHCP agent         | network    | :-)   | True           | neutron-dhcp-agent        |
  | c7313ecd-0715-4a62-9b4c-19f1c4f364fc | Open vSwitch agent | compute1   | :-)   | True           | neutron-openvswitch-agent |
  | cdf31fd6-143d-4104-8b75-e378da2b11fd | L3 agent           | network    | :-)   | True           | neutron-l3-agent          |
  | ee2821f0-57f7-4cb0-85d4-a34a203ddb57 | Metadata agent     | controller | xxx   | True           | neutron-metadata-agent    |
  | f47e9e85-b7ee-4dcf-979a-7353c1e5b4b5 | Open vSwitch agent | network    | :-)   | True           | neutron-openvswitch-agent |
  +--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
  [root@network ~]# ip netns list
  qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870
  qdhcp-c2ba1db5-1ce2-4e35-8ac5-31691b930156
  [root@network ~]# ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 ip a
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  10: qr-346be01a-09: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
      link/ether fa:16:3e:f8:d1:e7 brd ff:ff:ff:ff:ff:ff
      inet 192.168.100.1/24 brd 192.168.100.255 scope global qr-346be01a-09
         valid_lft forever preferred_lft forever
      inet6 fe80::f816:3eff:fef8:d1e7/64 scope link
         valid_lft forever preferred_lft forever
  11: qg-46e0fef7-b7: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
      link/ether fa:16:3e:4a:87:c3 brd ff:ff:ff:ff:ff:ff
      inet 192.168.1.240/24 brd 192.168.1.255 scope global qg-46e0fef7-b7
         valid_lft forever preferred_lft forever
      inet 192.168.1.244/32 brd 192.168.1.244 scope global qg-46e0fef7-b7
         valid_lft forever preferred_lft forever
      inet 192.168.1.242/32 brd 192.168.1.242 scope global qg-46e0fef7-b7
         valid_lft forever preferred_lft forever
      inet6 fe80::f816:3eff:fe4a:87c3/64 scope link
         valid_lft forever preferred_lft forever
  [root@network ~]# ip netns exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 route
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  default         192.168.1.1     0.0.0.0         UG    0      0        0 qg-46e0fef7-b7
  192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 qg-46e0fef7-b7
  192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 qr-346be01a-09

  [root@network ~]# ip netns exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -S
  -P PREROUTING ACCEPT
  -P INPUT ACCEPT
  -P OUTPUT ACCEPT
  -P POSTROUTING ACCEPT
  -N neutron-l3-agent-OUTPUT
  -N neutron-l3-agent-POSTROUTING
  -N neutron-l3-agent-PREROUTING
  -N neutron-l3-agent-float-snat
  -N neutron-l3-agent-snat
  -N neutron-postrouting-bottom
  -A PREROUTING -j neutron-l3-agent-PREROUTING
  -A OUTPUT -j neutron-l3-agent-OUTPUT
  -A POSTROUTING -j neutron-l3-agent-POSTROUTING
  -A POSTROUTING -j neutron-postrouting-bottom
  -A neutron-l3-agent-OUTPUT -d 192.168.1.244/32 -j DNAT --to-destination 192.168.100.12
  -A neutron-l3-agent-OUTPUT -d 192.168.1.242/32 -j DNAT --to-destination 192.168.100.13
  -A neutron-l3-agent-POSTROUTING ! -i qg-46e0fef7-b7 ! -o qg-46e0fef7-b7 -m conntrack ! --ctstate DNAT -j ACCEPT
  -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
  -A neutron-l3-agent-PREROUTING -d 192.168.1.244/32 -j DNAT --to-destination 192.168.100.12
  -A neutron-l3-agent-PREROUTING -d 192.168.1.242/32 -j DNAT --to-destination 192.168.100.13
  -A neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.244
  -A neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
  -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
  -A neutron-l3-agent-snat -o qg-46e0fef7-b7 -j SNAT --to-source 192.168.1.240
  -A neutron-l3-agent-snat -m mark ! --mark 0x2 -m conntrack --ctstate DNAT -j SNAT --to-source 192.168.1.240
  -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat

  
  ------------------------------------Qst:

  If I associate floating ip to instances(192.168.100.0/24), I cannot
  ping the external gateway(192.168.1.1) in intances, but I can ping the
  other pc(192.168.1.99) in the external network. and I can ping the
  floating ip(192.168.1.242) from external network(192.168.1.88).

  I cannot ping the gateway, but if I remove the neutron-l3-agent-float-snat rule, I can ping it:
  ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
  ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.242

  I found the iptables rule changed when I reassociate floating ip.

  the question is why?
  why I must remove the neutron-l3-agent-float-snat rule? I didn't find where's problem... 

  thank you!

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1490984/+subscriptions


References