
yahoo-eng-team team mailing list archive

[Bug 1635219] [NEW] Linux Bridge - Multiple Interfaces - Iptables Rules


Public bug reported:

Hello,

we are trying to have multiple IPv4 and IPv6 addresses on the same Nova
instance.

We are using IPv6 router aggregation, so if we want multiple IPv6
addresses we need multiple interfaces. Also we had the problem that DHCP
from Network Manager only works with one IP, so each IPv4 address also
needs its own interface. That's the reason why we decided to add a new
network interface for each IPv4/IPv6 pair.

But there is one problem: the Linux OS adds multiple default routes with
different metrics. So if you send a packet from a non-main IP address,
the packet leaves the server on the main interface. So only the
first IP is working. And this is limited by iptables in OpenStack.

Neutron creates the following rules for each interface:

Chain neutron-linuxbri-sdb819e32-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       10.67.1.45           0.0.0.0/0            MAC FA:16:3E:EA:3D:EA /* Allow traffic from defined IP/MAC pairs. */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Drop traffic without an IP/MAC allow rule. */

Each interface only allows its own IP. But to make this work, each IP
from each interface must be whitelisted. Disabling iptables is also no
option because we need this kind of protection.

Is there any chance to configure this in Neutron? Or is there a better
solution to have multiple IPs with Linux Bridge?

Regards,
Alexander

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: iptables linuxbridge

** Tags added: linuxbridge
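An added example, not part of the bug report or of Neutron's code: a small Python audit that parses an `iptables -L -v -n` style chain listing like the one above and reports which source IP/MAC pairs an interface's chain would drop. The sample chain is constructed from the listing in the report; the second instance address (10.67.1.46) is hypothetical.

```python
import re

# Constructed sample modelled on the chain listing in the bug report.
SAMPLE_CHAIN = """\
Chain neutron-linuxbri-sdb819e32-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       10.67.1.45           0.0.0.0/0            MAC FA:16:3E:EA:3D:EA /* Allow traffic from defined IP/MAC pairs. */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Drop traffic without an IP/MAC allow rule. */
"""

# Columns: pkts bytes target prot opt in out source destination [MAC xx:..]
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+MAC\s+(?P<mac>[0-9A-Fa-f:]{17}))?"
)

def parse_chain(text):
    """Return (allowed {(ip, MAC)}, has_default_drop) for one chain listing."""
    allowed, default_drop = set(), False
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Chain ..." and column-header lines
        if m["target"] == "RETURN" and m["mac"]:
            allowed.add((m["src"], m["mac"].upper()))
        elif m["target"] == "DROP" and m["src"] == "0.0.0.0/0":
            default_drop = True
    return allowed, default_drop

def audit(text, expected_pairs):
    """List the (ip, mac) pairs that this chain would drop on egress."""
    allowed, default_drop = parse_chain(text)
    if not default_drop:
        return []  # no catch-all DROP, so nothing is silently dropped
    return sorted(p for p in expected_pairs if (p[0], p[1].upper()) not in allowed)

if __name__ == "__main__":
    # The report's symptom: both instance IPs leave via the main interface
    # (its MAC), but only the first IP has an allow rule. Second IP is hypothetical.
    main_mac = "fa:16:3e:ea:3d:ea"
    wanted = {("10.67.1.45", main_mac), ("10.67.1.46", main_mac)}
    for ip, mac in audit(SAMPLE_CHAIN, wanted):
        print(f"would be dropped: {ip} from {mac}")
```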

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1635219


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1635219/+subscriptions
