

[Bug 1720205] [NEW] neutron does not create the necessary iptables rules for l3 and dhcp agents when linuxbridge used

 

Public bug reported:

Version: pike
openstack-neutron-11.0.0-3.el7

Config: according to https://docs.openstack.org/neutron/pike/install/install-rdo.html
ml2 linuxbridge vxlan

neutron creates rules in the neutron-linuxbri-FORWARD chain only for compute
ports; router and dhcp ports are not mentioned at all. So router and
dhcp traffic remains within the host bridge (presumably because the host's
FORWARD chain ends in "-j REJECT --reject-with icmp-host-prohibited", see the
iptables-save output below, so bridged frames on those ports that match no
ACCEPT rule are rejected).

Expected:
neutron creates rules like -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged for all agent ports in the bridge.


# iptables-save 
# Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
*nat
:PREROUTING ACCEPT [23760:1495817]
:INPUT ACCEPT [22739:1402147]
:OUTPUT ACCEPT [1778:116606]
:POSTROUTING ACCEPT [2260:170214]
COMMIT
# Completed on Thu Sep 28 18:16:57 2017
# Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
*mangle
:PREROUTING ACCEPT [922003:1129881715]
:INPUT ACCEPT [906034:1128976690]
:FORWARD ACCEPT [20488:1851370]
:OUTPUT ACCEPT [774093:3908358570]
:POSTROUTING ACCEPT [793969:3910141934]
COMMIT
# Completed on Thu Sep 28 18:16:57 2017
# Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
*raw
:PREROUTING ACCEPT [922261:1129974352]
:OUTPUT ACCEPT [774348:3908396136]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-PREROUTING - [0:0]
-A PREROUTING -j neutron-linuxbri-PREROUTING
-A OUTPUT -j neutron-linuxbri-OUTPUT
COMMIT
# Completed on Thu Sep 28 18:16:57 2017
# Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27196:421070402]
:neutron-filter-top - [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-local - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
-A INPUT -j neutron-linuxbri-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-linuxbri-OUTPUT
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-INPUT -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
# Completed on Thu Sep 28 18:16:57 2017

# brctl show
bridge name     bridge id               STP enabled     interfaces
brq76f218a0-55          8000.1a1da1c5730b       no              tap5015bfe4-c5
                                                        tapa6d0f381-b7
                                                        tapb48c914e-20
                                                        vxlan-1006
brq8856ee40-24          8000.921ccb87ce25       no              tap8d487e05-d8
                                                        vxlan-1043

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1720205

Title:
  neutron does not create the necessary iptables rules for l3 and dhcp
  agents when linuxbridge used

Status in neutron:
  New

Bug description:
  Version: pike
  openstack-neutron-11.0.0-3.el7

  Config: according to https://docs.openstack.org/neutron/pike/install/install-rdo.html
  ml2 linuxbridge vxlan

  neutron creates rules in the neutron-linuxbri-FORWARD chain only for
  compute ports; router and dhcp ports are not mentioned at all. So
  router and dhcp traffic remains within the host bridge (presumably
  because the host's FORWARD chain ends in "-j REJECT --reject-with
  icmp-host-prohibited", see the iptables-save output below, so bridged
  frames on those ports that match no ACCEPT rule are rejected).

  Expected:
  neutron creates rules like -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged for all agent ports in the bridge.

  
  # iptables-save 
  # Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
  *nat
  :PREROUTING ACCEPT [23760:1495817]
  :INPUT ACCEPT [22739:1402147]
  :OUTPUT ACCEPT [1778:116606]
  :POSTROUTING ACCEPT [2260:170214]
  COMMIT
  # Completed on Thu Sep 28 18:16:57 2017
  # Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
  *mangle
  :PREROUTING ACCEPT [922003:1129881715]
  :INPUT ACCEPT [906034:1128976690]
  :FORWARD ACCEPT [20488:1851370]
  :OUTPUT ACCEPT [774093:3908358570]
  :POSTROUTING ACCEPT [793969:3910141934]
  COMMIT
  # Completed on Thu Sep 28 18:16:57 2017
  # Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
  *raw
  :PREROUTING ACCEPT [922261:1129974352]
  :OUTPUT ACCEPT [774348:3908396136]
  :neutron-linuxbri-OUTPUT - [0:0]
  :neutron-linuxbri-PREROUTING - [0:0]
  -A PREROUTING -j neutron-linuxbri-PREROUTING
  -A OUTPUT -j neutron-linuxbri-OUTPUT
  COMMIT
  # Completed on Thu Sep 28 18:16:57 2017
  # Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [27196:421070402]
  :neutron-filter-top - [0:0]
  :neutron-linuxbri-FORWARD - [0:0]
  :neutron-linuxbri-INPUT - [0:0]
  :neutron-linuxbri-OUTPUT - [0:0]
  :neutron-linuxbri-local - [0:0]
  :neutron-linuxbri-sg-chain - [0:0]
  :neutron-linuxbri-sg-fallback - [0:0]
  -A INPUT -j neutron-linuxbri-INPUT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-linuxbri-FORWARD
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-linuxbri-OUTPUT
  -A neutron-filter-top -j neutron-linuxbri-local
  -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-linuxbri-INPUT -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-linuxbri-sg-chain -j ACCEPT
  -A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
  COMMIT
  # Completed on Thu Sep 28 18:16:57 2017

  # brctl show
  bridge name     bridge id               STP enabled     interfaces
  brq76f218a0-55          8000.1a1da1c5730b       no              tap5015bfe4-c5
                                                          tapa6d0f381-b7
                                                          tapb48c914e-20
                                                          vxlan-1006
  brq8856ee40-24          8000.921ccb87ce25       no              tap8d487e05-d8
                                                          vxlan-1043

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1720205/+subscriptions

