yahoo-eng-team team mailing list archive

[Bug 1635219] Re: Linux Bridge - Multiple Interfaces - Iptables Rules

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1635219

Title:
  Linux Bridge - Multiple Interfaces - Iptables Rules

Status in neutron:
  Expired

Bug description:
  Hello,

  we are trying to have multiple IPv4 and IPv6 addresses on the same
  Nova instance.

  We are using IPv6 SLAAC with an external router so if we want multiple
  IPv6 addresses we need multiple interfaces. We want to configure
  everything using DHCP which also means one IP per interface. So, we
  decided to add a new network interface for each IPv4/IPv6 pair.

  This works very well so far, NetworkManager reacts to hotplug events
  and configures the new interfaces. This also means that we have one
  default route per interface with incrementing metrics, with the first
  interface having the lowest metric (as it should).

  Now, if you send a packet to one of the other interfaces, the response
  packet takes the default route and is blocked by the security group
  which restricts each interface to an IP/MAC pair.

  Neutron creates the following rule for each interface:

  Chain neutron-linuxbri-sdb819e32-1 (1 references)
   pkts bytes target  prot opt in  out  source      destination
      0     0 RETURN  all  --  *   *    10.67.1.45  0.0.0.0/0    MAC FA:16:3E:EA:3D:EA /* Allow traffic from defined IP/MAC pairs. */
      0     0 DROP    all  --  *   *    0.0.0.0/0   0.0.0.0/0    /* Drop traffic without an IP/MAC allow rule. */

  Is there any chance to configure this with Neutron? Or is there a
  better solution to have multiple IPs with provider networks?

  Dead-ends: (?)

  - we need provider networks, so we cannot use floating IPs
  - we cannot assign IPv6 prefixes since Neutron only supports external routers with RA + SLAAC
  - assigning multiple IPs to one interface would work, but not in combination with DHCP (manual configuration)

  Regards,
  Alexander

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1635219/+subscriptions
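
Added example, not part of the bug report and not Neutron's code: a small Python model of the behaviour described above, where the guest picks the lowest-metric default route and the per-port chain only returns for that port's own IP/MAC pair. The interface names, the metrics and the second port's IP/MAC are constructed; the source-routed variant is a hypothetical guest-side setup shown only for contrast.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """One Neutron port as the per-port IP/MAC chain sees it."""
    name: str    # guest interface name (constructed)
    ip: str      # fixed IP allocated to the port
    mac: str     # MAC address of the port
    metric: int  # metric of the default route the guest installed for this NIC


# First pair is the one in the chain listing above; the rest is constructed.
PORTS = [
    Port("eth0", "10.67.1.45", "FA:16:3E:EA:3D:EA", 100),
    Port("eth1", "10.67.1.46", "FA:16:3E:00:00:02", 101),
]


def egress_port(ports):
    """Guest routing: one default route per NIC, lowest metric wins."""
    return min(ports, key=lambda p: p.metric)


def spoof_chain(port, src_ip, src_mac):
    """RETURN only for the port's own IP/MAC pair, otherwise DROP."""
    if src_ip == port.ip and src_mac.upper() == port.mac.upper():
        return "RETURN"
    return "DROP"


def reply_verdict(ports, addressed_to):
    """Verdict for the reply to a packet sent to addressed_to's IP."""
    out = egress_port(ports)
    # The reply keeps the requested IP as its source address, but the
    # frame leaves through `out` and therefore carries out's MAC.
    return out.name, spoof_chain(out, addressed_to.ip, out.mac)


def reply_verdict_source_routed(addressed_to):
    """Hypothetical: guest routes by source address, reply leaves its own NIC."""
    return addressed_to.name, spoof_chain(
        addressed_to, addressed_to.ip, addressed_to.mac)


if __name__ == "__main__":
    for p in PORTS:
        print(p.ip, "default route:", reply_verdict(PORTS, p),
              "source routed:", reply_verdict_source_routed(p))
```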

