
yahoo-eng-team team mailing list archive

[Bug 1720205] Re: neutron does not create the necessary iptables rules for l3 and dhcp agents when linuxbridge used


Reviewed:  https://review.openstack.org/525607
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=97b30494a9263db684e5901113b53c25e55d1854
Submitter: Zuul
Branch:    master

commit 97b30494a9263db684e5901113b53c25e55d1854
Author: Sławek Kapłoński <slawek@xxxxxxxxxxxx>
Date:   Tue Dec 5 14:37:50 2017 +0100

    Iptables firewall driver adds forward rules for trusted ports
    
    Iptables firewall driver can now process trusted ports and
    adds rules for them to the FORWARD chain.
    
    Change-Id: I67d0f17b4b56671fc2e2dd6e2fc4518dc42cd131
    Closes-Bug: #1720205


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1720205

Title:
  neutron does not create the necessary iptables rules for l3 and dhcp
  agents when linuxbridge used

Status in neutron:
  Fix Released

Bug description:
  Version: pike
  openstack-neutron-11.0.0-3.el7

  Config: according to https://docs.openstack.org/neutron/pike/install/install-rdo.html
  ml2 linuxbridge vxlan

  neutron creates rules in the neutron-linuxbri-FORWARD chain only for
  compute ports, but router and dhcp ports have no mention at all. So
  router and dhcp traffic remains within the host bridge.

  Expected:
  neutron creates rules like -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged for all agent ports in the bridge.

  
  # iptables-save 
  # Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
  *nat
  :PREROUTING ACCEPT [23760:1495817]
  :INPUT ACCEPT [22739:1402147]
  :OUTPUT ACCEPT [1778:116606]
  :POSTROUTING ACCEPT [2260:170214]
  COMMIT
  # Completed on Thu Sep 28 18:16:57 2017
  # Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
  *mangle
  :PREROUTING ACCEPT [922003:1129881715]
  :INPUT ACCEPT [906034:1128976690]
  :FORWARD ACCEPT [20488:1851370]
  :OUTPUT ACCEPT [774093:3908358570]
  :POSTROUTING ACCEPT [793969:3910141934]
  COMMIT
  # Completed on Thu Sep 28 18:16:57 2017
  # Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
  *raw
  :PREROUTING ACCEPT [922261:1129974352]
  :OUTPUT ACCEPT [774348:3908396136]
  :neutron-linuxbri-OUTPUT - [0:0]
  :neutron-linuxbri-PREROUTING - [0:0]
  -A PREROUTING -j neutron-linuxbri-PREROUTING
  -A OUTPUT -j neutron-linuxbri-OUTPUT
  COMMIT
  # Completed on Thu Sep 28 18:16:57 2017
  # Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [27196:421070402]
  :neutron-filter-top - [0:0]
  :neutron-linuxbri-FORWARD - [0:0]
  :neutron-linuxbri-INPUT - [0:0]
  :neutron-linuxbri-OUTPUT - [0:0]
  :neutron-linuxbri-local - [0:0]
  :neutron-linuxbri-sg-chain - [0:0]
  :neutron-linuxbri-sg-fallback - [0:0]
  -A INPUT -j neutron-linuxbri-INPUT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-linuxbri-FORWARD
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-linuxbri-OUTPUT
  -A neutron-filter-top -j neutron-linuxbri-local
  -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-linuxbri-INPUT -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
  -A neutron-linuxbri-sg-chain -j ACCEPT
  -A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
  COMMIT
  # Completed on Thu Sep 28 18:16:57 2017

  # brctl show
  bridge name     bridge id               STP enabled     interfaces
  brq76f218a0-55          8000.1a1da1c5730b       no              tap5015bfe4-c5
                                                          tapa6d0f381-b7
                                                          tapb48c914e-20
                                                          vxlan-1006
  brq8856ee40-24          8000.921ccb87ce25       no              tap8d487e05-d8
                                                          vxlan-1043

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1720205/+subscriptions
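One way to audit a host for the gap this report describes, as an added example that is not part of the bug report or of Neutron's own code: compare the member interfaces of each `brq*` bridge (from `brctl show`) with the interfaces named in physdev rules of the `neutron-linuxbri-FORWARD` chain (from `iptables-save`), and list the tap ports that have no such rules. The sample input is constructed and modelled on the dump above; the code assumes that interfaces named `tap*` are Neutron ports (the `vxlan-*` tunnel legs are skipped) and treats a port as covered only when both a `--physdev-in` and a `--physdev-out` rule exist, mirroring the rule pair the dump shows for the compute port.

```python
"""Audit which Linux-bridge ports lack physdev rules in neutron-linuxbri-FORWARD.

Constructed example (not Neutron code): parses `iptables-save` and `brctl show`
text and reports tap ports that have no FORWARD-chain physdev rules, which is
the symptom described in bug 1720205 for router and DHCP agent ports.
"""
import re
from collections import defaultdict

CHAIN = "neutron-linuxbri-FORWARD"
PHYSDEV_RE = re.compile(r"--physdev-(in|out)\s+(\S+)")

# Constructed sample input modelled on the bug report's dump: only the compute
# port tapb48c914e-20 has physdev rules; the other tap ports have none.
IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:neutron-linuxbri-FORWARD - [0:0]
-A FORWARD -j neutron-linuxbri-FORWARD
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
COMMIT
"""

BRCTL_SHOW = """\
bridge name     bridge id               STP enabled     interfaces
brq76f218a0-55          8000.1a1da1c5730b       no              tap5015bfe4-c5
                                                        tapa6d0f381-b7
                                                        tapb48c914e-20
                                                        vxlan-1006
brq8856ee40-24          8000.921ccb87ce25       no              tap8d487e05-d8
                                                        vxlan-1043
"""


def parse_brctl_show(text):
    """Map each bridge to its member interfaces.

    `brctl show` prints the first interface on the bridge's own line and any
    further interfaces on indented continuation lines.
    """
    bridges = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("bridge name"):
            continue
        if line[0].isspace():            # continuation line: one more interface
            if current is not None:
                bridges[current].append(line.strip())
        else:                            # bridge line: name, id, STP, first interface
            fields = line.split()
            current = fields[0]
            bridges[current] = fields[3:]
    return bridges


def physdev_forward_rules(text, chain=CHAIN):
    """Map interface -> {'in', 'out'} directions matched by physdev rules in `chain`."""
    coverage = defaultdict(set)
    in_filter = False
    for line in text.splitlines():
        if line.startswith("*"):          # table header, e.g. *filter
            in_filter = line.strip() == "*filter"
            continue
        if in_filter and line.startswith("-A %s " % chain):
            for direction, dev in PHYSDEV_RE.findall(line):
                coverage[dev].add(direction)
    return dict(coverage)


def unprotected_bridge_ports(iptables_text, brctl_text, port_prefix="tap"):
    """Return {bridge: [ports]} for tap ports missing an in or out physdev rule.

    Assumption: interfaces named tap* are Neutron ports; vxlan-* tunnel legs
    are not ports and are skipped. A port counts as covered only when both
    --physdev-in and --physdev-out rules exist, mirroring the rule pair the
    report's dump shows for the compute port.
    """
    coverage = physdev_forward_rules(iptables_text)
    missing = {}
    for bridge, ifaces in parse_brctl_show(brctl_text).items():
        gaps = sorted(
            dev for dev in ifaces
            if dev.startswith(port_prefix) and coverage.get(dev, set()) != {"in", "out"}
        )
        if gaps:
            missing[bridge] = gaps
    return missing


if __name__ == "__main__":
    for bridge, ports in unprotected_bridge_ports(IPTABLES_SAVE, BRCTL_SHOW).items():
        print("%s: no physdev FORWARD rules for %s" % (bridge, ", ".join(ports)))
```

On a real host, feed the output of `iptables-save` and `brctl show` to `unprotected_bridge_ports`; with the fix from the commit above applied, router and DHCP tap ports should no longer appear in the result, leaving only ports that genuinely have no FORWARD rules.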