
yahoo-eng-team team mailing list archive

[Bug 1774341] [NEW] dvr fip doesn't work on centos 7.5

 

Public bug reported:

Fip in dvr mode worked well on centos 7.4.
But I found fip in dvr mode on centos 7.5 didn't work.

If a router is in centralized mode, fip works well even on centos 7.5.
But if a router is in distributed mode, fip didn't work.

I found packets from outside were passed through from the fip namespace to
the qrouter namespace on the compute node, and packets were found on the rfp
interface, but not on the qr interface. I think iptables probably
doesn't perform DNAT.


==== Kernel parameters
# sysctl -p
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.ip_forward = 1

==== iptables of qrouter namespace (Fixed IP: 192.168.101.16, Floating-IP: 222.222.222.222)
# ip netns exec qrouter-1a76dc2f-9c5d-43b6-9c58-e8d09d36ddde iptables -nL -t nat
(omitted)
Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            222.222.222.222        to:192.168.101.16
REDIRECT   tcp  --  0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  192.168.101.16       0.0.0.0/0            to:222.222.222.222
(omitted)

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1774341

Title:
  dvr fip doesn't work on centos 7.5

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1774341/+subscriptions
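
Added example, not part of the original bug report: one way to test the reporter's suspicion that the DNAT rule is not being applied is to compare the rule's packet counter before and after sending new connections to the floating IP. The two listings are constructed samples and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.
# Real input: ip netns exec qrouter-<router-id> \
#     iptables -t nat -nvxL neutron-l3-agent-PREROUTING
# (-v adds the pkts/bytes columns, -x prints exact counter values.)
# The nat table is consulted only for the first packet of a connection, so
# the counter rises once per new flow, not once per packet.

# Constructed snapshots; counter values are made up for illustration.
SNAP_A='Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       all  --  *      *       0.0.0.0/0            222.222.222.222      to:192.168.101.16
       7      420 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697'
SNAP_B='Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       4      240 DNAT       all  --  *      *       0.0.0.0/0            222.222.222.222      to:192.168.101.16
       7      420 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697'

# Read a listing on stdin and print the packet counter of the DNAT rule whose
# destination is floating IP $1. Exit status 1 if no such rule is listed.
dnat_pkts() {
    awk -v fip="$1" '$3 == "DNAT" && $9 == fip { print $1; found = 1; exit }
                     END { exit !found }'
}

# Compare two listings ($2 = earlier, $3 = later) for floating IP $1.
# Returns 0 if the counter increased, 1 if it did not, 2 if the rule is missing.
dnat_hit() {
    fip=$1
    before=$(printf '%s\n' "$2" | dnat_pkts "$fip") || return 2
    after=$(printf '%s\n' "$3" | dnat_pkts "$fip") || return 2
    [ "$after" -gt "$before" ]
}

# Demo on the constructed snapshots.
if dnat_hit 222.222.222.222 "$SNAP_A" "$SNAP_B"; then
    echo "A -> B: DNAT rule matched new flows"
fi
if ! dnat_hit 222.222.222.222 "$SNAP_A" "$SNAP_A"; then
    echo "A -> A: counter unchanged, rule was not matched"
fi
```

A counter that stays flat while traffic is visible on the rfp interface shows that packets are not matching the rule; it does not by itself say why.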

