yahoo-eng-team team mailing list archive
Message #75012
[Bug 1795432] [NEW] neutron does not create the necessary iptables rules for dhcp agents when linuxbridge is used
Public bug reported:
Reproduction:
Create an environment with controller and compute on different hosts:
controller:
[root@controller1 ~]# brctl show
bridge name     bridge id           STP enabled     interfaces
brq37841a31-d7  8000.0a7e069299a3   no              tap80087b5b-33
                                                    tap94526e09-2c
                                                    vxlan-46
brqbab8fb94-c8  8000.1275449f51ef   no              eth3
                                                    tap4baecbed-83
                                                    tap8924b588-55
[root@controller1 ~]# ip netns
qrouter-bcb8c407-ab4c-4916-89a5-d1ba8ac786ae (id: 2)
qdhcp-37841a31-d744-4c9f-b084-37cfaafe71ca (id: 1)
qdhcp-bab8fb94-c849-4c6c-ada7-98ec9bc33b87 (id: 0)
Compute host:
[root@compute1 ~]# brctl show
bridge name     bridge id           STP enabled     interfaces
brq37841a31-d7  8000.5e530dd5073b   no              tap171ccdb9-66
                                                    vxlan-46
brqbab8fb94-c8  8000.525400fec4c7   no              eth3
                                                    tap80b3e489-a6
                                                    tapfec914c0-0e
virbr0          8000.525400ed85d9   yes             virbr0-nic
[root@compute1 ~]# virsh list
Id Name State
----------------------------------------------------
28 instance-0000002f running
39 instance-00000044 running
41 instance-00000047 running
Then, when the dhcp namespace and the VMs are on different hosts, dhcp traffic (in both provider and self-service network mode) is dropped in the controller bridge, because there is no rule permitting the dhcp reply to go out of the controller:
Iptables:
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap94526e09-2c --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap8924b588-55 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
interfaces:
[root@controller1 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:d6:e9:8f brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:7a:23:a5 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:5f:07:d9 brd ff:ff:ff:ff:ff:ff
28: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:b2:b7:bc brd ff:ff:ff:ff:ff:ff
30: tap4baecbed-83@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
link/ether c6:e3:d5:e8:49:78 brd ff:ff:ff:ff:ff:ff link-netnsid 0
31: brqbab8fb94-c8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff
32: tap80087b5b-33@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 1
33: vxlan-46: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 92:6d:dd:cd:ab:43 brd ff:ff:ff:ff:ff:ff
34: brq37841a31-d7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff
35: tap94526e09-2c@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
link/ether fe:a4:58:9e:52:2f brd ff:ff:ff:ff:ff:ff link-netnsid 2
36: tap8924b588-55@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff link-netnsid 2
There are only rules for the tap ports as physdev-out.
It is necessary to add rules to permit dhcp traffic between hosts, for
example permitting the dhcp ports as physdev-in:
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
This bug is another scenario of bug:
https://bugs.launchpad.net/neutron/+bug/1720205
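As an added illustration (not part of the bug report and not Neutron's own code), the following script shows how an operator can check an `iptables-save` dump for exactly the gap described above: a DHCP port that has a `--physdev-out` ACCEPT in neutron-linuxbri-FORWARD but no matching `--physdev-in` ACCEPT, so replies leaving the host through eth3 or the vxlan port are dropped. The sample rules are the ones quoted in the report; the DHCP port list is an assumption taken from the report's own suggested rules (tap4baecbed-83 and tap80087b5b-33 are the taps whose link-netnsid points at the qdhcp namespaces), and the rule text it renders is the form the reporter proposes.

```python
import re
from collections import defaultdict

# Constructed sample: the neutron-linuxbri-FORWARD rules quoted in the bug
# report, as they would appear in `iptables-save` output on the controller.
SAMPLE_RULES = """\
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap94526e09-2c --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap8924b588-55 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
"""

# Assumption: the DHCP ports on the controller, i.e. the tap devices whose
# peer sits in a qdhcp-* namespace (link-netnsid 0 and 1 in the report's
# `ip link` output). A real tool would discover them from `ip netns` /
# `ip link` or the Neutron port list rather than hard-coding them.
DHCP_PORTS = ["tap4baecbed-83", "tap80087b5b-33"]

# One iptables-save line: chain, physdev direction, device and final target.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+).*?-m physdev --physdev-(?P<dir>in|out) (?P<dev>\S+)"
    r".*?-j (?P<target>\S+)\s*$"
)


def parse_physdev_accepts(rules_text, chain="neutron-linuxbri-FORWARD"):
    """Map device -> set of physdev directions ('in'/'out') that have an
    ACCEPT rule in `chain`. Lines without a physdev match are ignored."""
    accepts = defaultdict(set)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("chain") == chain and m.group("target") == "ACCEPT":
            accepts[m.group("dev")].add(m.group("dir"))
    return dict(accepts)


def missing_dhcp_rules(rules_text, dhcp_ports):
    """Return the DHCP ports that have no --physdev-in ACCEPT: traffic
    entering the bridge from those ports (the DHCP replies) is not allowed
    to be forwarded out to the other hosts."""
    accepts = parse_physdev_accepts(rules_text)
    return [p for p in dhcp_ports if "in" not in accepts.get(p, set())]


def suggested_rules(ports):
    """Render, for each port, the physdev-in ACCEPT rule in the form the
    report proposes (same comment text as the existing physdev-out rules)."""
    return [
        f"-A neutron-linuxbri-FORWARD -m physdev --physdev-in {p} "
        f"--physdev-is-bridged -m comment "
        f'--comment "Accept all packets when port is trusted." -j ACCEPT'
        for p in ports
    ]


if __name__ == "__main__":
    # On a live host replace SAMPLE_RULES with the output of `iptables-save`.
    missing = missing_dhcp_rules(SAMPLE_RULES, DHCP_PORTS)
    if not missing:
        print("all DHCP ports have physdev-in ACCEPT rules")
    for rule in suggested_rules(missing):
        print("missing:", rule)
```

Run against the sample it reports both DHCP ports as missing a physdev-in rule; feeding it the dump plus the two rules the reporter suggests reports nothing. The rendered rule is the blanket "trusted port" ACCEPT the report uses; an operator who wants a narrower fix can keep the same physdev-in match and restrict it to the DHCP server traffic (UDP source port 67) instead of accepting everything from the port.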
** Affects: neutron
Importance: Undecided
Status: New
** Tags: linuxbridge
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1795432
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1795432/+subscriptions