
yahoo-eng-team team mailing list archive

[Bug 1795432] [NEW] neutron does not create the necessary iptables rules for dhcp agents when linuxbridge is used

 

Public bug reported:

Reproduction:
 Create an environment with controller and compute on different hosts:
  controller:
[root@controller1 ~]# brctl show 
bridge name	bridge id		STP enabled	interfaces
brq37841a31-d7		8000.0a7e069299a3	no		tap80087b5b-33
							tap94526e09-2c
							vxlan-46
brqbab8fb94-c8		8000.1275449f51ef	no		eth3
							tap4baecbed-83
							tap8924b588-55
[root@controller1 ~]# ip netns
qrouter-bcb8c407-ab4c-4916-89a5-d1ba8ac786ae (id: 2)
qdhcp-37841a31-d744-4c9f-b084-37cfaafe71ca (id: 1)
qdhcp-bab8fb94-c849-4c6c-ada7-98ec9bc33b87 (id: 0)

 Compute host:

[root@compute1 ~]# brctl show 
bridge name	bridge id		STP enabled	interfaces
brq37841a31-d7		8000.5e530dd5073b	no		tap171ccdb9-66
							vxlan-46
brqbab8fb94-c8		8000.525400fec4c7	no		eth3
							tap80b3e489-a6
							tapfec914c0-0e
virbr0		8000.525400ed85d9	yes		virbr0-nic
[root@compute1 ~]# virsh list 
 Id    Name                           State
----------------------------------------------------
 28    instance-0000002f              running
 39    instance-00000044              running
 41    instance-00000047              running


Then, when the dhcp namespace and the VMs are on different hosts, dhcp traffic (in provider and self-service network mode) is dropped in the controller bridge, because there is no rule permitting the dhcp reply to go out of the controller:

Iptables:

-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap94526e09-2c --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap8924b588-55 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT

interfaces:

[root@controller1 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:d6:e9:8f brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:7a:23:a5 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:5f:07:d9 brd ff:ff:ff:ff:ff:ff
28: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:b2:b7:bc brd ff:ff:ff:ff:ff:ff
30: tap4baecbed-83@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether c6:e3:d5:e8:49:78 brd ff:ff:ff:ff:ff:ff link-netnsid 0
31: brqbab8fb94-c8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff
32: tap80087b5b-33@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
    link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 1
33: vxlan-46: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 92:6d:dd:cd:ab:43 brd ff:ff:ff:ff:ff:ff
34: brq37841a31-d7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff
35: tap94526e09-2c@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
    link/ether fe:a4:58:9e:52:2f brd ff:ff:ff:ff:ff:ff link-netnsid 2
36: tap8924b588-55@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff link-netnsid 2

There are only rules for the tap ports.

It is necessary to add rules to permit dhcp traffic between hosts, for
example, permit the dhcp ports as dev-in:

-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT


This bug is another scenario of bug:

https://bugs.launchpad.net/neutron/+bug/1720205

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: linuxbridge

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1795432
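The check below is an added example by the editor; it is not code from the bug report or from neutron. It re-derives the reporter's two proposed rules from the three command outputs quoted in the report: `ip netns` gives the qdhcp namespace ids, the `link-netnsid` on each tap's `ip link` entry identifies the taps whose veth peer sits in a qdhcp namespace, and the `iptables-save` rules show which physdev directions the neutron-linuxbri-FORWARD chain already accepts. The sample inputs are constructed by trimming the outputs quoted above to the relevant lines; the function names and the assumption that a tap's `link-netnsid` maps to the id `ip netns` prints on the same host are the editor's.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the controller1 outputs quoted in the bug report,
# trimmed to the relevant lines. Not captured live from any host.
IP_NETNS = """\
qrouter-bcb8c407-ab4c-4916-89a5-d1ba8ac786ae (id: 2)
qdhcp-37841a31-d744-4c9f-b084-37cfaafe71ca (id: 1)
qdhcp-bab8fb94-c849-4c6c-ada7-98ec9bc33b87 (id: 0)
"""

IP_LINK = """\
28: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:b2:b7:bc brd ff:ff:ff:ff:ff:ff
30: tap4baecbed-83@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether c6:e3:d5:e8:49:78 brd ff:ff:ff:ff:ff:ff link-netnsid 0
32: tap80087b5b-33@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
    link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 1
35: tap94526e09-2c@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
    link/ether fe:a4:58:9e:52:2f brd ff:ff:ff:ff:ff:ff link-netnsid 2
36: tap8924b588-55@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff link-netnsid 2
"""

IPTABLES_SAVE = """\
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap94526e09-2c --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap8924b588-55 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
"""

CHAIN = "neutron-linuxbri-FORWARD"
COMMENT = "Accept all packets when port is trusted."


def dhcp_ports(ip_netns: str, ip_link: str) -> Set[str]:
    """Host-side tap devices whose veth peer lives in a qdhcp-* namespace.

    Assumption (editor's): the 'link-netnsid N' that `ip link` prints for a
    veth is the same id that `ip netns` prints for the namespace on this
    host, so a tap with link-netnsid 1 is paired into the namespace listed
    as '(id: 1)'.
    """
    dhcp_ids = {m.group(1) for m in
                re.finditer(r"^qdhcp-\S+ \(id: (\d+)\)", ip_netns, re.M)}
    ports: Set[str] = set()
    current = None
    for line in ip_link.splitlines():
        head = re.match(r"^\d+: ([^:@\s]+)", line)
        if head:
            current = head.group(1)          # start of a new interface record
        peer = re.search(r"link-netnsid (\d+)", line)
        if peer and current and peer.group(1) in dhcp_ids:
            ports.add(current)
    return ports


def physdev_directions(rules: str, chain: str = CHAIN) -> Dict[str, Set[str]]:
    """Per bridge port, the physdev directions ('in'/'out') that an ACCEPT
    rule in `chain` of the iptables-save output already covers."""
    seen: Dict[str, Set[str]] = {}
    for line in rules.splitlines():
        if not line.startswith(f"-A {chain} ") or not line.rstrip().endswith("-j ACCEPT"):
            continue
        for direction, port in re.findall(r"--physdev-(in|out) (\S+)", line):
            seen.setdefault(port, set()).add(direction)
    return seen


def missing_ingress_rules(ip_netns: str, ip_link: str, rules: str,
                          chain: str = CHAIN) -> List[str]:
    """DHCP ports accepted only as --physdev-out, rendered as the
    --physdev-in ACCEPT rules the report proposes.

    --physdev-out <tap> covers frames leaving the bridge *into* the DHCP
    namespace (requests). A reply enters the bridge *from* the tap and, when
    the VM is on another host, leaves via vxlan-*/eth*; with no --physdev-in
    rule it falls through to the chain's default and is dropped.
    """
    covered = physdev_directions(rules, chain)
    missing = []
    for port in sorted(dhcp_ports(ip_netns, ip_link)):
        if "in" not in covered.get(port, set()):
            missing.append(f"-A {chain} -m physdev --physdev-in {port} --physdev-is-bridged "
                           f'-m comment --comment "{COMMENT}" -j ACCEPT')
    return missing


if __name__ == "__main__":
    for rule in missing_ingress_rules(IP_NETNS, IP_LINK, IPTABLES_SAVE):
        print(rule)
```

On a live host, feed it the output of `ip netns`, `ip link` and `iptables-save -t filter` from the node running the dhcp agent; the parser accepts both the multi-line and the `ip -o link` one-line format. The generated rule is as broad as the report's proposal (everything entering the bridge from the dhcp port is accepted). A least-privilege variant would add `-p udp --sport 67 --dport 68` so that only IPv4 DHCP server replies match, but the same qdhcp namespace may also serve DNS through dnsmasq and, with isolated metadata enabled, the metadata proxy, so verify those paths before narrowing. Note also that `--physdev-is-bridged` only matches when br_netfilter is loaded and `net.bridge.bridge-nf-call-iptables=1`, which is the reason bridged frames reach the FORWARD chain in the first place.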
