yahoo-eng-team team mailing list archive
Message #90174
[Bug 1995614] [NEW] floating ip portforwarding from external not working
Public bug reported:
We are running neutron victoria 17.4.1. The floating ip port forwarding
extension doesn't seem to work with external traffic.
After debugging it looks like the neutron port forwarding extension
doesn't create a necessary iptables rule responsible for setting the
0x4000000/0xffff0000 mark.
(public ip addresses replaced with *.*.*.)
Reproduction:
`openstack floating ip port forwarding create --internal-ip-address 10.0.0.227 --port dfba05b5-31ba-466b-80d9-79df7e053e7f --internal-protocol-port 80 --external-protocol-port 80 --protocol tcp *.*.*.172`
We see a created dnat rule:
Chain neutron-l3-agent-pf-b6eaee1f (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 *.*.*.172 tcp dpt:80 to:10.0.0.227:80
But there is no rule in the mangle table that sets the required mark
to pass the DROP rule inside the neutron-l3-agent-scope chain.
Supporting this suspicion is the fact that port forwarding from the internal network of the VM works. Those packets are received by the qr interface of the router before hitting the DROP rule.
This is the mangle rule which seems to work for internal traffic:
Chain neutron-l3-agent-scope (1 references)
pkts bytes target prot opt in out source destination
75895 11M MARK all -- qr-61cfbe6d-89 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x4000000/0xffff0000
If I see this correctly, the port forwarding extension needs to create a mangle chain/rule like all other floating ips get. Example floating ip chain:
Chain neutron-l3-agent-floatingip (1 references)
pkts bytes target prot opt in out source destination
42728 4400K MARK all -- * * 0.0.0.0/0 *.*.*.89 MARK xset 0x4000000/0xffff0000
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1995614
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1995614/+subscriptions
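As an added illustration (not part of the bug report and not neutron's own code), the script below checks an `iptables-save` dump of a router namespace for exactly the asymmetry the report describes: an external address that is DNATed in the nat table (a port forwarding chain or a plain floating IP) but has no per-destination rule in the mangle table setting the 0x4000000/0xffff0000 mark. The sample dump is constructed from the chains quoted in the report, with the masked public addresses replaced by TEST-NET-3 placeholders; the `neutron-l3-agent-PREROUTING` wrapper chain and the plain floating-IP DNAT rule are assumptions about the surrounding ruleset. `suggested_mark_rule` emits the rule shaped like the floating-IP one the reporter points at; that is the reporter's hypothesis, not a confirmed fix.

```python
import re
from typing import Dict, List, Set, Tuple

# Floating-IP mark named in the report (value/mask as iptables prints it).
FIP_MARK = "0x4000000/0xffff0000"

# Constructed sample in iptables-save format, modelled on the chains quoted
# in the report. 203.0.113.x are TEST-NET-3 placeholders for the masked
# public addresses; the neutron-l3-agent-PREROUTING wrapper chain and the
# plain floating-IP DNAT rule are assumptions about the surrounding rules.
# A real dump comes from:  ip netns exec qrouter-<router-id> iptables-save
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-floatingip - [0:0]
:neutron-l3-agent-scope - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope
-A neutron-l3-agent-PREROUTING -j neutron-l3-agent-floatingip
-A neutron-l3-agent-floatingip -d 203.0.113.89/32 -j MARK --set-xmark 0x4000000/0xffff0000
-A neutron-l3-agent-scope -i qr-61cfbe6d-89 -j MARK --set-xmark 0x4000000/0xffff0000
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-pf-b6eaee1f - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A neutron-l3-agent-PREROUTING -j neutron-l3-agent-pf-b6eaee1f
-A neutron-l3-agent-PREROUTING -d 203.0.113.89/32 -j DNAT --to-destination 10.0.0.89
-A neutron-l3-agent-pf-b6eaee1f -d 203.0.113.172/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.227:80
COMMIT
"""

_RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*)$")
_DST_RE = re.compile(r"(?:^| )-d (?P<dst>[0-9.]+)(?:/(?P<plen>\d+))?(?= |$)")


def parse_tables(dump: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {table: [(chain, rule_body), ...]} from iptables-save text."""
    tables: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *mangle
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            m = _RULE_RE.match(line)
            if m:
                tables[current].append((m.group("chain"), m.group("body")))
    return tables


def _host_destination(body: str):
    """Host (/32) destination a rule matches on, or None if it matches wider."""
    m = _DST_RE.search(body)
    if not m or m.group("plen") not in (None, "32"):
        return None
    return m.group("dst")


def dnat_targets(tables) -> Dict[str, Set[str]]:
    """External addresses DNATed in the nat table -> chains doing the DNAT."""
    out: Dict[str, Set[str]] = {}
    for chain, body in tables.get("nat", []):
        if "-j DNAT" not in body:
            continue
        dst = _host_destination(body)
        if dst:
            out.setdefault(dst, set()).add(chain)
    return out


def marked_destinations(tables) -> Set[str]:
    """Addresses that get the floating-IP mark by destination in mangle.
    Interface-based marks (the qr-* rule in neutron-l3-agent-scope) are
    ignored on purpose: they cover VM-originated traffic, not packets
    arriving from outside, which is the case the report is about."""
    marked = set()
    for _chain, body in tables.get("mangle", []):
        if f"--set-xmark {FIP_MARK}" in body:
            dst = _host_destination(body)
            if dst:
                marked.add(dst)
    return marked


def unmarked_dnat_targets(dump: str) -> Dict[str, Set[str]]:
    """DNATed external addresses with no per-destination mark rule."""
    tables = parse_tables(dump)
    marked = marked_destinations(tables)
    return {dst: chains for dst, chains in dnat_targets(tables).items()
            if dst not in marked}


def suggested_mark_rule(dst: str) -> str:
    """Rule shaped like the one normal floating IPs get (reporter's
    hypothesis about what is missing, not a confirmed neutron fix)."""
    return f"-A neutron-l3-agent-floatingip -d {dst}/32 -j MARK --set-xmark {FIP_MARK}"


if __name__ == "__main__":
    for dst, chains in sorted(unmarked_dnat_targets(SAMPLE_DUMP).items()):
        print(f"{dst}: DNAT in {', '.join(sorted(chains))} but no mark rule")
        print("  candidate:", suggested_mark_rule(dst))
```

Run against the sample, only 203.0.113.172 (the port-forwarding address) is reported; 203.0.113.89 is DNATed too but carries the mark rule in `neutron-l3-agent-floatingip`, which is the contrast the report draws. Against a live router, feed the output of `ip netns exec qrouter-<router-id> iptables-save` instead of the sample.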