Pinging a floating ip from an instance without floating can fail

Bug #1122335 reported by Vish Ishaya
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Vish Ishaya

Bug Description

This is a fairly complicated networking problem that can happen when using an external gateway with fixed and floating ips on different interfaces that have no natting in between.

Basically it works as follows:

If you ping a floating ip from an instance with only a fixed ip, the traffic will be sent to the default gateway. If the default gateway has a route to the floating ip, it will then be sent to the host of the instance with the floating ip. Unfortunately the source address will be on the fixed network, which will cause the receiving host to drop the packet due to rp_filter. Essentially, the route for the fixed range is on a different interface, so the kernel assumes the packet is spoofed and drops it.

In order for this scenario to work properly, it is necessary to snat packets on the source host that are going to the floating range.

Changed in nova:
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21689

Changed in nova:
assignee: nobody → Vish Ishaya (vishvananda)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/21689
Committed: http://github.com/openstack/nova/commit/d0c8f8a061125d6e4c3dce8f7f0741ff57a014b8
Submitter: Jenkins
Branch: master

commit d0c8f8a061125d6e4c3dce8f7f0741ff57a014b8
Author: Vishvananda Ishaya <email address hidden>
Date: Mon Feb 11 12:08:35 2013 -0800

    Allow fixed to float ping with external gateway.

    If you ping a floating ip from an instance with only a fixed ip, the
    traffic will be sent to the default gateway. If the default gateway has
    a route to the floating ip, it will then be sent to the host of the
    instance with the floating ip. The source address will be on the fixed
    network, so if the floating addresses are on a different network, the
    receiving host will drop the packet due to the default rp_filter.
    Essentially, the route for the fixed range is on a different interface
    so the kernel assumes the packet is spoofed and drops it.

    In order to fix this issue this patch adds a new config option called
    force_snat_range. Traffic that originates in fixed_range and has a
    destination in force_snat_range will always be routed. This forces
    the packet to hit the fallback floating rule and be snatted to
    routing_source_ip. This means the traffic will originate from the
    proper network and the packet will make it through.

    DocImpact

    Fixes bug 1122335

    Change-Id: I7e31c25d37a5c4fd02c8238aec58a28af3fd7f6a
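
The drop and the fix described in this report, as an added example that is not part of the bug report or of nova's code: a simplified model of the receiving host's reverse-path check and of the source host's SNAT decision. The addresses and the interface names (br100, eth1) are constructed assumptions; only fixed_range, force_snat_range and routing_source_ip are names from the commit message.

```python
import ipaddress as ip

# Constructed addressing (assumptions, not values from the bug report).
FIXED_RANGE = ip.ip_network("10.0.0.0/24")          # fixed_range
FORCE_SNAT_RANGE = ip.ip_network("172.24.4.0/24")   # force_snat_range (floating)
ROUTING_SOURCE_IP = ip.ip_address("172.24.4.1")     # routing_source_ip on source host

# Receiving host's routing table as (prefix, interface); names are hypothetical.
ROUTES = [
    (FIXED_RANGE, "br100"),                  # fixed network
    (FORCE_SNAT_RANGE, "eth1"),              # floating network
    (ip.ip_network("0.0.0.0/0"), "eth1"),    # default route via external gateway
]

def route_iface(addr):
    """Longest-prefix match: interface the host would use to reach addr."""
    matches = [(net, dev) for net, dev in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def rp_filter_accepts(src, in_iface, mode=1):
    """Model of net.ipv4.conf.*.rp_filter: 0 = off, 1 = strict, 2 = loose."""
    if mode == 0:
        return True
    if mode == 2:
        return any(src in net for net, _ in ROUTES)
    # Strict: the best route back to the source must use the arrival interface.
    return route_iface(src) == in_iface

def snat_on_source_host(src, dst):
    """Model of the fix: fixed_range -> force_snat_range leaves as routing_source_ip."""
    if src in FIXED_RANGE and dst in FORCE_SNAT_RANGE:
        return ROUTING_SOURCE_IP
    return src

def ping_delivered(src, dst, snat, in_iface="eth1"):
    """True if the receiving host's strict rp_filter lets the echo request in."""
    wire_src = snat_on_source_host(src, dst) if snat else src
    return rp_filter_accepts(wire_src, in_iface)

if __name__ == "__main__":
    vm = ip.ip_address("10.0.0.5")        # instance with only a fixed ip
    flt = ip.ip_address("172.24.4.10")    # floating ip hosted elsewhere
    print("without SNAT:", ping_delivered(vm, flt, snat=False))
    print("with SNAT:   ", ping_delivered(vm, flt, snat=True))
```

The SNAT approach leaves strict reverse-path filtering enabled on the receiving host, so its anti-spoofing check stays in place.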

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1