when a port has multiple IP addresses the port cannot communicate
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | Critical | Anton Frolov | |
| Grizzly | Fix Released | Critical | Gary Kotton | |
Bug Description
When a port has multiple IP addresses, the iptables security group implementation drops all the packets from the port. As a result the port cannot communicate.
The following rules are the cause. All IP packets match one of them and are dropped.
0 0 DROP all -- * * !10.0.0.10 0.0.0.0/0
0 0 DROP all -- * * !10.0.0.3 0.0.0.0/0
We need to change the rule to accept packets with one of the addresses.
However, an iptables rule does not support an AND condition with the ! (not) operator,
so we seem to need another chain to check multiple IP addresses. Hmm....
ubuntu@
+------
| ID | Name | Status | Task State | Power State | Networks |
+------
| bfd3cbc9-
+------
ubuntu@
+------
| Field | Value |
+------
| admin_state_up | True |
| device_id | bfd3cbc9-
| device_owner | compute:None |
| fixed_ips | {"subnet_id": "df0395d8-
| | {"subnet_id": "df0395d8-
| id | 3d6b255d-
| mac_address | fa:16:3e:6c:a3:8c |
| name | |
| network_id | 370c8404-
| security_groups | 69de8500-
| status | ACTIVE |
| tenant_id | 86d9d4a34eb5453
+------
Chain quantum-
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC ! FA:16:3E:6C:A3:8C
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 DROP all -- * * !10.0.0.10 0.0.0.0/0
0 0 DROP all -- * * !10.0.0.3 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 quantum-
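The failure described in the report, and the separate-chain approach it suggests, as an added sketch that is not part of the bug report or of Neutron's code: it models the source-address checks for the two addresses in the listing and evaluates them in order. The chain name `port-src-check`, the spoofed address 10.0.0.99 and the simplified rule model (source match only) are assumptions.

```python
import ipaddress

FIXED_IPS = ["10.0.0.10", "10.0.0.3"]  # the two source addresses in the listing
SPOOFED = "10.0.0.99"                  # constructed address, not on the port

def buggy_rules(fixed_ips):
    """One '! -s IP -j DROP' rule per address, as in the reported chain."""
    return [(True, ip, "DROP") for ip in fixed_ips]

def chained_rules(fixed_ips):
    """Separate chain: RETURN on any allowed source, DROP everything else."""
    return [(False, ip, "RETURN") for ip in fixed_ips] + [(False, None, "DROP")]

def evaluate(rules, src):
    """First matching rule decides; falling off the end returns to the caller."""
    src = ipaddress.ip_address(src)
    for negate, ip, target in rules:
        # ip None means no source match, so the rule matches every packet.
        if ip is None or (src == ipaddress.ip_address(ip)) != negate:
            return target
    return "RETURN"

def to_iptables(chain, rules):
    """Render the modelled rules as iptables-save style lines."""
    lines = []
    for negate, ip, target in rules:
        match = "" if ip is None else f"{'! ' if negate else ''}-s {ip} "
        lines.append(f"-A {chain} {match}-j {target}")
    return lines

if __name__ == "__main__":
    for name, rules in (("buggy", buggy_rules(FIXED_IPS)),
                        ("chained", chained_rules(FIXED_IPS))):
        print(name)
        for line in to_iptables("port-src-check", rules):  # hypothetical chain name
            print("  " + line)
        for src in FIXED_IPS + [SPOOFED]:
            print(f"  src {src}: {evaluate(rules, src)}")
```

With a single fixed IP the negated DROP rule behaves as intended, which is why the problem only appears once a port carries a second address.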
Changed in quantum: | |
status: | New → Triaged |
importance: | Undecided → Critical |
tags: | added: grizzly-backport-potential |
Changed in quantum: | |
milestone: | none → havana-2 |
tags: | removed: grizzly-backport-potential |
Changed in neutron: | |
status: | Fix Committed → Fix Released |
tags: | removed: in-stable-grizzly |
Changed in neutron: | |
milestone: | havana-2 → 2013.2 |
Fix proposed to branch: master
Review: https://review.openstack.org/33091