Instance bound to a floating IP cannot ping the external gateway, but I can ping the other PC in the external network

Bug #1490984 reported by greatbsky
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

An instance (192.168.100.0/24) bound to a floating IP cannot ping the external gateway (192.168.1.1); if I disassociate the floating IP, I can ping the gateway (192.168.1.1).

I deployed OpenStack all on one physical compute host, following the guide: http://docs.openstack.org/kilo/install-guide/install/yum/content/ch_networking.html

Nova is installed on compute1, and compute1 is the hypervisor.
[root@compute1 ~]# virsh list
 Id Name State
----------------------------------------------------
 5 IaaS_openstack_controller_centos7.0 running
 6 IaaS_openstack_network_centos7.0 running
 7 IaaS_openstack_block1_centos7.0 running
 38 instance-0000000f running
 39 instance-0000000e running

Neutron has been installed in IaaS_openstack_network_centos7.0.

------------------init the neutron network:
[root@controller keystone]# neutron net-create ext-net --router:external --provider:physical_network external --provider:network_type flat
[root@controller keystone]# neutron subnet-create ext-net 192.168.1.0/24 --name ext-subnet --allocation-pool start=192.168.1.240,end=192.168.1.250 --disable-dhcp --gateway 192.168.1.1
[root@controller keystone]# neutron net-create demo-net
[root@controller keystone]# neutron subnet-create demo-net 192.168.100.0/24 --name demo-subnet --gateway 192.168.100.1
[root@controller keystone]# neutron router-create demo-router
[root@controller keystone]# neutron router-interface-add demo-router demo-subnet
[root@controller keystone]# neutron router-gateway-set demo-router ext-net

------------------@network
[root@network ~]# neutron agent-list
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id | agent_type | host | alive | admin_state_up | binary |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 0923f4c3-8f0a-4468-b239-011117942c32 | L3 agent | compute1 | xxx | True | neutron-l3-agent |
| 1ce168ed-4d96-4c41-8bbd-6a9da22b3d24 | DHCP agent | controller | xxx | True | neutron-dhcp-agent |
| 276d38c8-d2b7-4799-b1ee-849738a1dd44 | Metadata agent | compute1 | xxx | True | neutron-metadata-agent |
| 565ed14a-bfde-4258-9df3-9a7819394410 | Metadata agent | network | :-) | True | neutron-metadata-agent |
| a8cfbb25-7323-4e6a-b29f-8c16c0e6e5ef | DHCP agent | compute1 | xxx | True | neutron-dhcp-agent |
| bd81321b-888c-42ca-bf40-fe921f19a23c | DHCP agent | network | :-) | True | neutron-dhcp-agent |
| c7313ecd-0715-4a62-9b4c-19f1c4f364fc | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent |
| cdf31fd6-143d-4104-8b75-e378da2b11fd | L3 agent | network | :-) | True | neutron-l3-agent |
| ee2821f0-57f7-4cb0-85d4-a34a203ddb57 | Metadata agent | controller | xxx | True | neutron-metadata-agent |
| f47e9e85-b7ee-4dcf-979a-7353c1e5b4b5 | Open vSwitch agent | network | :-) | True | neutron-openvswitch-agent |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
[root@network ~]# ip netns list
qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870
qdhcp-c2ba1db5-1ce2-4e35-8ac5-31691b930156
[root@network ~]# ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
10: qr-346be01a-09: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:f8:d1:e7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global qr-346be01a-09
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fef8:d1e7/64 scope link
       valid_lft forever preferred_lft forever
11: qg-46e0fef7-b7: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:4a:87:c3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.240/24 brd 192.168.1.255 scope global qg-46e0fef7-b7
       valid_lft forever preferred_lft forever
    inet 192.168.1.244/32 brd 192.168.1.244 scope global qg-46e0fef7-b7
       valid_lft forever preferred_lft forever
    inet 192.168.1.242/32 brd 192.168.1.242 scope global qg-46e0fef7-b7
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe4a:87c3/64 scope link
       valid_lft forever preferred_lft forever
[root@network ~]# ip netns exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 qg-46e0fef7-b7
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-46e0fef7-b7
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-346be01a-09

[root@network ~]# ip netns exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 192.168.1.244/32 -j DNAT --to-destination 192.168.100.12
-A neutron-l3-agent-OUTPUT -d 192.168.1.242/32 -j DNAT --to-destination 192.168.100.13
-A neutron-l3-agent-POSTROUTING ! -i qg-46e0fef7-b7 ! -o qg-46e0fef7-b7 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.168.1.244/32 -j DNAT --to-destination 192.168.100.12
-A neutron-l3-agent-PREROUTING -d 192.168.1.242/32 -j DNAT --to-destination 192.168.100.13
-A neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.244
-A neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-46e0fef7-b7 -j SNAT --to-source 192.168.1.240
-A neutron-l3-agent-snat -m mark ! --mark 0x2 -m conntrack --ctstate DNAT -j SNAT --to-source 192.168.1.240
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat

------------------------------------Qst:

If I associate a floating IP with the instances (192.168.100.0/24), I cannot ping the external gateway (192.168.1.1) in the instances, but I can ping the other PC (192.168.1.99) in the external network, and I can ping the floating IP (192.168.1.242) from the external network (192.168.1.88).

I cannot ping the gateway, but if I remove the neutron-l3-agent-float-snat rule, I can ping it:
ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.242

I found that the iptables rule changed when I reassociated the floating IP.

The question is why?
Why must I remove the neutron-l3-agent-float-snat rule? I didn't find where the problem is...

thank you!
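
An added example (not part of the original report, and not Neutron code): a minimal evaluator for the POSTROUTING-side rules listed above that computes which source address an instance's outbound packet leaves the router namespace with. The function names and the packet model (a new flow entering on qr-346be01a-09 and leaving on qg-46e0fef7-b7) are assumptions, and only the -s/-i/-o/--ctstate matches are modelled.

```python
import ipaddress
import shlex

# POSTROUTING-side rules copied from the report's `iptables -t nat -S` output.
RULES = """\
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-46e0fef7-b7 ! -o qg-46e0fef7-b7 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.244
-A neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-46e0fef7-b7 -j SNAT --to-source 192.168.1.240
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat
"""

def parse(text):
    chains = {}  # chain name -> ordered rules; -P and -N lines are skipped
    for line in (l for l in text.splitlines() if l.startswith("-A ")):
        tok, rule, neg = shlex.split(line), {"match": []}, False
        for i, t in enumerate(tok):
            if t in ("-s", "-i", "-o", "--ctstate"):
                rule["match"].append((t, tok[i + 1], neg))
            elif t in ("-j", "--to-source"):
                rule[t] = tok[i + 1]
            neg = t == "!"  # "!" negates the option that follows it
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    for opt, val, neg in rule["match"]:
        hit = (ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(val)
               if opt == "-s" else pkt[opt] == val)
        if hit == neg:  # a negated match must miss, a plain match must hit
            return False
    return True

def walk(chains, pkt, chain="POSTROUTING"):
    # SNAT address, the unchanged source on ACCEPT, or None when the chain falls through
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            if rule["-j"] in ("SNAT", "ACCEPT"):
                return rule.get("--to-source", pkt["-s"])
            found = walk(chains, pkt, rule["-j"])
            if found:
                return found
    return None

def egress_source(text, src):  # assumes a new flow routed qr- -> qg-
    pkt = {"-s": src, "-i": "qr-346be01a-09", "-o": "qg-46e0fef7-b7", "--ctstate": "NEW"}
    return walk(parse(text), pkt) or src
```

For 192.168.100.13 this returns 192.168.1.242 with the rules as listed, and 192.168.1.240 once the two `neutron-l3-agent-float-snat -s ...` entries are dropped, which is the change the `iptables -D` commands above make to the instance's egress traffic.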

Hong Hui Xiao (xiaohhui) wrote :

I don't know what the problem is in your env, but in my env a VM with a floating IP can ping the gateway.

[root@xhh157 images]# ip netns exec qrouter-2bf026d1-8b3f-4e39-9020-3f1827af2ae0 bash
[root@xhh157 images]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
34: ha-9f7b947d-76: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:35:0a:09 brd ff:ff:ff:ff:ff:ff
    inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-9f7b947d-76
       valid_lft forever preferred_lft forever
    inet 169.254.0.1/24 scope global ha-9f7b947d-76
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe35:a09/64 scope link
       valid_lft forever preferred_lft forever
35: qg-af992b33-62: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:4c:d7:47 brd ff:ff:ff:ff:ff:ff
    inet 10.11.2.100/22 scope global qg-af992b33-62
       valid_lft forever preferred_lft forever
    inet 10.11.2.101/32 scope global qg-af992b33-62
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe4c:d747/64 scope link
       valid_lft forever preferred_lft forever
37: qr-aedbad3a-a4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:7f:4f:ae brd ff:ff:ff:ff:ff:ff
    inet 100.0.0.1/24 scope global qr-aedbad3a-a4
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe7f:4fae/64 scope link
       valid_lft forever preferred_lft forever

[root@xhh157 images]# ssh cirros@100.0.0.7
The authenticity of host '100.0.0.7 (100.0.0.7)' can't be established.
RSA key fingerprint is 0b:e4:ec:4e:bb:f5:06:96:94:c5:08:08:6b:3c:8b:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '100.0.0.7' (RSA) to the list of known hosts.
cirros@100.0.0.7's password:
$ ping 10.11.2.100
PING 10.11.2.100 (10.11.2.100): 56 data bytes
64 bytes from 10.11.2.100: seq=0 ttl=64 time=4.606 ms
64 bytes from 10.11.2.100: seq=1 ttl=64 time=2.548 ms
64 bytes from 10.11.2.100: seq=2 ttl=64 time=2.552 ms
64 bytes from 10.11.2.100: seq=3 ttl=64 time=1.942 ms
64 bytes from 10.11.2.100: seq=4 ttl=64 time=7.961 ms

greatbsky (greatbsky) wrote :

If I remove the neutron-l3-agent-float-snat rule, I can ping the gateway:
ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.13/32 -j SNAT --to-source 192.168.1.242
ip net exec qrouter-f40f72af-a964-4fc4-9d6e-2912d3666870 iptables -t nat -D neutron-l3-agent-float-snat -s 192.168.100.12/32 -j SNAT --to-source 192.168.1.242

But why?

Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 240 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
status: New → Incomplete
greatbsky (greatbsky) wrote :

Mitaka has no problems, so fixed.

Changed in neutron:
status: Incomplete → Fix Released