firewall rules on DVR FIP fails to work for ingress traffic
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
=====
my env
=====
controller +network node(dvr_snat) + 2 compute nodes(dvr)
DVR: enable DVR when using devstack to deploy this env
FWaaS: manually git clone neutron-fwaas and to configure, using iptables as driver
====
steps
====
1) create net, subnet, boot VM-1 on CN-1, VM-2 on CN-2, create router, and attach subnet onto router.
2) create external network, set as router gateway net, create 2 floating IPs and associate to two VMs.
3) confirm DVR FIP works: fip ns created, iptable rules updated in qrouter ns, two VMs are pingable by floating IP.
floating IP like: 192.168.0.4 and 192.168.0.5
4) create firewall rules, firewall policy and create firewall on router.
firewall rule like:
fw-r1: ICMP, source: 192.168.
fw-r2: ICMP, source: 192.168.
5) confirm firewall rules updated in qrouter ns.
6) on host who has IP like 192.168.0.190, try to ping floating IPs mentioned in step 3.
expected: floating IPs should be pingable (for IP 192.168.0.190 is in 192.168.0.184/29, and two firewall rules allows)
observed: no response, "100% packet loss" from ping command. floating IP fail to ping.
========
more details
========
-------
firewall iptable rules:
-------
-A INPUT -j neutron-
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-
-A neutron-filter-top -j neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-------
DVR FIP nat iptable rules:
-------
1) for 192.168.0.4:
-A PREROUTING -j neutron-
-A OUTPUT -j neutron-
-A POSTROUTING -j neutron-
-A POSTROUTING -j neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
2) for 192.168.0.5:
-A PREROUTING -j neutron-
-A OUTPUT -j neutron-
-A POSTROUTING -j neutron-
-A POSTROUTING -j neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-A neutron-
-------
tcpdump result: (192.168.0.190 ping 192.168.0.4)
-------
1) on fg in fip ns, ingress traffic caught:
fa:16:3e:b3:3e:8c > fa:16:3e:9d:ea:ed, ethertype IPv4 (0x0800), length 98: 192.168.0.190 > 192.168.0.4: ICMP echo request, id 28356, seq 31, length 64
and fg:
40: fg-59c9ce49-3a: <BROADCAST,
link/ether fa:16:3e:9d:ea:ed brd ff:ff:ff:ff:ff:ff
inet 192.168.0.133/24 brd 192.168.0.255 scope global fg-59c9ce49-3a
valid_lft forever preferred_lft forever
inet6 fe80::f816:
valid_lft forever preferred_lft forever
2) on fpr in fip ns, ingress traffic caught:
a2:c4:79:bf:c0:1a > aa:ab:39:2f:ac:df, ethertype IPv4 (0x0800), length 98: 192.168.0.190 > 192.168.0.4: ICMP echo request, id 28356, seq 159, length 64
and fpr:
13: fpr-4bf3186c-d: <BROADCAST,
link/ether a2:c4:79:bf:c0:1a brd ff:ff:ff:ff:ff:ff
inet 169.254.31.143/31 scope global fpr-4bf3186c-d
valid_lft forever preferred_lft forever
inet6 fe80::a0c4:
valid_lft forever preferred_lft forever
and rfp:
10: rfp-4bf3186c-d: <BROADCAST,
link/ether aa:ab:39:2f:ac:df brd ff:ff:ff:ff:ff:ff
inet 169.254.31.142/31 scope global rfp-4bf3186c-d
valid_lft forever preferred_lft forever
inet 192.168.0.4/32 brd 192.168.0.4 scope global rfp-4bf3186c-d
valid_lft forever preferred_lft forever
inet6 fe80::a8ab:
valid_lft forever preferred_lft forever
3) on rfp in qrouter ns, ingress traffic caught:
a2:c4:79:bf:c0:1a > aa:ab:39:2f:ac:df, ethertype IPv4 (0x0800), length 98: 192.168.0.190 > 192.168.0.4: ICMP echo request, id 28356, seq 372, length 64
4) on qr in qrouter ns, no traffic caught :(
========
idea/discuss
========
in my understanding, we have DNAT rules in PREROUTING chain, like:
-A neutron-
will change ingress traffic destination IP from 192.168.
So before firewall rules in FORWARD related chains like:
-A neutron-
-A neutron-
have chance to accept, the ingress traffic has already been changed, and will go to neutron-
an idea is try to move firewall rules into fip ns(but this will raise other potential problems, for firewall rules will no longer be isolated by namespace), I tested this, it can work.
tags: | added: l3-dvr-backlog |
I tested this issue for ingress traffic, not sure whether will happen to egress traffic.