Fuel for OpenStack

In multirack environment its impossible to create 3 nated networks with connectivity to each other

Bug #1578277 reported by Sergey Yudin on 2016-05-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Confirmed	Medium	Fuel QA Team	Fuel for OpenStack 10.0

Bug Description

This set of filter rules being created by 2 nated networks.

-A FORWARD -d 10.0.13.0/24 -o fuelbr18200 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.13.0/24 -i fuelbr18200 -j ACCEPT
-A FORWARD -i fuelbr18200 -o fuelbr18200 -j ACCEPT
-A FORWARD -o fuelbr18200 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i fuelbr18200 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.0.14.0/24 -o fuelbr18201 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.14.0/24 -i fuelbr18201 -j ACCEPT
-A FORWARD -i fuelbr18201 -o fuelbr18201 -j ACCEPT
-A FORWARD -o fuelbr18201 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i fuelbr18201 -j REJECT --reject-with icmp-port-unreachable

In this configuration connectivity from .14.0/24 to 13.0/24 will never work because traffic will be blocked by
-A FORWARD -o fuelbr18200 -j REJECT --reject-with icmp-port-unreachable

e.g. packet from 10.0.14.3 inport fuelbr18201 to 10.0.13.3 outport fuelbr18200 will be rejected.

Tags:

Oleksiy Molchanov (omolchanov) on 2016-05-05

Changed in fuel:
milestone:	none → 10.0
assignee:	nobody → Fuel DevOps (fuel-devops)
importance:	Undecided → Medium
status:	New → Confirmed

Revision history for this message

Andrey Nikitin (heos) wrote on 2016-05-05:

Looks like this bug is related to fuel-devops developed by Fuel QA Team.

Changed in fuel:
assignee:	Fuel DevOps (fuel-devops) → Fuel QA Team (fuel-qa)
status:	Confirmed → New

Revision history for this message

Artem Panchenko (apanchenko-8) wrote on 2016-05-05:

It's known limitation, traffic to NATed networks can't be routed, see libvirt docs [0]:

[forward]
[nat]
...
"Inbound connections from other networks are all prohibited; all connections between guests on the same network, and to/from the host to the guests, are unrestricted and not NATed"

If you want to create networks for multirack environment, please use 'route' forward mode. In case you need to provide Internet access via such networks, you should manually add custom iptables rules for SNAT.

[0] https://libvirt.org/formatnetwork.html#elementsMetadata

Changed in fuel:
status:	New → Won't Fix
tags:	added: area-qa

Revision history for this message

Sergey Yudin (tsipa740) wrote on 2016-05-05:

If thats known limitation of libvirt than don't use libvirt or use custom rules.

This prevents us from testing multirack environments with controllers located in different racks.

Sergii Golovatiuk (sgolovatiuk) on 2016-05-06

Changed in fuel:
assignee:	Fuel QA Team (fuel-qa) → Aleksandr Didenko (adidenko)
status:	Won't Fix → Confirmed

Aleksandr Didenko (adidenko) on 2016-05-11

Changed in fuel:
assignee:	Aleksandr Didenko (adidenko) → Fuel QA Team (fuel-qa)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.