GRE firewall rule is incorrect
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tripleo |
Fix Released
|
High
|
Brent Eagles | ||
Bug Description
GRE tenant networks do not work with the current firewall rule.
From https:/
controller nodes have following iptables rule for allowing gre tunneling for Neutron:
-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT
But gre doesn't support conntrack which means this rule won't get matched and all GRE packets coming to controller nodes are rejected. Including DHCP discoveries, so impact is that instances never get IP.
The iptables rule shouldn't use -m state and allow all GRE packets.
Version-Release number of selected component (if applicable):
openstack-
How reproducible:
Always
Steps to Reproduce:
1. Deploy OSP 10 with director
2. Create GRE tenant network
3. Boot instance on GRE network
Actual results:
Instance won't get IP address because GRE packets on controllers are dropped
| Brent Eagles (beagles) wrote | #1 |
| Changed in tripleo: | |
| status: | New → Fix Committed |
| importance: | Undecided → High |
| assignee: | nobody → Brent Eagles (beagles) |
| milestone: | none → ocata-3 |
| Changed in tripleo: | |
| status: | Fix Committed → Fix Released |
This was fixed by https:/