tripleo

GRE firewall rule is incorrect

Bug #1644360 reported by Brent Eagles on 2016-11-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Critical	Brent Eagles	tripleo ocata-2 "ocata-2"

Bug Description

GRE tenant networks do not work with the current firewall rule.
From https://bugzilla.redhat.com/show_bug.cgi?id=1397964:

controller nodes have following iptables rule for allowing gre tunneling for Neutron:
-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT

But gre doesn't support conntrack which means this rule won't get matched and all GRE packets coming to controller nodes are rejected. Including DHCP discoveries, so impact is that instances never get IP.

The iptables rule shouldn't use -m state and allow all GRE packets.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.1.0-3.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. Deploy OSP 10 with director
2. Create GRE tenant network
3. Boot instance on GRE network

Actual results:
Instance won't get IP address because GRE packets on controllers are dropped

Tags:

Brent Eagles (beagles) on 2016-11-23

Changed in tripleo:
status:	New → Confirmed
importance:	Undecided → Critical
assignee:	nobody → Brent Eagles (beagles)

Brent Eagles (beagles) on 2016-11-23

tags:

added: newton-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-23: Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/401461

Changed in tripleo:
status:	Confirmed → In Progress

Brent Eagles (beagles) on 2016-11-24

Changed in tripleo:
milestone:	none → ocata-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-25: Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/401461
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=688a79c6c68422c0f873074370b1bbc87c6d1007
Submitter: Jenkins
Branch: master

commit 688a79c6c68422c0f873074370b1bbc87c6d1007
Author: Brent Eagles <email address hidden>
Date: Wed Nov 23 18:59:58 2016 -0330

Do not configure state matching when using GRE

    The firewall rule quite reasonably sets up a default state matching rule
    but this is invalid for GRE. This patch conditionally adds the state
    matching if the protocol is not GRE.

Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-25: Fix proposed to puppet-tripleo (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/402709

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-25: Fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/402709
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=0626631cf0619110b71ce23b843d431bcc46124e
Submitter: Jenkins
Branch: stable/newton

commit 0626631cf0619110b71ce23b843d431bcc46124e
Author: Brent Eagles <email address hidden>
Date: Wed Nov 23 18:59:58 2016 -0330

Do not configure state matching when using GRE

    The firewall rule quite reasonably sets up a default state matching rule
    but this is invalid for GRE. This patch conditionally adds the state
    matching if the protocol is not GRE.

    Closes-Bug: #1644360
    Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
    (cherry picked from commit 688a79c6c68422c0f873074370b1bbc87c6d1007)