neutron does not create the necessary iptables rules for dhcp agents when linuxbridge is used

Bug #1795432 reported by Candido Campos Rivas
Affects: neutron | Status: Fix Released | Importance: Undecided | Assigned to: Rodolfo Alonso

Bug Description

Reproduction:
Create an environment with controller and compute in different hosts:
 controller:
[root@controller1 ~]# brctl show
bridge name bridge id STP enabled interfaces
brq37841a31-d7 8000.0a7e069299a3 no tap80087b5b-33
       tap94526e09-2c
       vxlan-46
brqbab8fb94-c8 8000.1275449f51ef no eth3
       tap4baecbed-83
       tap8924b588-55
[root@controller1 ~]# ip netns
qrouter-bcb8c407-ab4c-4916-89a5-d1ba8ac786ae (id: 2)
qdhcp-37841a31-d744-4c9f-b084-37cfaafe71ca (id: 1)
qdhcp-bab8fb94-c849-4c6c-ada7-98ec9bc33b87 (id: 0)

 Compute host:

[root@compute1 ~]# brctl show
bridge name bridge id STP enabled interfaces
brq37841a31-d7 8000.5e530dd5073b no tap171ccdb9-66
       vxlan-46
brqbab8fb94-c8 8000.525400fec4c7 no eth3
       tap80b3e489-a6
       tapfec914c0-0e
virbr0 8000.525400ed85d9 yes virbr0-nic
[root@compute1 ~]# virsh list
 Id Name State
----------------------------------------------------
 28 instance-0000002f running
 39 instance-00000044 running
 41 instance-00000047 running

Then, when the DHCP namespace and the VMs are on different hosts, DHCP traffic (in provider and self-service network mode) is dropped in the controller bridge, because there is no rule permitting the DHCP reply to go out of the controller:

Iptables:

-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap94526e09-2c --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap8924b588-55 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT

interfaces:

[root@controller1 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:d6:e9:8f brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:7a:23:a5 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:5f:07:d9 brd ff:ff:ff:ff:ff:ff
28: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:b2:b7:bc brd ff:ff:ff:ff:ff:ff
30: tap4baecbed-83@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether c6:e3:d5:e8:49:78 brd ff:ff:ff:ff:ff:ff link-netnsid 0
31: brqbab8fb94-c8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff
32: tap80087b5b-33@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
    link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 1
33: vxlan-46: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 92:6d:dd:cd:ab:43 brd ff:ff:ff:ff:ff:ff
34: brq37841a31-d7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff
35: tap94526e09-2c@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
    link/ether fe:a4:58:9e:52:2f brd ff:ff:ff:ff:ff:ff link-netnsid 2
36: tap8924b588-55@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
    link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff link-netnsid 2

Only rules for the tap ports.

It is necessary to add rules to permit DHCP traffic between hosts, for example to permit the DHCP ports as dev-in:

-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT

This bug is another scenario of bug:

https://bugs.launchpad.net/neutron/+bug/1720205
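
As an added diagnostic (not Neutron's code and not the patch referenced in this report), the Python snippet below parses iptables-save style rules for the linuxbridge FORWARD chain, flags trusted ports that only have a --physdev-out ACCEPT rule, and emits the --physdev-in counterpart the report says is missing. The chain name, comment string and sample rules are taken from the output quoted above.

```python
import re
from typing import Dict, List, Set

# Added example (not Neutron's code): audit linuxbridge firewall rules, as
# dumped by iptables-save, for trusted ports (e.g. DHCP tap devices) that have
# an egress (--physdev-out) ACCEPT rule but no ingress (--physdev-in) rule.
# Chain and comment string are taken from the rules shown in the bug report.
CHAIN = "neutron-linuxbri-FORWARD"
TRUSTED_COMMENT = "Accept all packets when port is trusted."

RULE_RE = re.compile(
    r'^-A (?P<chain>\S+) -m physdev --physdev-(?P<dir>in|out) (?P<dev>\S+) '
    r'--physdev-is-bridged -m comment --comment "(?P<comment>[^"]*)" -j ACCEPT$'
)

def trusted_port_rules(rules: str) -> Dict[str, Set[str]]:
    """Map tap device -> set of directions ("in"/"out") with a trusted ACCEPT."""
    found: Dict[str, Set[str]] = {}
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m["chain"] == CHAIN and m["comment"] == TRUSTED_COMMENT:
            found.setdefault(m["dev"], set()).add(m["dir"])
    return found

def ports_missing_ingress(rules: str) -> List[str]:
    """Trusted ports whose replies cannot be forwarded out of the bridge."""
    return sorted(dev for dev, dirs in trusted_port_rules(rules).items()
                  if "out" in dirs and "in" not in dirs)

def expected_rules(dev: str) -> List[str]:
    """The egress/ingress pair a trusted port needs (same shape as the report)."""
    return [f'-A {CHAIN} -m physdev --physdev-{d} {dev} --physdev-is-bridged '
            f'-m comment --comment "{TRUSTED_COMMENT}" -j ACCEPT'
            for d in ("out", "in")]

# Constructed sample: the controller1 rules quoted in the bug description.
SAMPLE_RULES = """\
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap94526e09-2c --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap8924b588-55 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
"""

if __name__ == "__main__":
    for dev in ports_missing_ingress(SAMPLE_RULES):
        print(f"{dev}: no --physdev-in rule; expected rules:")
        print("\n".join("  " + r for r in expected_rules(dev)))
```

Run it against `iptables-save` output from the node hosting the qdhcp namespaces; an empty result means every trusted port already has both directions accepted.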

Tags: linuxbridge
Nate Johnston (nate-johnston) wrote :

What kernel version are you running when this happens?

Candido Campos Rivas (ccamposr) wrote :

I am using these versions in my test bed:

OpenStack Queens
[root@controller1 ~]# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)
[root@controller1 ~]# uname -a
Linux controller1 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hi Candido:

Can you check what version of Neutron you are using? This problem should have been solved in [1]. Can you check that your Neutron code has this patch?

[1] https://review.openstack.org/#/c/525607/

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hi Candido:

I think I missed the commit. I'll ping you in IRC tomorrow but can you review [1]? This patch adds egress and ingress forward rules for trusted ports.

Another question: you are talking about VMs and DHCP namespaces being in different hosts, but if I'm not wrong, tap4baecbed-83 and tap80087b5b-33 are in the controller, the same as the DHCP namespace.

[1] https://review.openstack.org/#/c/560075/

Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
Candido Campos Rivas (ccamposr) wrote :

After checking it with Rodolfo's help, I can confirm that it is fixed in the last Queens (13) version.
The fix that solves this issue is:

https://review.openstack.org/#/c/568907/1

Changed in neutron:
status: New → Fix Released
Miguel Lavalle (minsel) wrote : Re: [Bug 1795432] Re: neutron does not create the necessary iptables rules for dhcp agents when linuxbridge is used

Thanks for the update! :-)

On Tue, Nov 20, 2018 at 3:01 AM Candido Campos Rivas <email address hidden> wrote:

> After checking it with Rodolfo's help, I can confirm that it is fixed in the
> last Queens (13) version.
> The fix that solves this issue is:
>
> https://review.openstack.org/#/c/568907/1
