With software simple gateway and default security group, ping on floating IP is working only on local compute node

Bug #1736972 reported by Sorin Toderica on 2017-12-07
This bug affects 2 people
Affects            Status                   Importance   Assigned to         Milestone
Juniper Openstack  Status tracked in Trunk
  R3.2             Fix Committed            High         Hari Prasad Killi
  R4.0             Won't Fix                High         Nagendra E S
  R4.1             Fix Committed            Undecided    Nagendra E S
  R5.0             Fix Committed            Undecided    Nagendra E S
  Trunk            Fix Committed            Undecided    Nagendra E S

Bug Description

I'm using OpenContrail 3.2.6.0 and Openstack 2.3.1 (Mitaka).
The problem is also reproducing with 3.2.8.0 and Openstack Newton.

I have a default setup with 2 compute nodes, and installed a software simple gateway on one compute node. I also have only the default security group and two VMs created in one virtual network. I also have a public network for floating IPs. The VMs are placed on different compute nodes and each VM uses its own floating IP.
I'm able to ping only the floating IP of the VM that is running on the compute node where the vgw was installed.
The ping to the floating IP of the second VM is discarded on the second compute node, with "Flow Action Drop" as the reason shown by the dropstats command.

One flow is present from that ping between a PC and the VM, but the action of the flow is D(SG) - discard due to security group.

We have a workaround for this bug. Go into the security group and change the IPV4 Ingress rule, which has "default" (the default security group) set as Address, to 0.0.0.0/0, and the ping starts to work.

Sorin Toderica (stoderica) wrote :

Seems that with the default security group rules the normal behavior is that ping to floating IPs will not work. New rules need to be added to enable this (for the public subnet), or "default" has to be changed to 0.0.0.0/0 in the default security group IPV4 ingress rule.
So the bug is in fact that FIPs are pingable by default for VMs running on the vgw compute node.

Also the security group and FIP will not work correctly at all on that particular compute node.
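The comment above turns on how a Neutron-style security group decides what reaches a VM behind a floating IP, and why "default" as the remote address is not the same thing as 0.0.0.0/0. The following is an added example, not code from the bug report or from the Contrail agent: it models the ingress evaluation (remote-group rule versus CIDR rule), the observed bug (traffic arriving on the vgw compute node bypassing the check, toggled by the hypothetical enforce_on_vgw flag), the 0.0.0.0/0 workaround, and a narrower ICMP-only alternative. The addresses, group contents and the via_vgw packet attribute are constructed for the example; the flow action strings mirror the "pass"/"D(SG)" wording of the report.

```python
# Added example (not Contrail/Neutron code): a model of security-group ingress
# evaluation for traffic that reaches a VM through a floating IP.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ICMP, TCP = 1, 6


@dataclass(frozen=True)
class Rule:
    """One security-group rule; exactly one of remote_prefix / remote_group is set."""
    direction: str                        # "ingress" or "egress"
    protocol: Optional[int] = None        # IP protocol number, None = any
    port: Optional[int] = None            # destination port, None = any
    remote_prefix: Optional[str] = None   # CIDR the source address must fall in
    remote_group: Optional[str] = None    # security group the source must belong to


@dataclass
class SecurityGroup:
    name: str
    rules: list
    members: frozenset   # fixed IPs of the ports attached to this group


@dataclass(frozen=True)
class Packet:
    src: str                   # source as seen after floating-IP DNAT
    dst: str                   # VM fixed IP
    proto: int
    dport: Optional[int] = None
    via_vgw: bool = False      # hypothetical: entered this node on the vgw interface


def rule_matches(rule: Rule, pkt: Packet, groups: dict) -> bool:
    if rule.direction != "ingress":
        return False
    if rule.protocol is not None and rule.protocol != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.dport:
        return False
    if rule.remote_prefix is not None:
        return ip_address(pkt.src) in ip_network(rule.remote_prefix)
    if rule.remote_group is not None:
        # A remote-group rule admits only sources that are ports of that group.
        # An external host pinging a floating IP is never a member, so the stock
        # "default" rule leaves it out; that is the intended default behaviour.
        return pkt.src in groups[rule.remote_group].members
    return False


def sg_action(pkt: Packet, sg: SecurityGroup, groups: dict,
              enforce_on_vgw: bool = True) -> str:
    """Return the flow action: "pass" or "D(SG)" (dropped by security group).

    enforce_on_vgw=False reproduces what the report observed: packets entering
    the vgw compute node were not subjected to the security-group check at all.
    """
    if pkt.via_vgw and not enforce_on_vgw:
        return "pass"   # the reported bug: the vgw node skipped the SG check
    allowed = any(rule_matches(r, pkt, groups) for r in sg.rules)
    return "pass" if allowed else "D(SG)"


# Constructed sample topology: two VMs in "default", one external host.
VM_A, VM_B = "10.1.1.3", "10.1.1.4"
EXTERNAL = "203.0.113.10"

DEFAULT_RULE = Rule("ingress", remote_group="default")                 # stock rule
WORKAROUND_RULE = Rule("ingress", remote_prefix="0.0.0.0/0")            # workaround from the report
ICMP_ONLY_RULE = Rule("ingress", protocol=ICMP, remote_prefix="0.0.0.0/0")  # narrower alternative


def make_groups(ingress_rule: Rule) -> dict:
    sg = SecurityGroup("default",
                       [ingress_rule, Rule("egress", remote_prefix="0.0.0.0/0")],
                       frozenset({VM_A, VM_B}))
    return {"default": sg}


def scenario(ingress_rule: Rule, pkt: Packet, enforce_on_vgw: bool = True) -> str:
    groups = make_groups(ingress_rule)
    return sg_action(pkt, groups["default"], groups, enforce_on_vgw)


if __name__ == "__main__":
    ping_a = Packet(EXTERNAL, VM_A, ICMP, via_vgw=True)       # VM on the vgw node
    ping_b = Packet(EXTERNAL, VM_B, ICMP)                     # VM on the other node
    ssh_a = Packet(EXTERNAL, VM_A, TCP, dport=22, via_vgw=True)
    print("bug, default rule, ping VM_A:", scenario(DEFAULT_RULE, ping_a, enforce_on_vgw=False))
    print("bug, default rule, ping VM_B:", scenario(DEFAULT_RULE, ping_b, enforce_on_vgw=False))
    print("fixed, default rule, ping VM_A:", scenario(DEFAULT_RULE, ping_a))
    print("workaround, ssh VM_A:", scenario(WORKAROUND_RULE, ssh_a))
    print("icmp-only, ping VM_A:", scenario(ICMP_ONLY_RULE, ping_a), " ssh VM_A:", scenario(ICMP_ONLY_RULE, ssh_a))
```

The point the model makes: with the stock rule the external ping must be dropped on both nodes, and the only reason it passed on one node was the missing check; the 0.0.0.0/0 workaround restores symmetry by opening every protocol and port to the whole Internet, whereas a protocol-scoped rule admits just the ping.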

Review in progress for https://review.opencontrail.org/38460
Submitter: Sorin Toderica (<email address hidden>)

Reviewed: https://review.opencontrail.org/38460
Committed: http://github.com/Juniper/contrail-controller/commit/a4071328fbbf96f2974ee847aa8b108a910a027e
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit a4071328fbbf96f2974ee847aa8b108a910a027e
Author: Sorin Toderica <email address hidden>
Date: Tue Dec 19 09:01:49 2017 -0500

If I install a software simple gateway (vgw) on a compute node and create in one virtual network 2 virtual machines, each of them with default security group and attach a floating IP to each of those 2 VMs I can ping by default the VM which runs on the compute node where the vgw was installed but cannot ping the VM which is running on the second compute node.
The normal behavior should be that by default (as long as in the security default rule the ingress rule uses the default security group as "Address" instead of 0.0.0.0/0) the ping on floating IPs should not work.
Code needs to be added to treat the special case of the vgw interface - which is an interface of type INET and sub-type SIMPLE_GATEWAY. After these changes the security group rules will be respected for floating IPs on both compute nodes.

Change-Id: If8d43bfb7c580e47445054f97380bd3c4df7a0ea
Closes-Bug: #1736972

Jeba Paulaiyan (jebap) on 2018-03-13
tags: added: vrouter
tags: added: contrail-control
removed: vrouter
Sachin Bansal (sbansal) on 2018-03-19
Changed in opencontrail:
assignee: nobody → Hari Prasad Killi (haripk)
Nagendra E S (esnagendra) wrote :

needs commit from r3.2 to other branches.

Changed in opencontrail:
assignee: Hari Prasad Killi (haripk) → Nagendra E S (esnagendra)

Review in progress for https://review.opencontrail.org/44838
Submitter: Nagendra E S (<email address hidden>)

Reviewed: https://review.opencontrail.org/44838
Committed: http://github.com/Juniper/contrail-controller/commit/9cec5ddfbf58ea4d13b0648bed3763575ad48574
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 9cec5ddfbf58ea4d13b0648bed3763575ad48574
Author: Nagendra E S <email address hidden>
Date: Fri Jul 6 10:44:17 2018 +0530

If I install a software simple gateway (vgw) on a compute
node and create in one virtual network 2 virtual machines,
each of them with default security group and attach a
floating IP to each of those 2 VMs I can ping by default
the VM which runs on the compute node where the vgw was
installed but cannot ping the VM which is running on the
second compute node.
The normal behavior should be that by default (as long
as in the security default rule the ingress rule uses
the default security group as "Address" instead of
0.0.0.0/0) the ping on floating IPs should not work.
Code needs to be added to treat the special case of the
vgw interface - which is an interface of type INET and
sub-type SIMPLE_GATEWAY. After these changes the security
group rules will be respected for floating IPs on both
compute nodes.

Cherry-Pick from review:
https://review.opencontrail.org/#/c/38460/

Change-Id: If05f3b61471a95f6b123be7f86ff2cdbb9d011eb
Partial-Bug: #1736972

Review in progress for https://review.opencontrail.org/44884
Submitter: Nagendra E S (<email address hidden>)

Reviewed: https://review.opencontrail.org/44884
Committed: http://github.com/Juniper/contrail-controller/commit/108c0419335556cfbf531ea5f4a0ef9f49dc78e5
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 108c0419335556cfbf531ea5f4a0ef9f49dc78e5
Author: Nagendra E S <email address hidden>
Date: Fri Jul 6 10:44:17 2018 +0530

If I install a software simple gateway (vgw) on a compute
node and create in one virtual network 2 virtual machines,
each of them with default security group and attach a
floating IP to each of those 2 VMs I can ping by default
the VM which runs on the compute node where the vgw was
installed but cannot ping the VM which is running on the
second compute node.
The normal behavior should be that by default (as long
as in the security default rule the ingress rule uses
the default security group as "Address" instead of
0.0.0.0/0) the ping on floating IPs should not work.
Code needs to be added to treat the special case of the
vgw interface - which is an interface of type INET and
sub-type SIMPLE_GATEWAY. After these changes the security
group rules will be respected for floating IPs on both
compute nodes.

Cherry-Pick from review:
https://review.opencontrail.org/#/c/38460/

Change-Id: If05f3b61471a95f6b123be7f86ff2cdbb9d011eb
Partial-Bug: #1736972
(cherry picked from commit 9cec5ddfbf58ea4d13b0648bed3763575ad48574)

Review in progress for https://review.opencontrail.org/45521
Submitter: Nagendra E S (<email address hidden>)

Changed in opencontrail:
status: New → Won't Fix
no longer affects: opencontrail

Reviewed: https://review.opencontrail.org/45521
Committed: http://github.com/Juniper/contrail-controller/commit/f32b4d5b78c00f323b240126f8f9487408476f1e
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit f32b4d5b78c00f323b240126f8f9487408476f1e
Author: Nagendra E S <email address hidden>
Date: Fri Aug 3 18:46:37 2018 +0530

If I install a software simple gateway (vgw) on a compute
node and create in one virtual network 2 virtual machines,
each of them with default security group and attach a
floating IP to each of those 2 VMs I can ping by default
the VM which runs on the compute node where the vgw was
installed but cannot ping the VM which is running on the
second compute node.
The normal behavior should be that by default (as long
as in the security default rule the ingress rule uses
the default security group as "Address" instead of
0.0.0.0/0) the ping on floating IPs should not work.
Code needs to be added to treat the special case of the
vgw interface - which is an interface of type INET and
sub-type SIMPLE_GATEWAY. After these changes the security
group rules will be respected for floating IPs on both
compute nodes.

Cherry-Pick from review:
https://review.opencontrail.org/#/c/38460/

Change-Id: I417897106f2bad039f74826200bb8c877c89b1a7
Partial-Bug: #1736972
