R4.1 Gwless forwarding: Without explicit policy, ping to compute node ip (ip fabric) is successful

Bug #1799130 reported by Ankit Jain
This bug affects 1 person
Project: Juniper Openstack (status tracked in Trunk)

Affects   Status   Importance   Assigned to           Milestone
R4.1      New      High         Pranavadatta DN
R5.0      New      High         Sivakumar Ganapathy
Trunk     New      High         Pranavadatta DN

Bug Description

This bug is the same as https://bugs.launchpad.net/juniperopenstack/+bug/1716837

This scenario is applicable only for a local VM (i.e. the VM is spawned on the same compute node)

Bug :

Without policy, VMs in different flat VNs should not communicate with each other when IP Fabric VN is configured as provider network for the VNs

Build
------
R4.1.0.0 Build 42 Ubuntu 14.04.5 Mitaka

Steps
Configure Flat subnet IPAM, where IPAM belongs to IP Fabric network
Configure 2 VNs (VN1, VN2) with above Flat subnet IPAM
Configure IP Fabric VN as provider network for these VNs
Now, without policy between these VNs, VMs in VN1 are able to reach VMs in VN2. This is incorrect.

Please see the log below:

root@nodek11:~# contrail-version
Package Version Build-ID | Repo | Package Name
-------------------------------------- ------------------------------ ----------------------------------
contrail-lib 4.1.0.0-42 42
contrail-nodemgr 4.1.0.0-42 42
contrail-setup 4.1.0.0-42 42
contrail-utils 4.1.0.0-42 42
contrail-vrouter-agent 4.1.0.0-42 42
contrail-vrouter-common 4.1.0.0-42 42
contrail-vrouter-dkms 4.1.0.0-42 42
contrail-vrouter-init 4.1.0.0-42 42
contrail-vrouter-utils 4.1.0.0-42 42
nova-common 2:13.0.0-0ubuntu2~cloud0.1contrail1 42
nova-compute 2:13.0.0-0ubuntu2~cloud0.1contrail1 42
nova-compute-kvm 2:13.0.0-0ubuntu2~cloud0.1contrail1 42
nova-compute-libvirt 2:13.0.0-0ubuntu2~cloud0.1contrail1 42
python-contrail 4.1.0.0-42 42
python-contrail-vrouter-api 4.1.0.0-42 42
python-neutronclient 1:4.1.1-2~cloud0.2contrail 42
python-nova 2:13.0.0-0ubuntu2~cloud0.1contrail1 42
python-opencontrail-vrouter-netns 4.1.0.0-42 42
root@nodek11:~# vif --list
Vrouter Interface Table

Flags: P=Policy, X=Cross Connect, S=Service Chain, Mr=Receive Mirror
       Mt=Transmit Mirror, Tc=Transmit Checksum Offload, L3=Layer 3, L2=Layer 2
       D=DHCP, Vp=Vhost Physical, Pr=Promiscuous, Vnt=Native Vlan Tagged
       Mnp=No MAC Proxy, Dpdk=DPDK PMD Interface, Rfl=Receive Filtering Offload, Mon=Interface is Monitored
       Uuf=Unknown Unicast Flood, Vof=VLAN insert/strip offload, Df=Drop New Flows, L=MAC Learning Enabled
       Proxy=MAC Requests Proxied Always, Er=Etree Root

vif0/0 OS: em1 (Speed 1000, Duplex 1)
            Type:Physical HWaddr:0c:c4:7a:32:0a:88 IPaddr:0.0.0.0
            Vrf:0 Flags:L3L2VpEr QOS:-1 Ref:7
            RX packets:164954 bytes:23395605 errors:89
            TX packets:48611 bytes:44845210 errors:0
            Drops:3437

vif0/1 OS: vhost0
            Type:Host HWaddr:0c:c4:7a:32:0a:88 IPaddr:10.204.216.231
            Vrf:0 Flags:PL3DEr QOS:-1 Ref:7
            RX packets:43587 bytes:44299116 errors:0
            TX packets:159088 bytes:18025803 errors:0
            Drops:1

vif0/2 OS: pkt0
            Type:Agent HWaddr:00:00:5e:00:01:00 IPaddr:0.0.0.0
            Vrf:65535 Flags:L3Er QOS:-1 Ref:3
            RX packets:8574 bytes:1209274 errors:0
            TX packets:95035 bytes:10194874 errors:0
            Drops:0

vif0/3 OS: tap04a66d44-d9
            Type:Virtual HWaddr:00:00:5e:00:01:00 IPaddr:10.204.218.151
            Vrf:0 Flags:PL3DProxyEr QOS:-1 Ref:5
            RX packets:9963 bytes:995070 errors:0
            TX packets:10536 bytes:5754968 errors:0
            Drops:3231

vif0/4 OS: tape1a87bbf-81
            Type:Virtual HWaddr:00:00:5e:00:01:00 IPaddr:10.204.218.153
            Vrf:0 Flags:PL3DProxyEr QOS:-1 Ref:5
            RX packets:5689 bytes:556969 errors:0
            TX packets:3392 bytes:358007 errors:0
            Drops:3077

vif0/4350 OS: pkt3
            Type:Stats HWaddr:00:00:00:00:00:00 IPaddr:0.0.0.0
            Vrf:65535 Flags:L3L2 QOS:0 Ref:1
            RX packets:0 bytes:0 errors:0
            TX packets:0 bytes:0 errors:0
            Drops:0

vif0/4351 OS: pkt1
            Type:Stats HWaddr:00:00:00:00:00:00 IPaddr:0.0.0.0
            Vrf:65535 Flags:L3L2 QOS:0 Ref:1
            RX packets:0 bytes:0 errors:0
            TX packets:0 bytes:0 errors:0
            Drops:0

root@nodek11:~#

root@nodek11:~# rt --dump 2 | grep 10.204.218.151
10.204.218.151/32 32 P - 22 -
root@nodek11:~#
root@nodek11:~# nh --get 22
Id:22 Type:Encap Fmly: AF_INET Rid:0 Ref_cnt:5 Vrf:0
              Flags:Valid, Policy, Etree Root,
              EncapFmly:0806 Oif:3 Len:14
              Encap Data: 02 04 a6 6d 44 d9 00 00 5e 00 01 00 08 00

root@nodek11:~# rt --dump 3 | grep 10.204.218.153
10.204.218.153/32 32 P - 29 -
root@nodek11:~# nh --get 29
Id:29 Type:Encap Fmly: AF_INET Rid:0 Ref_cnt:5 Vrf:0
              Flags:Valid, Policy, Etree Root,
              EncapFmly:0806 Oif:4 Len:14
              Encap Data: 02 e1 a8 7b bf 81 00 00 5e 00 01 00 08 00

root@vn1-vm2-2:/home/ubuntu# ifconfig -a
eth0 Link encap:Ethernet HWaddr 02:04:a6:6d:44:d9
          inet addr:10.204.218.151 Bcast:10.204.218.255 Mask:255.255.255.0
          inet6 addr: fe80::4:a6ff:fe6d:44d9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:10598 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10063 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5761604 (5.7 MB) TX bytes:1005066 (1.0 MB)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:840 (840.0 B) TX bytes:840 (840.0 B)

Pinging VM2 (VN2) from VM1 (VN1) without any policy
root@vn1-vm2-2:/home/ubuntu# ping 10.204.218.153
PING 10.204.218.153 (10.204.218.153) 56(84) bytes of data.
64 bytes from 10.204.218.153: icmp_req=1 ttl=63 time=1.29 ms
64 bytes from 10.204.218.153: icmp_req=2 ttl=63 time=0.295 ms
64 bytes from 10.204.218.153: icmp_req=3 ttl=63 time=0.280 ms
64 bytes from 10.204.218.153: icmp_req=4 ttl=63 time=0.261 ms
64 bytes from 10.204.218.153: icmp_req=5 ttl=63 time=0.288 ms
64 bytes from 10.204.218.153: icmp_req=6 ttl=63 time=0.292 ms
64 bytes from 10.204.218.153: icmp_req=7 ttl=63 time=0.312 ms
64 bytes from 10.204.218.153: icmp_req=8 ttl=63 time=0.249 ms
64 bytes from 10.204.218.153: icmp_req=9 ttl=63 time=0.247 ms

root@nodek11:~# flow --match 10.204.218.151
Flow table(size 80609280, entries 629760)

Entries: Created 947 Added 947 Deleted 1452 Changed 1465 Processed 947 Used Overflow entries 0
(Created Flows/CPU: 66 96 79 76 88 81 78 65 8 12 10 15 6 6 10 5 18 24 23 36 40 49 16 33 3 1 1 0 0 2 0 0)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

Listing flows matching ([10.204.218.151]:*)

    Index Source:Port/Destination:Port Proto(V)
-----------------------------------------------------------------------------------
    38748<=>126640 10.204.218.153:20048 1 (0)
                         10.204.218.151:0
(Gen: 1, K(nh):29, Action:F, Flags:, QOS:-1, S(nh):29, Stats:10/980,
 SPort 50070, TTL 0, Sinfo 4.0.0.0)

   126640<=>38748 10.204.218.151:20048 1 (0)
                         10.204.218.153:0
(Gen: 1, K(nh):22, Action:F, Flags:, QOS:-1, S(nh):22, Stats:10/980,
 SPort 63358, TTL 0, Sinfo 3.0.0.0)

   371060<=>19680 10.204.218.151:22 6 (2->0)
                         10.204.218.2:43168
(Gen: 5, K(nh):22, Action:N(SD), Flags:, TCP:, QOS:-1, S(nh):22, Stats:35/6438,
 SPort 57992, TTL 0, Sinfo 3.0.0.0)

root@nodek11:~# flow --match 10.204.218.153
Flow table(size 80609280, entries 629760)

Entries: Created 947 Added 947 Deleted 1452 Changed 1465 Processed 947 Used Overflow entries 0
(Created Flows/CPU: 66 96 79 76 88 81 78 65 8 12 10 15 6 6 10 5 18 24 23 36 40 49 16 33 3 1 1 0 0 2 0 0)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

Listing flows matching ([10.204.218.153]:*)

    Index Source:Port/Destination:Port Proto(V)
-----------------------------------------------------------------------------------
    38748<=>126640 10.204.218.153:20048 1 (0)
                         10.204.218.151:0
(Gen: 1, K(nh):29, Action:F, Flags:, QOS:-1, S(nh):29, Stats:15/1470,
 SPort 50070, TTL 0, Sinfo 4.0.0.0)

   126640<=>38748 10.204.218.151:20048 1 (0)
                         10.204.218.153:0
(Gen: 1, K(nh):22, Action:F, Flags:, QOS:-1, S(nh):22, Stats:15/1470,
 SPort 63358, TTL 0, Sinfo 3.0.0.0)

root@nodek11:~#

Tags: vrouter
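
A regression check for this scenario, added here as an example and not part of the original report or of Contrail's tooling: it parses `flow --match` output in the format shown in the log and returns forwarded flows between VMs in different VNs that no policy connects. The VN names, the IP-to-VN mapping and the function names are assumptions; the sample lines are copied from the log in this report.

```python
import re

# Sample copied from the `flow --match 10.204.218.151` output in this report.
SAMPLE_FLOW_OUTPUT = """\
    38748<=>126640 10.204.218.153:20048 1 (0)
                         10.204.218.151:0
(Gen: 1, K(nh):29, Action:F, Flags:, QOS:-1, S(nh):29, Stats:10/980,
 SPort 50070, TTL 0, Sinfo 4.0.0.0)

   126640<=>38748 10.204.218.151:20048 1 (0)
                         10.204.218.153:0
(Gen: 1, K(nh):22, Action:F, Flags:, QOS:-1, S(nh):22, Stats:10/980,
 SPort 63358, TTL 0, Sinfo 3.0.0.0)

   371060<=>19680 10.204.218.151:22 6 (2->0)
                         10.204.218.2:43168
(Gen: 5, K(nh):22, Action:N(SD), Flags:, TCP:, QOS:-1, S(nh):22, Stats:35/6438,
 SPort 57992, TTL 0, Sinfo 3.0.0.0)
"""

# Assumed mapping for this test bed: VM1 (VN1) is .151, VM2 (VN2) is .153.
VM_TO_VN = {"10.204.218.151": "VN1", "10.204.218.153": "VN2"}

FLOW_RE = re.compile(
    r"^\s*(?P<index>\d+)<=>(?P<rindex>\d+)\s+(?P<src>[\d.]+):\d+\s+(?P<proto>\d+)\s+\([^)]*\)\s*\n"
    r"\s*(?P<dst>[\d.]+):\d+\s*\n"
    r"\(Gen:[^\n]*?Action:(?P<action>[A-Z])",
    re.MULTILINE,
)

def parse_flows(text):
    """Return one dict per flow entry: index, rindex, src, dst, proto, action letter."""
    return [m.groupdict() for m in FLOW_RE.finditer(text)]

def unauthorized_flows(text, vm_to_vn, allowed_pairs=frozenset()):
    """Forwarded flows between VMs in different VNs that no policy pair allows."""
    # allowed_pairs: frozenset({vn_a, vn_b}) per VN pair joined by a policy.
    hits = []
    for flow in parse_flows(text):
        src_vn, dst_vn = vm_to_vn.get(flow["src"]), vm_to_vn.get(flow["dst"])
        if None in (src_vn, dst_vn) or src_vn == dst_vn:
            continue  # endpoint outside the tested VNs, or intra-VN traffic
        if flow["action"] == "F" and frozenset((src_vn, dst_vn)) not in allowed_pairs:
            hits.append(flow)
    return hits

if __name__ == "__main__":
    for f in unauthorized_flows(SAMPLE_FLOW_OUTPUT, VM_TO_VN):
        print("no policy, yet forwarded:", f["src"], "->", f["dst"], "flow", f["index"])
```

On the sample it returns both ICMP flow entries (38748 and 126640) and skips the NAT flow to 10.204.218.2, whose peer is outside the two VNs.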