ebtables ARP rules don't account for floating IPs on LinuxBridge
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | Undecided | Kevin Benton | |
Bug Description
The new ebtables ARP filtering rules don't account for floating IPs, which blocks ARP replies from the qrouter netns the float lives in, effectively blocking traffic to the float and thus the instance. Looking at the ebtables code, rules are currently only added for ports with port security enabled (port_filter:True), IPs in the fixed_ips list and IPs in the allowed-address pairs list for a given port. Floating IPs do not have port security enabled, aren't fixed_ips and aren't automatically inserted into router gateway port AAPs.
This is an example ebtables -L --Lc list of the filter table on the root namespace where the router is:
http://
192.168.74.0/24 is the private instance network
172.29.248.0/22 is the public network
192.168.74.1 is the router inside IP
192.168.74.2 is the DHCP server IP
192.168.74.3 is the instance IP
172.29.248.2 is the router gateway/outside IP
172.29.248.3 is the DHCP server IP (forgot to disable for the public)
172.29.248.8 is the floating IP
As you can see, the floating IP is not in the rules, which results in ARP replies from the qrouter namespace being dropped.
Adding the exception to ebtables results in working traffic, like this (line 18):
http://
For reference, here's ebtables from the compute node along with the instance information:
http://
Changed in neutron:
assignee: nobody → yalei wang (yalei-wang)
Changed in neutron:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Changed in neutron:
milestone: liberty-rc1 → 7.0.0
Assuming there are no issues I'm not aware of in doing so, it seems like the easiest fix is to enable port security for floating IP ports, so they get rules added. Barring that, I imagine the ebtables code needs to add another case to explicitly add floats.
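As an added illustration (not neutron's code) of the address-collection logic the report describes and of the "add another case for floats" fix proposed above: a small model of which ARP source IPs a port's ebtables rules would accept, built from fixed_ips and allowed-address pairs only, and then with floating IPs included. The port dicts, the `port_filter` key and the `include_floats` switch are simplified stand-ins for the agent's real data structures; the addresses are taken from the report.

```python
# Added example, not the neutron LinuxBridge agent's code: models which ARP
# source IPs the per-port ebtables filter accepts, before and after the
# proposed fix of treating floating IPs as an extra allowed case.
import ipaddress


def arp_allowed_networks(port, floating_ips=(), include_floats=False):
    """Networks whose ARP replies the port may send, or None when the port
    gets no ARP filtering at all (port security disabled, port_filter False)."""
    if not port.get("port_filter", True):
        return None
    nets = [ipaddress.ip_network(f["ip_address"]) for f in port["fixed_ips"]]
    # Allowed-address pairs may be single hosts or CIDRs; strict=False lets a
    # host address carry a prefix (e.g. 10.0.0.5/24) without raising.
    nets += [ipaddress.ip_network(p["ip_address"], strict=False)
             for p in port.get("allowed_address_pairs", [])]
    if include_floats:  # the case the report says is missing
        nets += [ipaddress.ip_network(f) for f in floating_ips]
    return nets


def arp_reply_accepted(port, arp_ip_src, floating_ips=(), include_floats=False):
    """True if an ARP reply claiming arp_ip_src from this port passes the filter."""
    nets = arp_allowed_networks(port, floating_ips, include_floats)
    if nets is None:
        return True  # unfiltered port: no ARP chain exists for it
    src = ipaddress.ip_address(arp_ip_src)
    return any(src in n for n in nets)


# Constructed sample modelled on the report: the router gateway port holds
# 172.29.248.2 and answers ARP for the floating IP 172.29.248.8 as well.
QG_PORT = {
    "port_filter": True,
    "fixed_ips": [{"ip_address": "172.29.248.2"}],
    "allowed_address_pairs": [],
}
FLOATS = ["172.29.248.8"]

if __name__ == "__main__":
    for ip in ("172.29.248.2", "172.29.248.8"):
        print(ip, "before fix:", arp_reply_accepted(QG_PORT, ip, FLOATS),
              "after fix:", arp_reply_accepted(QG_PORT, ip, FLOATS, include_floats=True))
```

Running it shows the gateway address passing in both cases while the floating IP is dropped until `include_floats` is set, which is the ARP-reply loss the report describes.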