With snat disabled on a legacy router, pings to floating IPs are replied to with fixed IPs

Bug #1551530 reported by Hong Hui Xiao
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Hong Hui Xiao

Bug Description

On my single node devstack setup, there are 2 VMs hosted. VM1 has no floating IP assigned. VM2 has a floating IP assigned. From VM1, ping VM2 using the floating IP. Ping output reports that the replies come from VM2's fixed IP address.
The reply should be from VM2's floating IP address.

VM1: 10.0.0.4
VM2: 10.0.0.3 floating ip:172.24.4.4

$ ping 172.24.4.4 -c 1 -W 1
PING 172.24.4.4 (172.24.4.4): 56 data bytes
64 bytes from 10.0.0.3: seq=0 ttl=64 time=3.440 ms

This will only happen for legacy router with snat disabled, and at the same time, VM1 and VM2 are in the same subnet.

Comparing the iptables rules, the following rule is missing when snat is disabled.

Chain neutron-vpn-agen-snat (1 references)
 pkts bytes target prot opt in out source destination
    1 84 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.6

This rule will SNAT internal traffic to the floating IP. Without this rule, the packet with which VM2 replies to VM1 will be treated as traffic inside the subnet, and that traffic will not go through the router. As a result, the DNAT record in the router namespace will not work for the reply packet.

The intended fix will add the mentioned iptables rule regardless of whether snat is enabled. So the packet with which VM2 replies to VM1 will be destined to 172.24.4.6 and go through the router namespace. As a result, the DNAT and SNAT records will work to make things right.
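The following is an added toy model of the path the report describes; it is not neutron code and not a netfilter implementation, only enough DNAT, SNAT and conntrack logic to show why the echo reply carries the fixed IP when the `ctstate DNAT -j SNAT` rule is absent and the floating IP when it is present. Addresses are taken from the report; 172.24.4.6 is assumed here to be the router's external gateway address (the `to:` target of the quoted rule), and the VM/subnet layout is a constructed fixture.

```python
"""Toy model of the hairpin NAT path described in the bug above.

Constructed example for illustration; neither neutron code nor a netfilter
implementation.  Addresses follow the report: VM1 10.0.0.4, VM2 10.0.0.3,
VM2's floating IP 172.24.4.4.  172.24.4.6 is assumed to be the router's
external gateway address (the 'to:' target of the quoted SNAT rule).
"""
import ipaddress
from dataclasses import dataclass

SUBNET = ipaddress.ip_network("10.0.0.0/24")
VM1 = "10.0.0.4"
VM2 = "10.0.0.3"
FLOATING_IP = "172.24.4.4"
GW_EXTERNAL_IP = "172.24.4.6"  # assumed router gateway address

# The rule quoted in the report, in iptables-save form (for reference only):
#   -A neutron-vpn-agen-snat -m mark ! --mark 0x2/0xffff \
#       -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.6
# The '! --mark 0x2' match excludes packets that entered from the external
# network, so only traffic originating inside the router's subnets is SNATed.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class RouterNamespace:
    """Minimal model of the router's NAT rules plus a conntrack table."""

    def __init__(self, hairpin_snat_rule: bool):
        # PREROUTING: floating IP -> fixed IP (always present for a floating IP)
        self.dnat = {FLOATING_IP: VM2}
        # POSTROUTING: the 'ctstate DNAT -j SNAT' rule that the report says is
        # missing when shared snat is disabled
        self.hairpin_snat_rule = hairpin_snat_rule
        # key: (src, dst) as the reply will arrive -> original (src, dst)
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        # Reply direction: conntrack reverses whatever NAT was applied.
        key = (pkt.src, pkt.dst)
        if key in self.conntrack:
            orig_src, orig_dst = self.conntrack.pop(key)
            return Packet(src=orig_dst, dst=orig_src)

        original = pkt
        dnat_applied = False
        if pkt.dst in self.dnat:                      # DNAT floating -> fixed
            pkt = Packet(pkt.src, self.dnat[pkt.dst])
            dnat_applied = True
        if dnat_applied and self.hairpin_snat_rule:   # ctstate DNAT -> SNAT
            pkt = Packet(GW_EXTERNAL_IP, pkt.dst)

        # Record the flow so the reply (src/dst swapped) can be un-NATed.
        self.conntrack[(pkt.dst, pkt.src)] = (original.src, original.dst)
        return pkt


def deliver(pkt: Packet, router: RouterNamespace) -> Packet:
    """A VM sends same-subnet destinations directly on L2; anything else goes
    to its default gateway, the router namespace."""
    if ipaddress.ip_address(pkt.dst) in SUBNET:
        return pkt
    return router.forward(pkt)


def ping_floating_ip(hairpin_snat_rule: bool) -> str:
    """Return the source address VM1 sees on the echo reply."""
    router = RouterNamespace(hairpin_snat_rule)
    request = deliver(Packet(VM1, FLOATING_IP), router)  # off-subnet: via router
    # VM2 answers whatever source address the request carried.  Without the
    # SNAT rule that is VM1's own address, so the reply stays on the subnet
    # and never revisits the router's conntrack entry.
    reply = deliver(Packet(src=VM2, dst=request.src), router)
    return reply.src


if __name__ == "__main__":
    print("without SNAT rule, reply from", ping_floating_ip(False))  # 10.0.0.3
    print("with SNAT rule, reply from   ", ping_floating_ip(True))   # 172.24.4.4
```

The model makes the defender-relevant point explicit: the DNAT entry alone is useless for a same-subnet caller, because the reverse translation only happens if the reply is forced back through the namespace that holds the conntrack entry, which is exactly what the source rewrite to the gateway address achieves.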

Hong Hui Xiao (xiaohhui)
Changed in neutron:
assignee: nobody → Hong Hui Xiao (xiaohhui)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/286392

Changed in neutron:
status: New → In Progress
tags: added: l3-ipam-dhcp
Changed in neutron:
importance: Undecided → Medium
Changed in neutron:
milestone: none → mitaka-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/286392
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cea149212e6387932eaac8448c951d2ceb7ae23d
Submitter: Jenkins
Branch: master

commit cea149212e6387932eaac8448c951d2ceb7ae23d
Author: Hong Hui Xiao <email address hidden>
Date: Tue Mar 1 05:42:42 2016 +0000

    Add fip nat rules even if router disables shared snat

    For legacy router, there are some iptables rules added for external gateway
    port. Some of these rules are for shared snat, some are for floating ip.

    When user disables shared snat of router gateway, some of the iptables rules
    that floating ip needs will not be added to router. This will cause the
    reported bug, ping floating ip but reply with fixed ip.

    The fix will add the iptables rules that floating ip needs, no matter if
    router enables shared snat. A functional test is also added for the issue.

    Change-Id: I3cf4dff90f47a720a2e6a92c9ede2bc067ebd6e7
    Closes-Bug: #1551530

Changed in neutron:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.0.0.0rc1

This issue was fixed in the openstack/neutron 8.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/298884

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/liberty)

Reviewed: https://review.openstack.org/298884
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3507c097e8b27333a5d583b915149e5b20e70fb6
Submitter: Jenkins
Branch: stable/liberty

commit 3507c097e8b27333a5d583b915149e5b20e70fb6
Author: Hong Hui Xiao <email address hidden>
Date: Tue Mar 1 05:42:42 2016 +0000

    Add fip nat rules even if router disables shared snat

    For legacy router, there are some iptables rules added for external gateway
    port. Some of these rules are for shared snat, some are for floating ip.

    When user disables shared snat of router gateway, some of the iptables rules
    that floating ip needs will not be added to router. This will cause the
    reported bug, ping floating ip but reply with fixed ip.

    The fix will add the iptables rules that floating ip needs, no matter if
    router enables shared snat. A functional test is also added for the issue.

    Conflicts:
     neutron/agent/l3/router_info.py
     neutron/tests/unit/agent/l3/test_agent.py

    Change-Id: I3cf4dff90f47a720a2e6a92c9ede2bc067ebd6e7
    Closes-Bug: #1551530
    (cherry picked from commit cea149212e6387932eaac8448c951d2ceb7ae23d)

tags: added: in-stable-liberty
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron 7.1.2

This issue was fixed in the openstack/neutron 7.1.2 release.
