Default scope rules added to router may drop traffic unexpectedly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Invalid | Undecided | Unassigned |
Bug Description
Release: OpenStack-Ansible 13.3.4 (Mitaka)
Scenario:
Neutron routers are connected to single provider network and single tenant network. Floating IPs are *not* used, and SNAT is disabled on the router:
+------
| Field | Value |
+------
| admin_state_up | True |
| availability_
| availability_zones | nova |
| description | |
| distributed | False |
| external_
| | -449f-b22e-
| ha | False |
| id | c965e7a1-
| name | RTR |
| routes | |
| status | ACTIVE |
| tenant_id | 2ed1712187674c6
+------
Upstream routes exist that route tenant network traffic to the qg interface of the router (static, not BGP - yet).
In some cases, we have found that inbound/outbound traffic is getting dropped within the Neutron qrouter namespace. Comparing to a working router, we have found some differences in iptables:
Working router:
*mangle
-A neutron-
-A neutron-
*filter
-A neutron-
-A neutron-
Non-working router:
*mangle
-A neutron-
-A neutron-
*filter
-A neutron-
-A neutron-
Our working theory is that the marks in filter rules on the non-working router are incorrectly set - traffic ingress to the qg interface is being marked as x401, and the egress filter on the qr interface is checking for x400. We were able to test this theory by swapping the marks on those two filter rules and observed that inbound/outbound traffic was working properly.
In the case of the working router, the mark set in the mangle rules is the same (x401 for both), so the filter rules work fine.
We are not sure at this time how the mark is determined, and while we can replicate the issue on new routers in the environment, we are unable to replicate this behavior in other environments at this time.
Please let us know if you need any additional info.
tags: | added: sg-fw |
tags: | added: l3-ipam-dhcp |
It looks like it thinks they are coming from different address scopes. Can you confirm by checking the address scope on both sides of the router via the API (ipv4_address_scope on the external network matches the ipv4_address_scope on the internal network)?
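The reporter's theory (the mark set on qg ingress does not match the mark the qr egress filter requires) and the address-scope explanation above can be checked directly from an iptables-save dump of the qrouter namespace. The script below is an added example, not part of the bug report or of Neutron: the chain name, device names and mark encoding in the embedded dump are constructed to match the shape of the truncated excerpt, with the 0x401/0x400 values taken from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed iptables-save excerpt in the shape of the truncated one in the
# report: the mangle table marks ingress traffic per interface with that
# interface's address-scope mark, and the filter table drops egress traffic
# whose mark does not match the outgoing interface's scope. Chain name,
# device names and mark encoding are assumptions, not a real capture.
NON_WORKING_RULES = """\
*mangle
-A neutron-l3-agent-scope -i qg-0a1b2c3d-4e -j MARK --set-xmark 0x401/0xffff
-A neutron-l3-agent-scope -i qr-5f6a7b8c-9d -j MARK --set-xmark 0x400/0xffff
*filter
-A neutron-l3-agent-scope -o qg-0a1b2c3d-4e -m mark ! --mark 0x401/0xffff -j DROP
-A neutron-l3-agent-scope -o qr-5f6a7b8c-9d -m mark ! --mark 0x400/0xffff -j DROP
"""

INGRESS_MARK_RE = re.compile(
    r"^-A \S+ -i (\S+) -j MARK --set-xmark (0x[0-9a-f]+)(?:/0x[0-9a-f]+)?$", re.I)
EGRESS_CHECK_RE = re.compile(
    r"^-A \S+ -o (\S+) -m mark ! --mark (0x[0-9a-f]+)(?:/0x[0-9a-f]+)? -j DROP$", re.I)


def parse_scope_rules(dump: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (mark set on ingress per device, mark required on egress per device)."""
    ingress: Dict[str, int] = {}
    egress: Dict[str, int] = {}
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # '*mangle' / '*filter' start a new table
            continue
        if table == "mangle" and (m := INGRESS_MARK_RE.match(line)):
            ingress[m.group(1)] = int(m.group(2), 16)
        elif table == "filter" and (m := EGRESS_CHECK_RE.match(line)):
            egress[m.group(1)] = int(m.group(2), 16)
    return ingress, egress


def find_scope_mismatches(dump: str) -> List[Tuple[str, str, int, int]]:
    """List forwarding paths (in_dev, out_dev, mark_set, mark_required) that the
    scope rules would DROP. For a router without SNAT or floating IPs, traffic
    between its qg and qr interfaces must not appear here."""
    ingress, egress = parse_scope_rules(dump)
    return [
        (in_dev, out_dev, set_mark, want)
        for in_dev, set_mark in ingress.items()
        for out_dev, want in egress.items()
        if in_dev != out_dev and set_mark != want
    ]


if __name__ == "__main__":
    for in_dev, out_dev, got, want in find_scope_mismatches(NON_WORKING_RULES):
        print(f"{in_dev} -> {out_dev}: marked {got:#x}, filter requires {want:#x}: DROP")
```

Run against a real dump (`ip netns exec qrouter-<id> iptables-save`), an empty result for the qg/qr pair means the two networks carry the same scope mark; any reported pair points at the address-scope mismatch the comment above asks to confirm via the API.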