neutron does not create the necessary iptables rules for l3 and dhcp agents when linuxbridge used

The l3-agent and dhcp-agent create iptables rules inside network namespaces, so won't be visible in the "root" namespace.

Is there a specific problem you're seeing?

The problem is not inside namespaces they looks fine.

In the example above tapb48c914e-20 is nova port, tap5015bfe4-c5 and tapa6d0f381-b7 dhcp and ruter ports.
Default security rule "-A FORWARD -j REJECT --reject-with icmp-host-prohibited" prevent non local traffic. So by default traffic localized inside brq76f218a0-55 and not go through vxlan-1006.
Nova port bridge this by rules in neutron-linuxbri-FORWARD chain:
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT

In current state servers behind vxlan-1006 can't reach tap5015bfe4-c5 tapa6d0f381-b7 agents and tapb48c914e-20 VM didn't receive answers from remote agents which are isolated on their hosts.

I believe that agent ports connected bridge have to have same security rules as nova ports respecting to brq76f218a0-55.

I think it was work in ocata thanks to legacy nova net chains and the issue was applicable only for router HA net see 1717927 , but in pike all agent traffic locked in the host bridges.
Unfortunately I have no ocata setup to check it more closely for now.

Yes, I guess this looks like a problem, I just don't have a multi-node linuxbridge agent configuration to test with as my typical deployment is with OVS.

Do you have any time to work on a possible patch?

Unfortunately we have no resources for this in the near future.

You don't have to have multi-node setup to debug this issue. In single-node guests will not face with unreachable agents but you still could observe missing rules in neutron-linuxbri-FORWARD chain for appropriate agent ports.

Hi,

I dig little bit more into this issue and I found that ports like routed or DHCP ports are filtered in neutron-server in https://github.com/openstack/neutron/blob/master/neutron/api/rpc/handlers/securitygroups_rpc.py#L88 because such ports are marked as trusted there.
Then neutron-linuxbridge agent don't get any info about such ports and is not even trying to iterate over them in https://github.com/openstack/neutron/blob/master/neutron/agent/securitygroups_rpc.py#L120
But as I'm not SG expert I don't know exactly what could be the best way to try to fix it.
@Brian: maybe You have any idea about that?

Fix proposed to branch: master
Review: https://review.openstack.org/525607

Reviewed: https://review.openstack.org/525607
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=97b30494a9263db684e5901113b53c25e55d1854
Submitter: Zuul
Branch: master

commit 97b30494a9263db684e5901113b53c25e55d1854
Author: Sławek Kapłoński <email address hidden>
Date: Tue Dec 5 14:37:50 2017 +0100

    Iptables firewall driver adds forward rules for trusted ports

    Iptables firewall driver can now add process trusted ports and
    adds rules for them to FORWARD chain.

    Change-Id: I67d0f17b4b56671fc2e2dd6e2fc4518dc42cd131
    Closes-Bug: #1720205

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/550782

Reviewed: https://review.openstack.org/550782
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4e5fb5240c90c90c3a7416f59745fa7adf1ed2a8
Submitter: Zuul
Branch: stable/queens

commit 4e5fb5240c90c90c3a7416f59745fa7adf1ed2a8
Author: Sławek Kapłoński <email address hidden>
Date: Tue Dec 5 14:37:50 2017 +0100

    Iptables firewall driver adds forward rules for trusted ports

    Iptables firewall driver can now add process trusted ports and
    adds rules for them to FORWARD chain.

    Change-Id: I67d0f17b4b56671fc2e2dd6e2fc4518dc42cd131
    Closes-Bug: #1720205
    (cherry picked from commit 97b30494a9263db684e5901113b53c25e55d1854)

This issue was fixed in the openstack/neutron 12.0.1 release.

This issue was fixed in the openstack/neutron 13.0.0.0b1 development milestone.

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/575677

Reviewed: https://review.openstack.org/575677
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e123bd7e1d60d399072828391534096e50b2d1cb
Submitter: Zuul
Branch: stable/pike

commit e123bd7e1d60d399072828391534096e50b2d1cb
Author: Sławek Kapłoński <email address hidden>
Date: Tue Dec 5 14:37:50 2017 +0100

    Iptables firewall driver adds forward rules for trusted ports

    Iptables firewall driver can now add process trusted ports and
    adds rules for them to FORWARD chain.

    Change-Id: I67d0f17b4b56671fc2e2dd6e2fc4518dc42cd131
    Closes-Bug: #1720205
    (cherry picked from commit 97b30494a9263db684e5901113b53c25e55d1854)

This issue was fixed in the openstack/neutron 11.0.6 release.