Unfortunately bug 1720205, at least its origin, is not fixed at all. Yes, there could be a workaround for the HA net, but DHCP/DNS ports are unpredictable and depend on dynamic infrastructure.
With the current fix, servers still can only communicate with local agents.
### ifconfig -a
eth0 Link encap:Ethernet HWaddr FA:16:3E:13:1D:EB
inet addr:192.168.100.11 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe13:1deb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:8950 Metric:1
RX packets:93 errors:0 dropped:0 overruns:0 frame:0
TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13755 (13.4 KiB) TX bytes:12957 (12.6 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:112 (112.0 B) TX bytes:112 (112.0 B)
### route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 eth0
169.254.169.254 192.168.100.2 255.255.255.255 UGH 0 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
### cat /etc/resolv.conf
search openstacklocal
nameserver 192.168.100.3
nameserver 192.168.100.2
nameserver 192.168.100.4
### ping -c 5 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
--- 192.168.100.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
### pinging nameservers
#### ping -c 5 192.168.100.3
PING 192.168.100.3 (192.168.100.3): 56 data bytes
--- 192.168.100.3 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
#### ping -c 5 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: seq=0 ttl=64 time=0.352 ms
64 bytes from 192.168.100.2: seq=1 ttl=64 time=0.196 ms
64 bytes from 192.168.100.2: seq=2 ttl=64 time=0.153 ms
64 bytes from 192.168.100.2: seq=3 ttl=64 time=0.195 ms
64 bytes from 192.168.100.2: seq=4 ttl=64 time=0.137 ms
--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.137/0.206/0.352 ms
#### ping -c 5 192.168.100.4
PING 192.168.100.4 (192.168.100.4): 56 data bytes
--- 192.168.100.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
### uname -a
Linux cirros 3.2.0-80-virtual #116-Ubuntu SMP Mon Mar 23 17:28:52 UTC 2015 x86_64 GNU/Linux
So we really need to pass traffic in both directions. But for security reasons we have to check sg-chains before other rules.
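As an added illustration (my own script, not part of the bug report or of neutron), the following Python parses the three diagnostics quoted in the comment above, /etc/resolv.conf, `route -n` and the `ping -c 5` summaries, and reports which of the default gateway, the metadata next-hop and the configured nameservers actually answered from inside the guest. The sample text is copied from the comment; the function names are this example's own. It shows at a glance what the comment describes: of the three agent addresses the instance depends on, only the one that is also the metadata next-hop (192.168.100.2) is reachable.

```python
"""Summarise in-guest reachability from resolv.conf, route -n and ping output.

Added example, not code from the bug report or from neutron. The three text
blocks below are copied from the diagnostics quoted in the comment.
"""
import re

RESOLV_CONF = """\
search openstacklocal
nameserver 192.168.100.3
nameserver 192.168.100.2
nameserver 192.168.100.4
"""

ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 eth0
169.254.169.254 192.168.100.2 255.255.255.255 UGH 0 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
"""

PING_OUTPUT = """\
--- 192.168.100.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
--- 192.168.100.3 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
--- 192.168.100.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
"""

# "--- <ip> ping statistics ---" followed by the transmitted/received line.
PING_RE = re.compile(
    r"--- (\S+) ping statistics ---\n(\d+) packets transmitted, (\d+) packets received"
)


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf, in file order."""
    return [m.group(1) for m in re.finditer(r"^nameserver\s+(\S+)", text, re.M)]


def parse_routes(text):
    """Map destination -> gateway for every `route -n` entry with a next hop (G flag)."""
    routes = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gateway, _genmask, flags = fields[:4]
        if "G" in flags:
            routes[dest] = gateway
    return routes


def parse_ping(text):
    """Map pinged address -> (packets transmitted, packets received)."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in PING_RE.finditer(text)}


def reachability_report(resolv, route, ping):
    """Combine the three parsers: which infrastructure addresses replied at all."""
    roles = {}
    routes = parse_routes(route)
    if "0.0.0.0" in routes:
        roles.setdefault(routes["0.0.0.0"], []).append("default gateway")
    if "169.254.169.254" in routes:
        roles.setdefault(routes["169.254.169.254"], []).append("metadata next-hop")
    for ns in parse_nameservers(resolv):
        roles.setdefault(ns, []).append("nameserver")

    stats = parse_ping(ping)
    report = {}
    for ip, role_list in roles.items():
        sent, received = stats.get(ip, (0, 0))
        report[ip] = {"roles": role_list, "reachable": sent > 0 and received > 0}
    return report


if __name__ == "__main__":
    for ip, info in reachability_report(RESOLV_CONF, ROUTE_N, PING_OUTPUT).items():
        state = "reachable" if info["reachable"] else "NO REPLY"
        print(f"{ip:16} {state:10} {', '.join(info['roles'])}")
```

Run against the quoted output it prints one line per address; every address except 192.168.100.2 shows "NO REPLY", which is the condition the comment is arguing about: the instance can only talk to the agent on its own node.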