neutron

dvr floating IP not work

Bug #1788614 reported by men on 2018-08-23

This bug report is a duplicate of: Bug #1776778: Floating IPs broken after kernel upgrade to Centos/RHEL 7.5 - DNAT not working. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	New	Undecided	Unassigned

Bug Description

openstack Q

centos7.5
[root@compute02 ~]# uname -r
3.10.0-862.el7.x86_64

neutron L3 DVR enable

compute node:

There are 2 vm dvr (float IP) on compute02 that cannot access each other.
192.0.2.11 and 192.0.2.14 can be ping successfully

compute02:
vm1 vm2
192.0.2.11 192.0.2.14
192.168.16.13(float IP) 192.168.16.22(float IP)

[root@compute02 ~]# ip netns
qrouter-58b0f4c6-9b28-44ca-b593-88b5bae9494a (id: 0)
fip-2b3cd7de-ff71-4be1-8d87-fb153469456a (id: 1)

[root@compute02 ~]# ip netns exec fip-2b3cd7de-ff71-4be1-8d87-fb153469456a ip route show
169.254.95.212/31 dev fpr-58b0f4c6-9 proto kernel scope link src 169.254.95.213
192.168.16.0/24 dev fg-690c809d-54 proto kernel scope link src 192.168.16.6
192.168.16.13 via 169.254.95.212 dev fpr-58b0f4c6-9
192.168.16.22 via 169.254.95.212 dev fpr-58b0f4c6-9

root@compute02 ~]# ip netns exec qrouter-58b0f4c6-9b28-44ca-b593-88b5bae9494a ip route show
169.254.95.212/31 dev rfp-58b0f4c6-9 proto kernel scope link src 169.254.95.212
192.0.2.0/24 dev qr-3dad3c3e-4c proto kernel scope link src 192.0.2.1

[root@compute02 ~]# ip netns exec qrouter-58b0f4c6-9b28-44ca-b593-88b5bae9494a iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i rfp-58b0f4c6-9 ! -o rfp-58b0f4c6-9 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.168.16.22/32 -i rfp-58b0f4c6-9 -j DNAT --to-destination 192.0.2.14
-A neutron-l3-agent-PREROUTING -d 192.168.16.13/32 -i rfp-58b0f4c6-9 -j DNAT --to-destination 192.0.2.11
-A neutron-l3-agent-float-snat -s 192.0.2.14/32 -j SNAT --to-source 192.168.16.22
-A neutron-l3-agent-float-snat -s 192.0.2.11/32 -j SNAT --to-source 192.168.16.13
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat

[root@compute02 ~]# ip netns exec qrouter-58b0f4c6-9b28-44ca-b593-88b5bae9494a ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: @if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fa:68:2b:be:da:93 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.95.212/31 scope global rfp-58b0f4c6-9
       valid_lft forever preferred_lft forever
    inet6 fe80::f868:2bff:febe:da93/64 scope link
       valid_lft forever preferred_lft forever
310: qr-3dad3c3e-4c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:4d:79:56 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global qr-3dad3c3e-4c
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe4d:7956/64 scope link
       valid_lft forever preferred_lft forever

[root@compute02 ~]# ip netns exec qrouter-58b0f4c6-9b28-44ca-b593-88b5bae9494a tcpdump -i rfp-58b0f4c6-9 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rfp-58b0f4c6-9, link-type EN10MB (Ethernet), capture size 262144 bytes
21:29:07.754841 IP 192.168.16.11 > 192.168.16.22: ICMP echo request, id 2606, seq 1, length 64
21:29:08.753192 IP 192.168.16.11 > 192.168.16.22: ICMP echo request, id 2606, seq 2, length 64
21:29:09.753182 IP 192.168.16.11 > 192.168.16.22: ICMP echo request, id 2606, seq 3, length 64
21:29:10.753210 IP 192.168.16.11 > 192.168.16.22: ICMP echo request, id 2606, seq 4, length 64
21:29:11.753181 IP 192.168.16.11 > 192.168.16.22: ICMP echo request, id 2606, seq 5, length 64
21:29:12.753200 IP 192.168.16.11 > 192.168.16.22: ICMP echo request, id 2606, seq 6, length 64
21:29:13.753191 IP 192.168.16.11 > 192.168.16.22: ICMP echo request, id 2606, seq 7, length 64
21:29:14.753170 IP 192.168.16.11 > 192.168.16.22: ICMP echo request, id 2606, seq 8, length 64

Revision history for this message

LIU Yulong (dragon889) wrote on 2018-08-24:

Marked as duplicated to bug #1776778.
Try to upgrade your kernal to fix this.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1776778 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.