OpenStack version: Icehouse 2014.1.5
Nova version: 2.17.0
I have two instances created on the same compute node, connected to a virtual network. I am trying to connect over the virtual network from one instance to the other, to a port on which no process is listening, and I am expecting to get a 'Connection refused' message from the kernel.
This works as expected with any two instances on the same virtual network that are located on different compute nodes. However, if the instances are created on the same compute node, the connection times out.
I have noticed that a temporary fix has been to tamper with the input iptables rules by moving the rule which drops packets in an invalid state to after the rules defined for the other instances, as follows:
From:
-A neutron-openvswi-ic05bb97b-2 -m state --state INVALID -j DROP
-A neutron-openvswi-ic05bb97b-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 35357 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 80 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 5000 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp -m multiport --dports 9000:9999 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.41/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.25/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.45/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.17/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 4.0.0.12/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.36/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.43/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.40/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.35/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 6.0.0.3/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.28/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 4.0.0.10/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.22/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.44/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.47/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.44/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.39/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.20/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.26/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.38/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.29/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.48/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 6.0.0.6/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.15/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.24/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 4.0.0.11/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.45/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.54/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.13/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.43/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.33/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.42/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.46/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.42/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.23/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.50/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.12/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.16/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.14/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.37/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 5.0.0.7/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.41/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.46/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.48/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.30/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.21/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.27/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 5.0.0.8/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 6.0.0.5/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 5.0.0.6/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.49/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p icmp -j RETURN
To:
-A neutron-openvswi-ic05bb97b-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 35357 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 80 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 5000 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp -m multiport --dports 9000:9999 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.41/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.25/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.45/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.17/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 4.0.0.12/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.36/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.43/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.40/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.35/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 6.0.0.3/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.28/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 4.0.0.10/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.22/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.44/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.47/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.44/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.39/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.20/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.26/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.38/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.29/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.48/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 6.0.0.6/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.15/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.24/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 4.0.0.11/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.45/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.54/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.13/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.43/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.33/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.42/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.46/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.42/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.23/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.50/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.12/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.16/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.14/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.37/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 5.0.0.7/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.41/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 3.0.0.46/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.48/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.30/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.21/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.27/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 5.0.0.8/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 6.0.0.5/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 5.0.0.6/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.49/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p icmp -j RETURN
-A neutron-openvswi-ic05bb97b-2 -m state --state INVALID -j DROP
Is this a Nova issue or Neutron issue? :)
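Added example (not part of the original report, and not Nova or Neutron code): a check over iptables-save output that lists, for each neutron-openvswi-i* chain, the RETURN/ACCEPT rules placed before the INVALID DROP rule, which can therefore pass packets that conntrack marks INVALID, as in the reordered listing above. The sample input is constructed from the report's listings, and the chain name neutron-openvswi-iexample000 is a placeholder.

```python
import re

# Constructed sample in iptables-save format, shortened from the two listings above.
# The first chain has the reordered layout, the second the original layout.
SAMPLE = """\
-A neutron-openvswi-ic05bb97b-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -s 9.0.0.41/32 -j RETURN
-A neutron-openvswi-ic05bb97b-2 -p icmp -j RETURN
-A neutron-openvswi-ic05bb97b-2 -m state --state INVALID -j DROP
-A neutron-openvswi-iexample000 -m state --state INVALID -j DROP
-A neutron-openvswi-iexample000 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-iexample000 -s 9.0.0.25/32 -j RETURN
"""

RULE = re.compile(r"^-A\s+(neutron-openvswi-i\S+)\s+(.*)$")
STATE = re.compile(r"--(?:state|ctstate)\s+(\S+)")


def rule_states(spec):
    """Conntrack states a rule is restricted to (empty set = any state)."""
    m = STATE.search(spec)
    return set(m.group(1).split(",")) if m else set()


def audit(text):
    """Map each ingress chain to the rules that can pass INVALID-state packets."""
    chains = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    findings = {}
    for chain, rules in chains.items():
        exposed = []
        for spec in rules:
            states = rule_states(spec)
            if spec.endswith("-j DROP") and states == {"INVALID"}:
                break  # rules after this point never see INVALID packets
            if states and "INVALID" not in states:
                continue  # e.g. RELATED,ESTABLISHED cannot match INVALID
            if spec.endswith(("-j RETURN", "-j ACCEPT")):
                exposed.append(spec)
        findings[chain] = exposed  # no INVALID DROP at all: every pass rule is listed
    return findings


if __name__ == "__main__":
    for chain, exposed in audit(SAMPLE).items():
        print(chain, "->", exposed or "INVALID dropped before any pass rule")
```

Feeding it the output of `iptables-save` from a compute node shows which chains carry the reordered layout and which port, source and protocol rules are then reachable by INVALID-state traffic.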