[neutron][Kolla] Failed to get DHCP offer packet at qvo/qvb in compute node

Shuai Zhao kevinzs2048 at gmail.com
Tue Oct 15 08:38:10 UTC 2019


Sorry, I missed the ingress rules:
(neutron-openvswitch-agent)[root@uk-dc-tx2-01 /]# iptables -S | grep neutron-openvswi-iba5cd56c-4
-N neutron-openvswi-iba5cd56c-4
-A neutron-openvswi-iba5cd56c-4 -m state --state RELATED,ESTABLISHED -m
comment --comment "Direct packets associated with a known session to the
RETURN chain." -j RETURN
-A neutron-openvswi-iba5cd56c-4 -d 192.168.200.6/32 -p udp -m udp --sport
67 --dport 68 -j RETURN
-A neutron-openvswi-iba5cd56c-4 -d 255.255.255.255/32 -p udp -m udp --sport
67 --dport 68 -j RETURN
-A neutron-openvswi-iba5cd56c-4 -p tcp -m tcp -m multiport --dports 1:65535
-j RETURN
-A neutron-openvswi-iba5cd56c-4 -p icmp -j RETURN
-A neutron-openvswi-iba5cd56c-4 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-iba5cd56c-4 -m set --match-set
NIPv40cd3823f-af20-4015-b9f4- src -j RETURN
-A neutron-openvswi-iba5cd56c-4 -m state --state INVALID -m comment
--comment "Drop packets that appear related to an existing connection (e.g.
TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-iba5cd56c-4 -m comment --comment "Send unmatched
traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapba5cd56c-46
--physdev-is-bridged -m comment --comment "Jump to the VM specific chain."
-j neutron-openvswi-iba5cd56c-4

And ml2_conf.ini:
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security

[ml2_type_vlan]
network_vlan_ranges =

[ml2_type_flat]
flat_networks = physnet1

[ml2_type_vxlan]
vni_ranges = 1:1000
vxlan_group = 239.1.1.1

[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

[agent]
tunnel_types = vxlan
l2_population = true
arp_responder = true

[ovs]
datapath_type = system
ovsdb_connection = tcp:127.0.0.1:6640
local_ip = 10.22.20.4


On Tue, Oct 15, 2019 at 4:16 PM Shuai Zhao <kevinzs2048 at gmail.com> wrote:

> Hi Neutron,
> I've deployed the Rocky-rc2 version on Debian Buster (compute node), kernel
> Linux 4.19.
>
> Now the issue:
> The VM running on the host (Debian Buster) could not get an IP when booting. I
> used tcpdump to capture the packets on tap, qbr, qvb and qvo.
> The DHCP broadcast packet could be dumped at tap and qbr, but not at
> qvo/qvb. So DHCP failed. All the firewall policy is automatically generated
> by Neutron.
>
> The firewall policy has never been changed.
> (neutron-openvswitch-agent)[root@** /]# iptables -S | grep tapba5cd56c-46
> -A neutron-openvswi-FORWARD -m physdev --physdev-out tapba5cd56c-46
> --physdev-is-bridged -m comment --comment "Direct traffic from the VM
> interface to the security group chain." -j neutron-openvswi-sg-chain
> -A neutron-openvswi-FORWARD -m physdev --physdev-in tapba5cd56c-46
> --physdev-is-bridged -m comment --comment "Direct traffic from the VM
> interface to the security group chain." -j neutron-openvswi-sg-chain
> -A neutron-openvswi-INPUT -m physdev --physdev-in tapba5cd56c-46
> --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM
> to the security group chain." -j neutron-openvswi-oba5cd56c-4
> -A neutron-openvswi-sg-chain -m physdev --physdev-out tapba5cd56c-46
> --physdev-is-bridged -m comment --comment "Jump to the VM specific chain."
> -j neutron-openvswi-iba5cd56c-4
> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapba5cd56c-46
> --physdev-is-bridged -m comment --comment "Jump to the VM specific chain."
> -j neutron-openvswi-oba5cd56c-4
>
> (neutron-openvswitch-agent)[root@*** /]# iptables -S | grep neutron-openvswi-oba5cd56c-4
> -N neutron-openvswi-oba5cd56c-4
> -A neutron-openvswi-INPUT -m physdev --physdev-in tapba5cd56c-46
> --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM
> to the security group chain." -j neutron-openvswi-oba5cd56c-4
> -A neutron-openvswi-oba5cd56c-4 -s 0.0.0.0/32 -d 255.255.255.255/32 -p
> udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client
> traffic." -j RETURN
> -A neutron-openvswi-oba5cd56c-4 -j neutron-openvswi-sba5cd56c-4
> -A neutron-openvswi-oba5cd56c-4 -p udp -m udp --sport 68 --dport 67 -m
> comment --comment "Allow DHCP client traffic." -j RETURN
> -A neutron-openvswi-oba5cd56c-4 -p udp -m udp --sport 67 --dport 68 -m
> comment --comment "Prevent DHCP Spoofing by VM." -j DROP
> -A neutron-openvswi-oba5cd56c-4 -m state --state RELATED,ESTABLISHED -m
> comment --comment "Direct packets associated with a known session to the
> RETURN chain." -j RETURN
> -A neutron-openvswi-oba5cd56c-4 -j RETURN
> -A neutron-openvswi-oba5cd56c-4 -m state --state INVALID -m comment
> --comment "Drop packets that appear related to an existing connection (e.g.
> TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
> -A neutron-openvswi-oba5cd56c-4 -m comment --comment "Send unmatched
> traffic to the fallback chain." -j neutron-openvswi-sg-fallback
> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapba5cd56c-46
> --physdev-is-bridged -m comment --comment "Jump to the VM specific chain."
> -j neutron-openvswi-oba5cd56c-4
>
> Please help to give some advice about that.
> Thanks a lot!
>
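As an added illustration for this thread (not part of the mail and not Neutron's own code): a small evaluator that parses the ingress (i-) and egress (o-) chains quoted above, exactly as `iptables -S` prints them, and walks a synthetic packet through them. It shows which rule lets a DHCP offer through to 192.168.200.6 or to the broadcast address, that an offer addressed to any other IP only reaches the final jump to the fallback chain, that the VM's own DHCP discover is returned by the first egress rule, and that a remote-security-group rule (`-m set --match-set`) only fires when the ipset actually contains the peer address. The DHCP server address 192.168.200.2 and all other packet values are constructed; chains the thread does not quote (the s- chain and sg-fallback) stop the walk with a `jump:` verdict rather than being guessed at.

```python
"""Walk synthetic packets through the Neutron security-group chains quoted in this
thread. Added example, not Neutron code: LISTING is the mail's iptables -S output
re-joined to one line per rule; every packet value but 192.168.200.6 is constructed."""
import ipaddress
import shlex
from collections import namedtuple

INGRESS_CHAIN = "neutron-openvswi-iba5cd56c-4"  # rules applied to traffic towards the VM
EGRESS_CHAIN = "neutron-openvswi-oba5cd56c-4"   # rules applied to traffic from the VM
LISTING = r'''
-A neutron-openvswi-iba5cd56c-4 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-iba5cd56c-4 -d 192.168.200.6/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-iba5cd56c-4 -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-iba5cd56c-4 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-iba5cd56c-4 -p icmp -j RETURN
-A neutron-openvswi-iba5cd56c-4 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-iba5cd56c-4 -m set --match-set NIPv40cd3823f-af20-4015-b9f4- src -j RETURN
-A neutron-openvswi-iba5cd56c-4 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-iba5cd56c-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-oba5cd56c-4 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-oba5cd56c-4 -j neutron-openvswi-sba5cd56c-4
-A neutron-openvswi-oba5cd56c-4 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-oba5cd56c-4 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-oba5cd56c-4 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-oba5cd56c-4 -j RETURN
-A neutron-openvswi-oba5cd56c-4 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-oba5cd56c-4 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
'''
# state is the conntrack state the packet would carry: NEW, ESTABLISHED, RELATED or INVALID
Packet = namedtuple("Packet", "src dst proto sport dport state", defaults=("udp", 0, 0, "NEW"))

def _ports(spec):  # "67" -> (67, 67); "1:65535" -> (1, 65535)
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rules(listing):
    """Turn '-A <chain> ...' lines into dicts of the match fields modelled here."""
    rules = []
    for tok in (shlex.split(line) for line in listing.strip().splitlines()):
        rule, i = {"chain": tok[1]}, 2
        while i < len(tok):  # every option in this listing takes one argument
            opt, arg = tok[i], tok[i + 1]
            if opt in ("-s", "-d"):
                rule[opt] = ipaddress.ip_network(arg)
            elif opt in ("--sport", "--dport", "--dports"):  # multiport --dports -> dport
                rule[opt.rstrip("s").lstrip("-")] = _ports(arg)
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt == "--match-set":  # ipset name followed by the src/dst flag
                rule["ipset"], i = (arg, tok[i + 2]), i + 1
            elif opt in ("-p", "-j"):
                rule[{"-p": "proto", "-j": "target"}[opt]] = arg
            i += 2  # "-m <module>" and "--comment <text>" carry no match semantics
        rules.append(rule)
    return rules

def matches(rule, pkt, ipsets):
    ok = [
        "-s" not in rule or ipaddress.ip_address(pkt.src) in rule["-s"],
        "-d" not in rule or ipaddress.ip_address(pkt.dst) in rule["-d"],
        "proto" not in rule or rule["proto"] == pkt.proto,
        "sport" not in rule or rule["sport"][0] <= pkt.sport <= rule["sport"][1],
        "dport" not in rule or rule["dport"][0] <= pkt.dport <= rule["dport"][1],
        "state" not in rule or pkt.state in rule["state"],
    ]
    if "ipset" in rule:  # remote-group rule: only matches if the address is in the ipset
        name, side = rule["ipset"]
        ok.append((pkt.src if side == "src" else pkt.dst) in ipsets.get(name, ()))
    return all(ok)

def evaluate(rules, chain, pkt, ipsets=None):
    """Return (verdict, rule index); a jump to a chain absent from the listing ends
    the walk with the verdict 'jump:<chain>' instead of guessing its contents."""
    ipsets = ipsets or {}
    known = {r["chain"] for r in rules}
    for idx, rule in enumerate(r for r in rules if r["chain"] == chain):
        if not matches(rule, pkt, ipsets):
            continue
        target = rule.get("target")
        if target in ("RETURN", "DROP", "ACCEPT", "REJECT"):
            return target, idx
        if target in known:  # walk the sub-chain and resume here if it returns
            verdict, _ = evaluate(rules, target, pkt, ipsets)
            if verdict != "RETURN":
                return verdict, idx
        elif target is not None:
            return f"jump:{target}", idx
    return "RETURN", -1  # fell off the end of a user-defined chain

RULES = parse_rules(LISTING)
if __name__ == "__main__":
    server = "192.168.200.2"  # constructed DHCP server address
    for label, chain, pkt in [
        ("offer to the VM's fixed IP", INGRESS_CHAIN, Packet(server, "192.168.200.6", sport=67, dport=68)),
        ("offer to broadcast", INGRESS_CHAIN, Packet(server, "255.255.255.255", sport=67, dport=68)),
        ("offer to another IP", INGRESS_CHAIN, Packet(server, "192.168.200.7", sport=67, dport=68)),
        ("discover from the VM", EGRESS_CHAIN, Packet("0.0.0.0", "255.255.255.255", sport=68, dport=67)),
    ]:
        print(f"{label}: {evaluate(RULES, chain, pkt)}")
```

The evaluator only answers what the listed rules would do to a packet they are handed. Whether frames crossing the qbr bridge are handed to these physdev-based chains at all depends on the kernel's bridge netfilter configuration (the br_netfilter module and the bridge-nf-call-iptables sysctl), which `iptables -S` does not show, so a chain that looks correct here is necessary but not sufficient for the DHCP offer to appear on qvb.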