<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<STYLE type=text/css> <!--@import url(scrollbar.css); --></STYLE>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<STYLE> body{FONT-SIZE:12pt; FONT-FAMILY:宋体,serif;} </STYLE>
<META name=GENERATOR content="MSHTML 8.00.7601.18969"><BASE
target=_blank></HEAD>
<BODY
style="LINE-HEIGHT: 1.3; BORDER-RIGHT-WIDTH: 0px; MARGIN: 12px; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px"
marginheight="0" marginwidth="0">
<DIV><FONT color=#000000 size=3 face=宋体>Thank you. After some
work, I figured out that I misunderstood the openstack network configuration and
now everything is ok.</FONT></DIV>
<DIV> </DIV>
<DIV>Regards</DIV>
<DIV>hjh</DIV>
<DIV> </DIV>
<DIV align=left><FONT color=#c0c0c0 size=2 face=Verdana>2015-09-22</FONT></DIV>
<DIV align=left><FONT size=2 face=Verdana>
<HR style="WIDTH: 122px; HEIGHT: 2px" id=SignNameHR align=left SIZE=2>
</FONT></DIV>
<DIV align=left><FONT color=#c0c0c0 size=2 face=Verdana><SPAN
id=_FlashSignName>applyhhj</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Verdana>
<HR>
</FONT></DIV>
<DIV><FONT size=2 face=Verdana><STRONG>发件人:</STRONG>Salvatore Orlando
<salv.orlando@gmail.com></FONT></DIV>
<DIV><FONT size=2
face=Verdana><STRONG>发送时间:</STRONG>2015-09-21 21:06</FONT></DIV>
<DIV><FONT size=2 face=Verdana><STRONG>主题:</STRONG>Re: [Openstack-operators]
Please help!!!!Openvswitch attacked by ICMP!!!!!!!</FONT></DIV>
<DIV><FONT size=2 face=Verdana><STRONG>收件人:</STRONG>"Kris G.
Lindgren"<klindgren@godaddy.com></FONT></DIV>
<DIV><FONT size=2
face=Verdana><STRONG>抄送:</STRONG>"applyhhj"<applyhhj@163.com>,"openstack-operators"<openstack-operators@lists.openstack.org></FONT></DIV>
<DIV><FONT size=2 face=Verdana></FONT> </DIV>
<DIV><FONT size=2 face=Verdana>
<DIV dir=ltr>The comment from Kris is correct.
<DIV>In the official openstack guide I believe it is stated to remove any
address from the interface attached to br-ex (sudo ip addr del <addr> dev
<dev>), not to assign it 0.0.0.0</DIV>
<DIV><BR></DIV>
<DIV>If the guide says otherwise please open a bug against the relevant doc
project.</DIV>
<DIV><BR></DIV>
<DIV>Salvatore</DIV>
<DIV><BR></DIV>
<DIV><BR></DIV></DIV>
<DIV class=gmail_extra><BR>
<DIV class=gmail_quote>On 17 September 2015 at 16:08, Kris G. Lindgren <SPAN
dir=ltr><<A href="mailto:klindgren@godaddy.com"
target=_blank>klindgren@godaddy.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV
style="FONT-FAMILY: Calibri,sans-serif; WORD-WRAP: break-word; COLOR: rgb(0,0,0); FONT-SIZE: 14px">
<DIV>
<DIV>For us on boot, we configure the systems init scripts to bring up br-ext
and plug in the ethernet (or in our case bond) device into the external
bridge. You should look at your specific distro for guidence here.
Redhat based (RHEL/CentOS/Fedora) use: <A
href="http://blog.oddbit.com/2014/05/20/fedora-and-ovs-bridge-interfac"
target=_blank>http://blog.oddbit.com/2014/05/20/fedora-and-ovs-bridge-interfac</A>/
as a guide.</DIV>
<DIV><BR></DIV>
<DIV>We do not assign any ip address to the interface attached to the
bridge. If you assigned 0.0.0.0 netmask 0.0.0.0 you basically assigned
every ip address in ipv4 to your interface, so anything that arps on your
network for an ip address, you server is going to respond say "hey that’s
me".</DIV>
<DIV>
<DIV>
<DIV><FONT color=#000000><FONT face=Calibri><SPAN
style="FONT-SIZE: 14px">___________________________________________________________________</SPAN></FONT></FONT></DIV>
<DIV><FONT color=#000000><FONT face=Calibri><SPAN style="FONT-SIZE: 14px">Kris
Lindgren</SPAN></FONT></FONT></DIV>
<DIV><FONT color=#000000><FONT face=Calibri><SPAN
style="FONT-SIZE: 14px">Senior Linux Systems
Engineer</SPAN></FONT></FONT></DIV>
<DIV><FONT color=#000000><FONT face=Calibri><SPAN
style="FONT-SIZE: 14px">GoDaddy</SPAN></FONT></FONT></DIV></DIV></DIV></DIV>
<DIV><BR></DIV><SPAN>
<DIV
style="BORDER-BOTTOM: medium none; TEXT-ALIGN: left; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; FONT-FAMILY: Calibri; COLOR: black; FONT-SIZE: 12pt; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><SPAN
style="FONT-WEIGHT: bold">From: </SPAN>applyhhj<BR><SPAN
style="FONT-WEIGHT: bold">Date: </SPAN>Thursday, September 17, 2015 at 8:55
AM<BR><SPAN style="FONT-WEIGHT: bold">To: </SPAN>openstack-operators<BR><SPAN
style="FONT-WEIGHT: bold">Subject: </SPAN>[Openstack-operators] Please
help!!!!Openvswitch attacked by ICMP!!!!!!!<BR></DIV>
<DIV>
<DIV class=h5>
<DIV><BR></DIV>
<DIV>
<DIV
style="LINE-HEIGHT: 1.3; BORDER-RIGHT-WIDTH: 0px; MARGIN: 12px; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px"
marginheight="0" marginwidth="0">
<DIV><FONT size=2 face=Verdana><SPAN lang=EN-US><FONT color=#000000><FONT
face=Calibri><SPAN lang=EN-US><FONT
size=3>Hi,<U></U><U></U></FONT></SPAN></FONT></FONT></SPAN></FONT></DIV><FONT
size=2 face=Verdana><FONT color=#000000><FONT
face=Calibri></FONT></FONT></FONT>
<DIV><FONT size=2 face=Verdana><FONT color=#000000><FONT
face=Calibri></FONT></FONT>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>I followed The Guidance and
tried to configure openvswitch(OVS) service. I first created a bridge br-ex
and then added eth2 to the bridge. After that I set the IP of eth2 to 0.0.0.0
and then reboot the system. However br-ex was not up when system launched. So
I turned on br-ex manually and then restart the network, but br-ex could not
get ip from dhcp server. Thus I used “dhclient br-ex” to manually acquire IP.
Well till then everything worked fine, but in the evening the Network Node was
continuously attacked by ICMP package. Iptraf showed the following
messages:<U></U><U></U></FONT></FONT></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN
lang=EN-US><U></U><FONT color=#000000 size=3
face=Calibri></FONT><U></U></SPAN></I> </P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP time excd (56 bytes) from
4.69.143.125 to 166.111.61.xx on
eth2<SPAN>
</SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host comm
denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on
eth2<SPAN>
</SPAN><SPAN> </SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host comm
denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on
eth2<SPAN>
</SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host) (100
bytes) from 59.66.96.226 to 166.111.61.xx on
eth2<SPAN>
</SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP time excd (56 bytes) from
4.69.143.125 to 166.111.61.xx on
eth2<SPAN>
</SPAN><SPAN> </SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host comm
denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on
eth2<SPAN>
</SPAN><SPAN> </SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host comm
denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on
eth2<SPAN>
</SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host) (100
bytes) from 59.66.96.226 to 166.111.61.x on
eth2<SPAN>
</SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP time excd (56 bytes) from
4.69.143.125 to 166.111.61.63 on
eth2<SPAN>
</SPAN><SPAN> </SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host comm
denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on
eth2<SPAN>
</SPAN><SPAN> </SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host comm
denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on
eth2<SPAN>
</SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP dest unrch (host) (100
bytes) from 59.66.96.226 to 166.111.61.xx on
eth2<SPAN>
</SPAN><U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><I><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>x ICMP time excd (56 bytes) from
4.69.143.125 to 166.111.61.x on
eth2<U></U><U></U></FONT></FONT></FONT></SPAN></I></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><U></U><FONT
color=#000000 size=3 face=Calibri></FONT><U></U></SPAN> </P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT face=Calibri>My ip is none of the above ones.
The download speed in system monitor went up to 3m/s or even higher to 8m/s. I
tried to use iptables and ebtable to filter icmp packages and also set
icmp_echo_ignore_all to drop all icmp pacakges. But, unfortunately, nothing
works. As long as I deleted eth2 from br-ex or brought down br-ex, the network
went back normal.If you have any idea, please help me. I have been stuck here
for several days. Thank you very
much!!<U></U><U></U></FONT></FONT></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><U></U><FONT
color=#000000 size=3 face=Calibri></FONT><U></U></SPAN> </P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT
face=Calibri>Regards!<U></U><U></U></FONT></FONT></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
size=3><FONT color=#000000><FONT
face=Calibri>hjh<U></U><U></U></FONT></FONT></FONT></SPAN></P><U></U>
<DIV><FONT color=#000000 size=3 face=宋体></FONT> </DIV>
<DIV> </DIV>
<DIV align=left><FONT color=#c0c0c0 size=2
face=Verdana>2015-09-17</FONT></DIV><FONT size=2 face=Verdana>
<HR style="MIN-HEIGHT: 2px; WIDTH: 122px" align=left SIZE=2>
</FONT>
<DIV><FONT color=#c0c0c0 size=2
face=Verdana><SPAN>applyhhj</SPAN></FONT></DIV><U></U></FONT></DIV></DIV></DIV></DIV></DIV></SPAN></DIV><BR>_______________________________________________<BR>OpenStack-operators
mailing list<BR><A
href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</A><BR><A
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators"
rel=noreferrer
target=_blank>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</A><BR><BR></BLOCKQUOTE></DIV><BR></DIV></FONT></DIV></BODY></HTML>