[Openstack] LinuxBridge dropping packets between the bridge and the tap.
Martinx - ジェームズ
thiagocmartinsc at gmail.com
Wed Jul 8 05:47:31 UTC 2015
Hello Remo,
Yes, I checked it. No ebtables or iptables rules here (no security groups,
no firewalls)... I have "ACCEPT" for everything.
Also, I disabled "rp_filter" and all files under "/proc/sys/net/bridge"
subdir have "0".
I did not find the root of this problem... I'm about to gave up on
LinuxBridges (shot in the dark)...
- The packets arrives at the "brq44b54ac7-c4" bridge but not at the
"tap0b5eb746-ed" tap.
Instance #2 have (doesn't work):
----
<interface type='bridge'>
<mac address='fa:16:3e:d8:81:b6'/>
<source bridge='brq44b54ac7-c4'/>
<target dev='tap0b5eb746-ed'/>
....
</interface>
----
- The packets arrives at the "brqfac384d5-cd" bridge AND at the
"tap47417a6d-3b" tap.
Instance #1 have (works as expected):
----
<interface type='bridge'>
<mac address='fa:16:3e:5f:9b:8d'/>
<source bridge='brqfac384d5-cd'/>
<target dev='tap47417a6d-3b'/>
....
</interface>
----
The only difference between "Instance #1" and "Instance #2", is the VLAN
tag, nothing less, nothing more. I don't know why it works for #1, but not
for #2.
Also, I'm using a Heat template to start those environments, and of
course, the only difference is the VLAN tag inside of each Heat template.
So, I'm sure that both "stacks" have the very same setup.
BTW, the "brctl showmacs" have the Instance's MAC listed there as expected.
Thank you for your reply!
Best,
Thiago
On 8 July 2015 at 00:56, Remo Mattei <remo at italy1.com> wrote:
> did you check your br iptables?
> (they are called etables) here is a link it may help you.
>
> http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html
>
> Remo
>
> Martinx - ジェームズ <thiagocmartinsc at gmail.com>
> July 7, 2015 at 19:30
> I don't know if it will help but, tcpdump shows:
>
> NOTE: I re-created the "stack", so, the IDs have changed but, the problem
> remains...
>
> For "brq44b54ac7-c4":
>
> ---
> time tcpdump -c 100 -eni brq44b54ac7-c4
>
> ...... NORMAL TRAFFIC (I guess)....
> ......
> 02:12:38.415680 1c:df:0f:ef:bd:1b > 1c:df:0f:ef:b9:1b, ethertype IPv4
> (0x0800), length 363: 192.168.4.66.62521 > 192.168.13.16.18457: Flags [P.],
> seq 439562052:439562361, ack 3427842886, win 22919, length 309
> 02:12:38.417826 1c:df:0f:ef:b9:1b > 1c:df:0f:ef:bd:1b, ethertype IPv4
> (0x0800), length 235: 192.168.13.16.18457 > 192.168.4.101.63781: Flags
> [P.], seq 54:235, ack 1727, win 513, length 181
> ......
>
> real 0m0.874s
> user 0m0.004s
> sys 0m0.000s
> ---
>
> For its "tap0b5eb746-ed":
>
> ---
> ....
> 02:14:06.915717 1c:df:0f:ef:b9:1b > 01:00:5e:00:00:05, ethertype IPv4
> (0x0800), length 134: 192.168.25.2 > 224.0.0.5: OSPFv2, Hello, length 84
> 02:14:08.505713 f4:ac:c1:ba:7b:83 > 01:00:0c:cc:cc:cd, 802.3, length 64:
> LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui
> Cisco (0x00000c), pid PVST (0x010b): STP 802.1w, Rapid STP, Flags [Learn,
> Forward], bridge-id 6a4d.f4:ac:c1:ba:7b:80.8003, length 42
> ...
>
> real 2m20.069s
> user 0m0.004s
> sys 0m0.016s
> ---
>
> "brctl show" returns:
>
> ---
> ...
> brq44b54ac7-c4 8000.ecf4bbd0417b no eth2.101
> tap0b5eb746-ed
> ...
> ---
>
>
> The first tcpdump takes about 1 second, the second, more than 2 minutes!
> And the lines are very different...
>
> I'm stucked... Since the "Instance #1" works, and its "duplicated
> configuration - Instance #2", doesn't... I'm only changing the vlan id!
> :-/
>
> Switch configurations are okay, since I can see the packets arriving @
> eth2 normally.
>
> Maybe it is time to go back to OVS instead of Linux Bridges... :-(
>
> Thanks,
> Thiago
>
>
> !DSPAM:1,559c8f3943821478921271!
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> !DSPAM:1,559c8f3943821478921271!
> Martinx - ジェームズ <thiagocmartinsc at gmail.com>
> July 7, 2015 at 17:37
> On 7 July 2015 at 21:00, Martinx - ジェームズ <thiagocmartinsc at gmail.com>
> wrote:
>
> Also, I'm not using any kind of Security Groups or Firewall, my
> "ml2_conf.ini" looks likes this:
>
> ---
> .......
> [ml2_type_flat]
> flat_networks = external
>
> [ml2_type_vlan]
> network_vlan_ranges = physvlan2
>
> [securitygroup]
> enable_security_group = False
> enable_ipset = False
> firewall_driver = neutron.agent.firewall.NoopFirewallDriver
>
> [agent]
> tunnel_types = vxlan
>
> [vxlan]
> enable_vxlan = True
> local_ip = 10.0.1.31
> l2_population = True
>
> [l2pop]
> agent_boot_time = 180
>
> [linux_bridge]
> physical_interface_mappings = external:eth1,vxlan:dummy0,physvlan2:eth2
> ---
>
> Nova also doesn't make use of any firewall driver. So, the iptables rules
> here are just the bare minimal.
>
> My eth0 is the first network interface, it is the default gateway of the
> host itself (Horizon, APIs, etc, runs on top of eth0).
>
> The vxlan on top of a dummy0 interface works fine for this "all-in-one"
> deployment.
>
> The Instances attached to the "physvlan2:100:101" have two interfaces,
> vritual eth0 is vxlan, virtual eth1 is attached to physvlan2 (100 or 101),
> they can ping the Internet without problems.
>
> Thanks,
> Thiago
> !DSPAM:1,559c73b7319121044113558!
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> !DSPAM:1,559c73b7319121044113558!
> Martinx - ジェームズ <thiagocmartinsc at gmail.com>
> July 7, 2015 at 17:00
>
> BTW, the symptoms are weird... After a reboot (and starting the Intance #2
> with bigger txqueue from the beginning), I'm not seeing the packets being
> dropped @ the tap interface but, they to not arrive anyway...
>
> I would love to know what can cause the packets arriving the "brqXXX-yy"
> interface but not its "tapXXX-YY"... Very weird...
>
> Thanks in advance!
> !DSPAM:1,559c69fe301462031411247!
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> !DSPAM:1,559c69fe301462031411247!
> Martinx - ジェームズ <thiagocmartinsc at gmail.com>
> July 7, 2015 at 16:51
> Guys,
>
> I have an "all-in-one" OpenStack Juno setup, with LinuxBridges, where I'm
> planning to use it with two tagged networks.
>
> Like this:
>
> For "Instance #1", "brctl show" returns:
>
> ----
> root at openstack-1:~# brctl show
> bridge name bridge id STP enabled interfaces
>
> brqfac384d5-cd 8000.ecf4bbd0417a no eth2.100
>
> tap47417a6d-3b
> ----
>
> For "Instance #2", "brctl show" returns:
>
> ----
> bridge name bridge id STP enabled interfaces
>
> brq50721b16-1c 8000.ecf4bbd0417a no eth2.101
>
> tap15f2960f-54
> ----
>
> "Instance #1" works as expected, I can see the the packets arriving inside
> the Instance attached to the TAP "tap15f2960f-54".
>
> Also, I can run "tcpdump -c 100 -eni tap15f2960f-54" or "tcpdump -c 100
> -eni brq50721b16-1c" to see the packets.
>
> BUT, my second "Instance #2" doesn't receive the packets!!
>
>
> # "Wire"
>
> If I run "tcpdump -c 100 -eni eth2", I can see both "vlan 100" and "vlan
> 101" packets arriving.
>
> # vlan 100 - okay
> If I run "tcpdump -c 100 -eni brqfac384d5-cd", as I said before, I can see
> the packets.
>
> If I run "tcpdump -c 100 -eni tap47417a6d-3b", as I said before, I can see
> the packets.
>
> # vlan 101 - not okay
> If I run "tcpdump -c 100 -eni brq50721b16-1c", I can see the packets.
>
> If I run "tcpdump -c 100 -eni tap15f2960f-54", BOOM! I am unable to see
> the packets!!
>
> --
>
>
> Why the packets are being dropped between "brq50721b16-1c" and
> "tap15f2960f-54" ???
>
> "ifconfig tap15f2960f-54" shows packets being dropped.
>
> "ifconfig tap47417a6d-3b" shows 0 packets being dropped.
>
>
> I already double checked everything!! Also, I tried to raise txqueue,
> checked ebtabled, iptables... I have no clue about whats going on here...
>
> I really appreciate any help!
>
> Thanks!
> Thiago
> !DSPAM:1,559c69f7301311341913631!
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> !DSPAM:1,559c69f7301311341913631!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150708/bb7d51f5/attachment.html>
More information about the Openstack
mailing list