<div dir="ltr">I'm using the DVR network scenario described in <a href="http://docs.openstack.org/liberty/networking-guide/scenario-dvr-ovs.html">http://docs.openstack.org/liberty/networking-guide/scenario-dvr-ovs.html</a>. My installation was based on the Ubuntu Install guide.<br><br>
I've an external network, flat, with public IPs.<br>
I've a project with a tenant network and subnet, one virtual router that connects this subnet to the external net.<br><br>
I've launched one VM connected to the tenant network (172.16.0.0/24). The IP addresses are (ports on this subnet):<br><br>
172.16.0.1 - network:router_interface_distributed<br>
172.16.0.2 - network:dhcp<br>
172.16.0.5 - compute:nova &lt;- this is the VM<br><br>
Then I associated a Floating IP of the external network to this VM, let's say A.B.C.D (a public IP address).<br><br>
From an external network host I'm trying to ping A.B.C.D. It doesn't work. So, I follow the packet path inside the virtual interfaces and bridges, as shown in the attached image.<br><br>
In iptables on the compute host where this VM is running we can see (summarized):<br><br>
FORWARD -> neutron-openvswi-FORWARD -> neutron-openvswi-sg-chain -> neutron-openvswi-i7a7a669c-3 -> neutron-openvswi-sg-fallback -> DROP<br><br>
iptables -L -Z -n -v<br><br>
iptables -L -n -v<br><br>
Chain <b>FORWARD</b> (policy ACCEPT 0 packets, 0 bytes)<br>
 pkts bytes target prot opt in out source destination<br>
 24 2016 neutron-openvswi-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0<br><br>
Chain <b>neutron-openvswi-FORWARD</b> (1 references)<br>
 pkts bytes target prot opt in out source destination<br>
 24 2016 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap7a7a669c-3f --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */<br>
 0 0 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7a7a669c-3f --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */<br><br>
Chain <b>neutron-openvswi-sg-chain</b> (2 references)<br>
 pkts bytes target prot opt in out source destination<br>
 24 2016 neutron-openvswi-i7a7a669c-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap7a7a669c-3f --physdev-is-bridged /* Jump to the VM specific chain. */<br>
 0 0 neutron-openvswi-o7a7a669c-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7a7a669c-3f --physdev-is-bridged /* Jump to the VM specific chain. */<br>
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0<br><br>
Chain <b>neutron-openvswi-i7a7a669c-3</b> (1 references)<br>
 pkts bytes target prot opt in out source destination<br>
 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */<br>
 0 0 RETURN udp -- * * 172.16.0.2 0.0.0.0/0 udp spt:67 udp dpt:68<br>
 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NIPv43c228055-2735-4339-b9a8- src<br>
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */<br>
 24 2016 <span style="color:rgb(255,0,0)"><b>neutron-openvswi-sg-fallback</b></span> all -- * * 0.0.0.0/0 0.0.0.0/0 /* Send unmatched traffic to the fallback chain. */<br><br>
Chain <b><span style="color:rgb(255,0,0)">neutron-openvswi-sg-fallback</span></b> (2 references)<br>
 pkts bytes target prot opt in out source destination<br>
 24 2016 <b><span style="color:rgb(255,0,0)">DROP</span></b> all -- * * 0.0.0.0/0 0.0.0.0/0 /* Default drop rule for unmatched traffic. */<br><br>
I think that in neutron-openvswi-i7a7a669c-3 there should be some RETURN rule using the 172.16.0.5 IP address.<br><br>
Any ideas? Is this really a problem (bug?) or am I doing something wrong?<br><br>
Thanks for any help!<br><br clear="all"><div><div class="gmail_signature"><div dir="ltr">- JLC</div></div></div>
</div>
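<p>The manual counter trace in the message above can be automated. The following is an added example, not part of the original post or of Neutron: it parses <code>iptables -L -n -v</code> output, follows the rules whose packet counters are non-zero from FORWARD to the terminal target, and lists the rules in the per-port chain that were tried and did not match. The function names are hypothetical, and it assumes counters were zeroed first (<code>iptables -L -Z -n -v</code>) and that only the test traffic is flowing.</p>

```python
import re

# Constructed sample: chains and counters taken from the post's listing, with
# column headers, rule comments and some zero-hit rules trimmed.
LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   24  2016 neutron-openvswi-FORWARD  all  --  *  *  0.0.0.0/0  0.0.0.0/0
Chain neutron-openvswi-FORWARD (1 references)
   24  2016 neutron-openvswi-sg-chain  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out tap7a7a669c-3f --physdev-is-bridged
Chain neutron-openvswi-sg-chain (2 references)
   24  2016 neutron-openvswi-i7a7a669c-3  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out tap7a7a669c-3f --physdev-is-bridged
Chain neutron-openvswi-i7a7a669c-3 (1 references)
    0     0 RETURN  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 RETURN  udp  --  *  *  172.16.0.2  0.0.0.0/0  udp spt:67 udp dpt:68
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
   24  2016 neutron-openvswi-sg-fallback  all  --  *  *  0.0.0.0/0  0.0.0.0/0
Chain neutron-openvswi-sg-fallback (2 references)
   24  2016 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0
"""

def parse(listing):
    """Map chain name -> list of (pkts, target, match_text) per rule."""
    chains, current = {}, None
    for line in listing.splitlines():
        head, fields = re.match(r"Chain (\S+) \(", line), line.split()
        if head:
            current = chains.setdefault(head.group(1), [])
        elif current is not None and len(fields) > 2 and fields[0][0].isdigit():
            # Counter stays text: iptables may abbreviate it (e.g. 12K) and
            # the trace only needs to know whether it is non-zero.
            current.append((fields[0], fields[2], " ".join(fields[3:])))
    return chains

def trace(listing, start="FORWARD"):
    """Follow the first rule that counted packets in each chain to the end."""
    chains, path = parse(listing), [start]
    while path[-1] in chains:
        hit = next((r for r in chains[path[-1]] if r[0] != "0"), None)
        if hit is None:
            break
        path.append(hit[1])
    return path

def unmatched(listing, chain):
    """Rules in `chain` that counted no packets (tried, did not match)."""
    return [f"{t} {m}" for p, t, m in parse(listing)[chain] if p == "0"]

if __name__ == "__main__":
    print(" -> ".join(trace(LISTING)))
    print("\n".join(unmatched(LISTING, "neutron-openvswi-i7a7a669c-3")))
```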