[openstack-dev] Problem with nova add-fixed-ip or quantum port-update

Eugene Nikanorov enikanorov at mirantis.com
Sat Jul 27 18:43:35 UTC 2013


Hi John,

Can you take a look at https://bugs.launchpad.net/neutron/+bug/1190613 ?
Looks like the exact issue you're talking about and it was fixed just
recently.

Thanks,
Eugene.


On Sat, Jul 27, 2013 at 10:22 PM, John Gruber <john.t.gruber at gmail.com> wrote:

>
> So I got it to work, but I need guidance from the OVS iptables gang on what
> the reasoning was and how I fix it in a 'compliant' manner.
>
> Q.  Why are the iptables rules on the OVS output chains for the interfaces
> written as if the vif should only have ONE IP address assigned where quantum
> can assign multiple fixedips?
>
> For the example where IP address 10.0.60.20 was assigned to my guest VM on
> an external interface and assigned at boot, and then I added 10.0.60.22 via
> nova --add-fixed-ip vm-uuid net-uuid...
>
> Here is what I had in my iptables rules after adding the second fixedip:
>
> iptables -L quantum-openvswi-o8a508818-0 --line-numbers
> Chain quantum-openvswi-o8a508818-0 (2 references)
> num  target     prot opt source               destination
> 1    DROP       all  --  anywhere             anywhere             MAC ! FA:16:3E:41:6B:15
> 2    RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
> *3    DROP       all  -- !10.0.62.20           anywhere
> 4    DROP       all  -- !10.0.62.22           anywhere
> *5    DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
> 6    DROP       all  --  anywhere             anywhere             state INVALID
> 7    RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> 8    RETURN     all  --  anywhere             anywhere
> 9    quantum-openvswi-sg-fallback  all  --  anywhere             anywhere
>
>
> This obviously will not work.  The rules shadow each other and cut off all
> outbound access from the guest VM on that network.  Which is exactly what I
> was observing..
>
> Running: iptables -D quantum-openvswi-o8a508818-0 4
>
> And my access to 10.0.62.20 came back...
>
> Running iptables -D quantum-openvswi-o8a508818-0 3
>
> And my access to 10.0.62.22 started working...
>
>
> Please tell me we did not intend to create a cloud where quantum has no
> problems assigning multiple fixed IPs to a port, but iptables will eat them
> all up! <g> Oh the humanity...
>
> I know how to make it work and can hunt down the iptables root wrapper
> command, but what should we do for this? I could not find an existing bug..
>
> John
>
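
Added example (not part of the thread and not Neutron/Quantum code): a small first-match model of the two source-address rules in the quoted chain, showing why each fixed IP is dropped by the rule written for the other one and what changes when rule 4 is deleted. The function names are hypothetical and the listing is a constructed sample copied from the quoted output with wrapped lines rejoined; only rules that match on source address alone are modelled.

```python
import ipaddress

# Constructed sample: rules 1-5 of the chain quoted in the thread,
# with the mail client's wrapped lines rejoined.
LISTING = """\
1    DROP       all  --  anywhere             anywhere             MAC ! FA:16:3E:41:6B:15
2    RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
3    DROP       all  -- !10.0.62.20           anywhere
4    DROP       all  -- !10.0.62.22           anywhere
5    DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
"""

def parse_source_rules(listing):
    """Return (num, target, negated, network) for rules matching on source only."""
    rules = []
    for line in listing.splitlines():
        tok = line.split()
        # Keep numbered rules with exactly six columns and a real source address;
        # rules with extra matches (MAC, udp ports, state) are out of scope here.
        if len(tok) != 6 or not tok[0].isdigit() or tok[4] == "anywhere":
            continue
        negated = tok[4].startswith("!")
        net = ipaddress.ip_network(tok[4].lstrip("!"))
        rules.append((int(tok[0]), tok[1], negated, net))
    return rules

def verdict(rules, src):
    """First-match evaluation: (target, rule number), or (None, None) on fall-through."""
    addr = ipaddress.ip_address(src)
    for num, target, negated, net in rules:
        if (addr in net) != negated:  # '!' inverts the source match
            return target, num
    return None, None

def shadowed(rules):
    """Map each address named in a '!addr DROP' rule to the rule that drops it."""
    named = [str(net.network_address) for _, t, neg, net in rules if neg and t == "DROP"]
    hits = {a: verdict(rules, a) for a in named}
    return {a: num for a, (target, num) in hits.items() if target == "DROP"}

if __name__ == "__main__":
    rules = parse_source_rules(LISTING)
    print("dropped although assigned to the port:", shadowed(rules))
    without_4 = [r for r in rules if r[0] != 4]  # models 'iptables -D <chain> 4'
    for ip in ("10.0.62.20", "10.0.62.22"):
        print(ip, "after deleting rule 4 ->", verdict(without_4, ip))
```

A non-empty result from `shadowed()` means the chain contains more than one negated-source DROP rule, so no single source address can pass all of them.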