[Openstack-operators] Please help!!!!Openvswitch attacked by ICMP!!!!!!!

Salvatore Orlando salv.orlando at gmail.com
Mon Sep 21 13:06:50 UTC 2015


The comment from Kris is correct.
In the official OpenStack guide I believe it is stated to remove any
address from the interface attached to br-ex (sudo ip addr del <addr> dev
<dev>), not to assign it 0.0.0.0.

If the guide says otherwise please open a bug against the relevant doc
project.

Salvatore



On 17 September 2015 at 16:08, Kris G. Lindgren <klindgren at godaddy.com>
wrote:

> For us on boot, we configure the system's init scripts to bring up br-ext
> and plug in the ethernet (or in our case bond) device into the external
> bridge.  You should look at your specific distro for guidance here.  Red Hat
> based (RHEL/CentOS/Fedora) use:
> http://blog.oddbit.com/2014/05/20/fedora-and-ovs-bridge-interfac/ as a
> guide.
>
> We do not assign any IP address to the interface attached to the bridge.
> If you assigned 0.0.0.0 netmask 0.0.0.0 you basically assigned every IP
> address in IPv4 to your interface, so anything that ARPs on your network
> for an IP address, your server is going to respond saying "hey that's me".
> ___________________________________________________________________
> Kris Lindgren
> Senior Linux Systems Engineer
> GoDaddy
>
> From: applyhhj
> Date: Thursday, September 17, 2015 at 8:55 AM
> To: openstack-operators
> Subject: [Openstack-operators] Please help!!!!Openvswitch attacked by
> ICMP!!!!!!!
>
> Hi,
>
> I followed The Guidance and tried to configure the openvswitch (OVS) service. I
> first created a bridge br-ex and then added eth2 to the bridge. After that
> I set the IP of eth2 to 0.0.0.0 and then rebooted the system. However br-ex
> was not up when the system launched. So I turned on br-ex manually and then
> restarted the network, but br-ex could not get an IP from the DHCP server. Thus I
> used "dhclient br-ex" to manually acquire an IP. Well till then everything
> worked fine, but in the evening the Network Node was continuously attacked
> by ICMP package. Iptraf showed the following messages:
>
>
>
> x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.xx on eth2
> x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2
> x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2
> x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.xx on eth2
> x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.xx on eth2
> x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2
> x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2
> x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.x on eth2
> x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.63 on eth2
> x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2
> x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2
> x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.xx on eth2
> x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.x on eth2
>
>
>
> My IP is none of the above ones. The download speed in system monitor went
> up to 3m/s or even higher to 8m/s. I tried to use iptables and ebtables to
> filter ICMP packages and also set icmp_echo_ignore_all to drop all ICMP
> packages. But, unfortunately, nothing works. As long as I deleted eth2 from
> br-ex or brought down br-ex, the network went back to normal. If you have any
> idea, please help me. I have been stuck here for several days. Thank you
> very much!!
>
>
>
> Regards!
>
> hjh
>
>
> 2015-09-17
> ------------------------------
> applyhhj
>
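Added example, not part of the thread or of any OpenStack guide: a shell check for the condition discussed above, an IPv4 address left on an interface plugged into br-ex. The function name `audit_bridge_ports`, the severity labels and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# audit_bridge_ports PORT...   (hypothetical helper, not an OVS or OpenStack tool)
# Reads `ip -o -4 addr show` output on stdin and reports every IPv4 address
# found on the named ports, i.e. the interfaces plugged into the external
# bridge. Returns 1 if any address was found, 0 if the ports are clean.
audit_bridge_ports() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # One-line format: "<idx>: <dev> inet <addr>/<prefix> ..."
        $3 == "inet" && ($2 in want) {
            split($4, a, "/")
            # Prefix length 0 is the "netmask 0.0.0.0" case from the thread.
            sev = (a[2] == "0") ? "WILDCARD" : "ADDRESS"
            printf "%s %s %s\n", sev, $2, $4
            # Removal command in the form quoted in the reply above.
            printf "  fix: sudo ip addr del %s dev %s\n", $4, $2
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample in the format of `ip -o -4 addr show` (not from the thread;
# addresses are documentation ranges).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth2    inet 198.51.100.7/0 scope global eth2
4: br-ex    inet 198.51.100.7/24 brd 198.51.100.255 scope global br-ex'

# Demo on the sample. On a live host the inputs would come from:
#   ip -o -4 addr show | audit_bridge_ports $(ovs-vsctl list-ports br-ex)
printf '%s\n' "$SAMPLE_IP_OUTPUT" | audit_bridge_ports eth2 || true
```

A clean result means no port of the bridge carries an IPv4 address; the bridge itself (br-ex in the sample) is not a port and is not flagged.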