[Openstack] Vlans connect when using nova-compute

Lei Zhang zhang.lei.fly at gmail.com
Wed Apr 16 14:34:05 UTC 2014


Hi,

I am using nova-network + VlanNetworkManage in Havana (2013.2.2). But I meet the following issue.

Different tenants can ping each other using fixed IPs. I also found a bug-fix commit[1] about this. But it seems not to work very well. It adds the following rules to iptables (bond1 is the public_interface):

    -A nova-network-FORWARD -i br1000 -o br1000 -j ACCEPT
    -A nova-network-FORWARD -i br1000 -o bond1 -j ACCEPT
    -A nova-network-FORWARD -i br1000 -j DROP
    -A nova-network-FORWARD -o br1000 -j DROP
    -A nova-network-FORWARD -i br1001 -o br1001 -j ACCEPT
    -A nova-network-FORWARD -i br1001 -o bond1 -j ACCEPT
    -A nova-network-FORWARD -i br1001 -j DROP
    -A nova-network-FORWARD -o br1001 -j DROP

It means drop the packets from br1000 (tenant A) to br1001 (tenant B). But I still catch the packets from br1000 to br1001 when using the ping command.

    $ tcpdump -i br1000 -l -ne icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on br1000, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:30:46.541275 fa:16:3e:ef:45:75 > fa:16:3e:be:bf:f6, ethertype IPv4 (0x0800), length 98: 10.192.1.13 > 10.192.2.18: ICMP echo request, id 2690, seq 501, length 64
    22:30:46.541599 fa:16:3e:be:bf:f6 > fa:16:3e:ef:45:75, ethertype IPv4 (0x0800), length 98: 10.192.2.18 > 10.192.1.13: ICMP echo reply, id 2690, seq 501, length 64


    $ tcpdump -i br1001 -l -ne icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on br1001, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:31:11.540675 fa:16:3e:b8:92:e6 > fa:16:3e:96:d9:18, ethertype IPv4 (0x0800), length 98: 10.192.1.13 > 10.192.2.18: ICMP echo request, id 2690, seq 526, length 64
    22:31:11.540937 fa:16:3e:96:d9:18 > fa:16:3e:b8:92:e6, ethertype IPv4 (0x0800), length 98: 10.192.2.18 > 10.192.1.13: ICMP echo reply, id 2690, seq 526, length 64


Can anybody explain this and tell me how to fix it?


[1] https://review.openstack.org/#/c/20362/

-- 
Lei Zhang
Blog: http://xcodest.me
twitter/weibo: @jeffrey4l
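
An added example (not part of the original message, and not nova's own code): a small first-match evaluator for the `nova-network-FORWARD` rules quoted above, showing which rule a forwarded packet would hit for a given input/output interface pair. It assumes rules that use only `-i`, `-o` and `-j`, as in the quoted listing, and exact interface-name matching; the function names are hypothetical.

```python
import shlex

# The rules as quoted in the message above (bond1 is the public_interface).
RULES = """\
-A nova-network-FORWARD -i br1000 -o br1000 -j ACCEPT
-A nova-network-FORWARD -i br1000 -o bond1 -j ACCEPT
-A nova-network-FORWARD -i br1000 -j DROP
-A nova-network-FORWARD -o br1000 -j DROP
-A nova-network-FORWARD -i br1001 -o br1001 -j ACCEPT
-A nova-network-FORWARD -i br1001 -o bond1 -j ACCEPT
-A nova-network-FORWARD -i br1001 -j DROP
-A nova-network-FORWARD -o br1001 -j DROP
"""


def parse_rules(text, chain="nova-network-FORWARD"):
    """Return a list of (in_if, out_if, target) for the -A lines of one chain.

    Assumption: every option takes exactly one argument (-i, -o, -j only).
    """
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        rules.append((opts.get("-i"), opts.get("-o"), opts["-j"]))
    return rules


def verdict(rules, in_if, out_if):
    """iptables evaluates a chain top-down and stops at the first match.

    Returns (rule_number, target), or (None, None) if no rule matches and
    the packet falls through to whatever follows this chain.
    """
    for number, (i, o, target) in enumerate(rules, 1):
        # A rule without -i (or -o) matches any input (or output) interface.
        if i in (None, in_if) and o in (None, out_if):
            return number, target
    return None, None


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for pair in [("br1000", "br1001"), ("br1001", "br1000"),
                 ("br1000", "bond1"), ("br1000", "br1000")]:
        print(pair, "->", verdict(rules, *pair))
```

A DROP verdict here only describes packets that actually traverse this chain on this host; the per-rule packet counters from `iptables -L nova-network-FORWARD -v -n` show whether they do.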