[Openstack] [neutron] Openstack in openstack the dummy way = troubles (inception teaches)

Antonio Messina antonio.s.messina at gmail.com
Tue May 5 16:19:57 UTC 2015


I reckon this topic is of no interest to the mailing list. I have,
however, found the solution, and I would like to share it with the
rest of the list.

In my case I had two separate issues. One was a missing security rule:

    (cloud)(cred:tutorial)antonio at kenny:~$ neutron security-group-rule-create --direction ingress --protocol 47 default
    Created a new security_group_rule:
    +-------------------+--------------------------------------+
    | Field             | Value                                |
    +-------------------+--------------------------------------+
    | direction         | ingress                              |
    | ethertype         | IPv4                                 |
    | id                | b5c74385-baab-4321-a4f5-79750f9e9bb3 |
    | port_range_max    |                                      |
    | port_range_min    |                                      |
    | protocol          | 47                                   |
    | remote_group_id   |                                      |
    | remote_ip_prefix  |                                      |
    | security_group_id | db519fbb-956c-4e4c-bcb6-95ae04c49b0a |
    | tenant_id         | 3b8231f6ab974adbbcd838042bbf63bd     |
    +-------------------+--------------------------------------+

    (cloud)(cred:tutorial)antonio at kenny:~$ neutron security-group-rule-list
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | 1a667321-4898-4aad-ae62-24cccddba2ae | default        | ingress   | tcp      | 0.0.0.0/0        |              |
    | 1fbc5e11-0dfe-46f1-8183-826912a100b1 | default        | ingress   | udp      | 0.0.0.0/0        |              |
    | 21c8eba7-9469-4a8b-af78-f691f0adab56 | default        | ingress   |          |                  | default      |
    | 9b7792d1-1e91-43e9-a45d-dbe1541d278b | default        | ingress   | tcp      | 0.0.0.0/0        |              |
    | b0f3e4e9-5cc8-484c-a190-e2e421698ca8 | default        | egress    |          |                  |              |
    | b5c74385-baab-4321-a4f5-79750f9e9bb3 | default        | ingress   | 47       |                  |              |
    | d7601656-2849-4d69-a4a8-6d8dc1380808 | default        | ingress   |          |                  | default      |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+

`47` is the IP protocol number for GRE[1].

The second issue is probably specific to iptables and/or Ubuntu (I am
running Ubuntu Trusty with kernel 3.16.0-34-generic). For some
reason, even though the iptables rule was added:

    Chain neutron-openvswi-ie4c61512-8 (1 references)
    num  target     prot opt source               destination
    1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
    2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3    RETURN     udp  --  172.23.3.0           0.0.0.0/0            udp spt:67 dpt:68
    4    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65000
    5    RETURN     udp  --  0.0.0.0/0            0.0.0.0/0            udp multiport dports 1:65000
    6    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    7    RETURN     47   --  0.0.0.0/0            0.0.0.0/0
    8    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set IPv4db519fbb-956c-4e4c-b src
    9    neutron-openvswi-sg-fallback  all  --  0.0.0.0/0            0.0.0.0/0

GRE packets were still dropped by the first rule: "-m state --state
INVALID". The reason is that module `nf_conntrack_proto_gre` was
**not** loaded, and apparently with recent kernels[2][3] a packet is
marked as "INVALID" if the corresponding module is not loaded.

Loading the module and setting the proper security group rule was
enough for me to allow GRE traffic to work.

Cheers,
Antonio

[1]: http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
[2]: http://www.spinics.net/lists/netfilter/msg55920.html
[3]: although [2] is talking about different behavior between 3.17 and
     3.18, I see with my 3.16 kernel the same behavior described for
     3.18. I haven't investigated further though, and probably won't.

-- 
antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
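The post above describes two separate reasons GRE stops at a Neutron per-port ingress chain: no security-group rule admitting IP protocol 47 at all, or a rule that is present but unreachable because the chain's leading `state INVALID` DROP discards GRE packets when `nf_conntrack_proto_gre` is not loaded. The following script is an added example, not code from the post or from Neutron; it checks both conditions from text you already have on a compute node. It assumes the non-verbose `iptables -L -n --line-numbers` format quoted in the post, takes module state from `/proc/modules`, and treats chains whose name starts with the prefix `neutron-openvswi-i` (taken from the chain name in the post; the Linux bridge driver uses a different prefix) as per-port ingress chains. Both input texts embedded below are constructed to mirror the post's listing.

```python
"""Find Neutron ingress chains that cannot pass GRE: either no rule admits
protocol 47, or the rule is shadowed by a 'state INVALID' DROP on a host
where nf_conntrack_proto_gre is not loaded (the two failure modes described
in the post). Added example; not code from the post or from Neutron."""
import re

GRE_PROTO = "47"
GRE_CT_MODULE = "nf_conntrack_proto_gre"
INGRESS_CHAIN_PREFIX = "neutron-openvswi-i"   # assumption, from the chain name in the post


def parse_iptables_chains(listing):
    """Parse non-verbose `iptables -L -n --line-numbers` text into
    {chain_name: [rule, ...]}; each rule carries the six fixed columns plus
    'extra' (the match text after the destination column, may be empty)."""
    chains, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"Chain (\S+)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("num "):
            continue                          # column-header line
        parts = line.split(None, 6)           # at most 7 fields; 'extra' keeps its spaces
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        rule = dict(zip(("num", "target", "prot", "opt", "source", "destination"), parts[:6]))
        rule["extra"] = parts[6] if len(parts) == 7 else ""
        chains[current].append(rule)
    return chains


def loaded_modules(proc_modules_text):
    """First whitespace-separated field of each /proc/modules line is the module name."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def gre_rule_number(rules):
    """Line number of the first RETURN rule matching protocol 47, or None if absent."""
    for r in rules:
        if r["target"] == "RETURN" and r["prot"] == GRE_PROTO:
            return int(r["num"])
    return None


def invalid_drop_before(rules, stop_num):
    """True if a DROP on conntrack state INVALID precedes rule number stop_num."""
    for r in rules:
        if int(r["num"]) >= stop_num:
            return False
        if r["target"] == "DROP" and re.search(r"\b(ct)?state\s+INVALID", r["extra"]):
            return True
    return False


def diagnose(listing, proc_modules_text, chain_prefix=INGRESS_CHAIN_PREFIX):
    """Return [(chain, finding)] for every per-port ingress chain that cannot
    pass GRE; finding is 'no-gre-rule' or 'conntrack-module-missing'."""
    findings = []
    mods = loaded_modules(proc_modules_text)
    for chain, rules in parse_iptables_chains(listing).items():
        if not chain.startswith(chain_prefix):
            continue
        num = gre_rule_number(rules)
        if num is None:
            findings.append((chain, "no-gre-rule"))
        elif invalid_drop_before(rules, num) and GRE_CT_MODULE not in mods:
            findings.append((chain, "conntrack-module-missing"))
    return findings


# Constructed sample input: the chain from the post, plus a second
# (made-up) port chain that never received a protocol-47 rule.
SAMPLE_IPTABLES = """\
Chain neutron-openvswi-ie4c61512-8 (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    RETURN     udp  --  172.23.3.0           0.0.0.0/0            udp spt:67 dpt:68
4    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 1:65000
5    RETURN     udp  --  0.0.0.0/0            0.0.0.0/0            udp multiport dports 1:65000
6    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
7    RETURN     47   --  0.0.0.0/0            0.0.0.0/0
8    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set IPv4db519fbb-956c-4e4c-b src
9    neutron-openvswi-sg-fallback  all  --  0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-i0badc0de-1 (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    neutron-openvswi-sg-fallback  all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed /proc/modules excerpts (name size refcount deps state address).
MODULES_WITHOUT_GRE = """\
nf_conntrack_ipv4 15012 10 - Live 0x0000000000000000
nf_conntrack 96976 4 nf_conntrack_ipv4,xt_state - Live 0x0000000000000000
openvswitch 69096 0 - Live 0x0000000000000000
"""
MODULES_WITH_GRE = MODULES_WITHOUT_GRE + "nf_conntrack_proto_gre 14160 0 - Live 0x0000000000000000\n"

if __name__ == "__main__":
    # On a real node: listing = subprocess output of `iptables -L -n --line-numbers`,
    # proc_modules_text = open("/proc/modules").read().
    for finding in diagnose(SAMPLE_IPTABLES, MODULES_WITHOUT_GRE):
        print("%s: %s" % finding)
```

Run on the constructed data it reports the post's chain as `conntrack-module-missing` and the second chain as `no-gre-rule`; with the GRE conntrack module present only the second finding remains, which matches the post's experience that loading the module plus the protocol-47 rule was sufficient. The `(ct)?state` match also covers listings where the rule was written with `-m conntrack --ctstate INVALID` rather than the older `-m state` form shown in the post.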
