[Openstack] Please help!!!!Openvswitch attacked by ICMP!!!!!!!

Erdősi Péter fazy at niif.hu
Thu Sep 17 18:05:37 UTC 2015


On 2015.09.17 at 17:55, applyhhj wrote:
> I am using Ubuntu 15.04 and I am following guidance for Ubuntu 14.04.
> Configuration for eth2 is:
> # external network interface
> auto eth2
> iface eth2 inet manual
>         up ip link set dev $IFACE up
>         down ip link set dev $IFACE down
> By the way there is no IP on eth2 after bridging it to br-ex.
It's totally normal... you do not need an IP on br-ex or eth2...
Try to imagine this:

You have a (virtual) switch, and you have ports on it...
Your goal is to give Internet access to the machines which are "plugged"
into these ports on the switch...

In real life, you have to use an "uplink" port, where packets go
when the other machine is not directly connected to the switch...

The eth2 - br-ex situation is just the same... You have a switch, and
your uplink connection will be the eth2 interface, the port is br-ex,
and you put them together, which does not require any layer 3 setup, only
L2... (the port is up, and capable of forwarding Ethernet frames)
That's why you only bring up the interface without an IP address, because
nobody ever needs a direct connection from eth2 to the neutron host (you
possibly have a management network for that)

Overall, I think your configuration is good with eth2 and br-ex,
without IP...

If I were you, I would start by checking traffic on all interfaces (on the
network node, and the qrouters also) and figure out where these packets come
from, and what they want to reach... (not based on IP, only follow the ICMP
traffic path with tcpdump)

For example:
If your packets go from/to the Internet from/to any VM, you must see
traffic on eth2 and br-ex, and that traffic can also be found in one of
the qrouters, and somewhere between the compute and neutron nodes (based on
the isolation you chose before)

Start a few tcpdumps, and track it down :)

Regards,
  Peter
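
The capture points named in the reply above (eth2, br-ex and each qrouter namespace) turned into one tcpdump command per hop, as an added example that is not part of the original message. The function name `icmp_capture_plan` and the namespace names in the sample are constructed; it assumes Neutron router namespaces are named `qrouter-<router-id>` and reads `ip netns list` output on stdin.

```shell
#!/bin/sh
# Added example (not from the thread): plan ICMP captures for every hop the
# reply lists, so the same frame can be followed from the uplink to a router.
# Assumed: eth2 and br-ex as in the thread, namespaces named qrouter-<router-id>.

# Reads `ip netns list` style text on stdin and prints one command per capture
# point. $1 = number of packets to capture at each point (default 20).
icmp_capture_plan() {
    count="${1:-20}"
    # Uplink NIC and external bridge on the network node.
    # -n: no name resolution; -e: print the link-level header, so frames can
    # be matched across hops by MAC address rather than by IP.
    for ifc in eth2 br-ex; do
        printf 'tcpdump -n -e -i %s -c %s icmp\n' "$ifc" "$count"
    done
    # One capture inside each router namespace. Newer iproute2 appends
    # " (id: N)" to each name, which lands in _rest and is ignored.
    while read -r ns _rest; do
        case "$ns" in
            qrouter-*)
                printf 'ip netns exec %s tcpdump -n -e -i any -c %s icmp\n' \
                    "$ns" "$count"
                ;;
        esac
    done
}

# Constructed sample of `ip netns list` output (UUIDs are placeholders).
SAMPLE_NETNS='qdhcp-00000000-0000-0000-0000-000000000001
qrouter-00000000-0000-0000-0000-000000000002 (id: 1)'

# Dry run against the sample: prints three commands and captures nothing.
printf '%s\n' "$SAMPLE_NETNS" | icmp_capture_plan 20

# On a real network node, as root, feed it the live namespace list and run
# each printed command in its own terminal:
#   ip netns list | icmp_capture_plan 50
```

A hop where the ICMP frames stop appearing, or first appear, marks the segment to look at next.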