[Openstack] Please help!!!!Openvswitch attacked by ICMP!!!!!!!

applyhhj applyhhj at 163.com
Fri Sep 18 02:09:39 UTC 2015

Thank you for your reply. One more thing: I actually use "dhclient br-ex" to get an IP from the DHCP server of our campus network. Is it OK to do so? Some people think I should not assign an IP to the br-ex bridge, but in that case the whole OpenStack network is not able to access the outside Internet.




From: Erdősi Péter <fazy at niif.hu>
Sent: 2015-09-18 02:05
Subject: Re: [Openstack] Please help!!!!Openvswitch attacked by ICMP!!!!!!!
To: "applyhhj"<applyhhj at 163.com>,"openstack"<openstack at lists.openstack.org>

On 2015.09.17. 17:55, applyhhj wrote:

I am using Ubuntu 15.04 and I am following the guidance for Ubuntu 14.04. Configuration for eth2 is:

# external network interface
auto eth2
iface eth2 inet manual
        up ip link set dev $IFACE up
        down ip link set dev $IFACE down

By the way, there is no IP on eth2 after bridging it to br-ex.

It's totally normal... you do not need an IP on br-ex, or eth2...
Try to imagine this:

You have a (virtual) switch, and you have ports on that...
Your goal is to give internet access to machines which are "plugged" into these ports on the switch...

In real life, you have to use an "uplink" port, where packets go when the other machine is not directly connected to the switch...

The eth2 - br-ex situation is all the same... You have a switch, and your uplink connection will be the eth2 interface, the port is the br-ex, and you put them together, which does not require any layer 3 setup, only the L2... (port is up, and capable of forwarding Ethernet frames)
That's why you only bring up the interface without an IP address, because nobody ever needs a direct connection from eth2 to the neutron host (you possibly have a management network for that)

Overall, I think your configuration is good with eth2 and br-ex, without IP...

If I were you, I would start checking traffic on all interfaces (on the network node, and the qrouters also) and figure out where these packets come from, and what they want to reach... (not based on IP, only follow the ICMP traffic path with tcpdump)

For example:
If your packets go from/to the Internet from/to any VM, you must see traffic on eth2 and br-ex, and that traffic can also be found in one of the qrouters, and somewhere between the compute and neutron node (based on the isolation you have chosen before)

Start a few tcpdumps, and track it down :)
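
Added example, not part of the original thread: one way to compare what tcpdump shows at two capture points, following the reply's reasoning that VM traffic seen on eth2 must also appear in a qrouter. The function names, the `qrouter-<uuid>` placeholder and the sample capture lines are constructed for illustration, and the comparison assumes the router-side capture shows the same (external) addresses as the uplink.

```shell
#!/bin/sh
# Capture text would come from commands like these (root required):
#   tcpdump -n -l -c 200 -i eth2 icmp
#   ip netns exec qrouter-<uuid> tcpdump -n -l -c 200 -i any icmp
# qrouter-<uuid> is a placeholder; `ip netns list` shows the real names.

# icmp_summary LABEL: read "tcpdump -n" text on stdin and print
# "LABEL COUNT SRC > DST TYPE", busiest flow first.
icmp_summary() {
    awk -v label="$1" '
    {
        # Find "IP src > dst: ICMP ..." wherever it starts on the line,
        # since "-i any" output can carry extra leading fields.
        for (i = 1; i + 4 <= NF; i++)
            if ($i == "IP" && $(i + 2) == ">" && $(i + 4) == "ICMP") {
                dst = $(i + 3); sub(/:$/, "", dst)
                type = $0; sub(/^.* ICMP /, "", type); sub(/,.*$/, "", type)
                count[$(i + 1) " > " dst " " type]++
                break
            }
    }
    END { for (k in count) print label, count[k], k }' | sort -k2,2nr
}

# Constructed sample captures (documentation address ranges), not real traffic.
sample_eth2() {
cat <<'EOF'
02:05:11.100001 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 64
02:05:11.100950 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 64
02:05:11.101900 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 4242, seq 3, length 64
02:05:12.000100 IP 192.0.2.21 > 198.51.100.5: ICMP echo request, id 77, seq 1, length 64
02:05:12.020400 IP 198.51.100.5 > 192.0.2.21: ICMP echo reply, id 77, seq 1, length 64
EOF
}
sample_qrouter() {
cat <<'EOF'
02:05:12.000090 IP 192.0.2.21 > 198.51.100.5: ICMP echo request, id 77, seq 1, length 64
02:05:12.020410 IP 198.51.100.5 > 192.0.2.21: ICMP echo reply, id 77, seq 1, length 64
EOF
}

# Flows on the uplink that no router namespace carries are not VM traffic.
uplink_only() {
    tmp=$(mktemp)
    sample_qrouter | icmp_summary qrouter | cut -d' ' -f3- > "$tmp"
    sample_eth2 | icmp_summary eth2 | grep -v -F -f "$tmp"
    rm -f "$tmp"
}

uplink_only
```

With real captures, replace the two sample functions with the saved tcpdump text from each interface or namespace.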

