The comment from Kris is correct. In the official openstack guide I believe it is stated to remove any address from the interface attached to br-ex (sudo ip addr del <addr> dev <dev>), not to assign it 0.0.0.0
If the guide says otherwise please open a bug against the relevant doc project. Salvatore On 17 September 2015 at 16:08, Kris G. Lindgren <[email protected]> wrote: > For us on boot, we configure the systems init scripts to bring up br-ext > and plug in the ethernet (or in our case bond) device into the external > bridge. You should look at your specific distro for guidence here. Redhat > based (RHEL/CentOS/Fedora) use: > http://blog.oddbit.com/2014/05/20/fedora-and-ovs-bridge-interfac/ as a > guide. > > We do not assign any ip address to the interface attached to the bridge. > If you assigned 0.0.0.0 netmask 0.0.0.0 you basically assigned every ip > address in ipv4 to your interface, so anything that arps on your network > for an ip address, you server is going to respond say "hey that’s me". > ___________________________________________________________________ > Kris Lindgren > Senior Linux Systems Engineer > GoDaddy > > From: applyhhj > Date: Thursday, September 17, 2015 at 8:55 AM > To: openstack-operators > Subject: [Openstack-operators] Please help!!!!Openvswitch attacked by > ICMP!!!!!!! > > Hi, > > I followed The Guidance and tried to configure openvswitch(OVS) service. I > first created a bridge br-ex and then added eth2 to the bridge. After that > I set the IP of eth2 to 0.0.0.0 and then reboot the system. However br-ex > was not up when system launched. So I turned on br-ex manually and then > restart the network, but br-ex could not get ip from dhcp server. Thus I > used “dhclient br-ex” to manually acquire IP. Well till then everything > worked fine, but in the evening the Network Node was continuously attacked > by ICMP package. Iptraf showed the following messages: > > > > *x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.xx on > eth2 > * > > *x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to > 166.111.61.xxx on eth2 > * > > *x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to > 166.111.61.xx on > eth2 > * > > *x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.xx > on > eth2 > * > > *x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.xx on > eth2 > > * > > *x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to > 166.111.61.xxx on eth2 > * > > *x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to > 166.111.61.xx on > eth2 > * > > *x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.x on > eth2 > * > > *x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.63 on > eth2 > > * > > *x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to > 166.111.61.xx on > eth2 > * > > *x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to > 166.111.61.xxx on > eth2 > * > > *x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.xx > on > eth2 > * > > *x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.x on eth2* > > > > My ip is none of the above ones. The download speed in system monitor went > up to 3m/s or even higher to 8m/s. I tried to use iptables and ebtable to > filter icmp packages and also set icmp_echo_ignore_all to drop all icmp > pacakges. But, unfortunately, nothing works. As long as I deleted eth2 from > br-ex or brought down br-ex, the network went back normal.If you have any > idea, please help me. I have been stuck here for several days. Thank you > very much!! > > > > Regards! > > hjh > > > 2015-09-17 > ------------------------------ > applyhhj > > _______________________________________________ > OpenStack-operators mailing list > [email protected] > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > >
_______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
