Public bug reported:

Version: pike openstack-neutron-11.0.0-3.el7
Config: according to https://docs.openstack.org/neutron/pike/install/install-rdo.html
ml2 linuxbridge vxlan

neutron creates rules in the neutron-linuxbri-FORWARD chain only for compute
ports, but router and dhcp ports have no mention at all. So router and dhcp
traffic remains within the host bridge.

Expected: neutron creates rules like

  -A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged

for all agents' ports in the bridge.

# iptables-save
# Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
*nat
:PREROUTING ACCEPT [23760:1495817]
:INPUT ACCEPT [22739:1402147]
:OUTPUT ACCEPT [1778:116606]
:POSTROUTING ACCEPT [2260:170214]
COMMIT
# Completed on Thu Sep 28 18:16:57 2017
# Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
*mangle
:PREROUTING ACCEPT [922003:1129881715]
:INPUT ACCEPT [906034:1128976690]
:FORWARD ACCEPT [20488:1851370]
:OUTPUT ACCEPT [774093:3908358570]
:POSTROUTING ACCEPT [793969:3910141934]
COMMIT
# Completed on Thu Sep 28 18:16:57 2017
# Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
*raw
:PREROUTING ACCEPT [922261:1129974352]
:OUTPUT ACCEPT [774348:3908396136]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-PREROUTING - [0:0]
-A PREROUTING -j neutron-linuxbri-PREROUTING
-A OUTPUT -j neutron-linuxbri-OUTPUT
COMMIT
# Completed on Thu Sep 28 18:16:57 2017
# Generated by iptables-save v1.4.21 on Thu Sep 28 18:16:57 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27196:421070402]
:neutron-filter-top - [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-OUTPUT - [0:0]
:neutron-linuxbri-local - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
-A INPUT -j neutron-linuxbri-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-linuxbri-OUTPUT
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-INPUT -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
# Completed on Thu Sep 28 18:16:57 2017

# brctl show
bridge name     bridge id               STP enabled     interfaces
brq76f218a0-55  8000.1a1da1c5730b       no              tap5015bfe4-c5
                                                        tapa6d0f381-b7
                                                        tapb48c914e-20
                                                        vxlan-1006
brq8856ee40-24  8000.921ccb87ce25       no              tap8d487e05-d8
                                                        vxlan-1043

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1720205

Title:
  neutron does not create the necessary iptables rules for l3 and dhcp
  agents when linuxbridge used

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1720205/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
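The report's evidence is an iptables-save dump next to a brctl listing, and the reader has to cross-reference them by hand to see which bridge members are missing. The script below automates that check. It is an added example, not code from the bug report or from neutron: it parses the neutron-linuxbri-FORWARD chain for --physdev-in/--physdev-out matches and diffs the result against the bridge's member ports. The sample inputs are constructed from the output quoted above (bridge brq76f218a0-55, ports tap5015bfe4-c5, tapa6d0f381-b7, tapb48c914e-20, vxlan-1006); the /sys/class/net/<bridge>/brif lookup suggested for live use is a Linux bridge convention, and the bridge name there is taken from the report. Two caveats a practitioner should keep in mind: the trailing "-A FORWARD -j REJECT --reject-with icmp-host-prohibited" (like the INPUT rules around it) is the stock RHEL/CentOS 7 iptables-services policy rather than something neutron installs, and it is what turns "no rule for this port" into rejected traffic once bridge-nf-call-iptables=1 sends bridged frames through FORWARD, as the referenced install guide configures; and neutron's iptables manager rewrites the neutron-linuxbri-* chains it owns, so the expected_rules output is there to make the gap explicit, not as a durable manual fix.

```shell
#!/bin/sh
# Added audit script (not part of the bug report or of neutron): list the
# member ports of a linuxbridge bridge that have no --physdev-in/--physdev-out
# rule in neutron-linuxbri-FORWARD. With bridge-nf-call-iptables=1 a bridged
# frame for such a port traverses FORWARD, matches nothing neutron installed,
# and reaches the host's trailing "-A FORWARD -j REJECT".
#
# The inputs below are constructed from the output quoted in the report. On a
# live host feed it real data instead, e.g.
#   uncovered_ports "$(iptables-save)" "$(ls /sys/class/net/brq76f218a0-55/brif)"
# (brif/ is the kernel's list of bridge ports; the bridge name is an assumption).

SAMPLE_RULES='-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-linuxbri-INPUT -m physdev --physdev-in tapb48c914e-20 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT'

# Member interfaces of brq76f218a0-55 as listed by brctl show in the report.
SAMPLE_PORTS='tap5015bfe4-c5 tapa6d0f381-b7 tapb48c914e-20 vxlan-1006'

# covered_ports RULES -> interfaces named in any --physdev-in/--physdev-out
# match of a rule appended to neutron-linuxbri-FORWARD, one per line, sorted.
# Only that chain counts: the neutron-linuxbri-INPUT rule above is ignored.
covered_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "neutron-linuxbri-FORWARD" {
            for (i = 3; i < NF; i++)
                if ($i == "--physdev-in" || $i == "--physdev-out")
                    seen[$(i + 1)] = 1
        }
        END { for (p in seen) print p }' | sort
}

# uncovered_ports RULES PORTS -> each tap* member of the bridge (VM, DHCP and
# router ports alike) with no physdev rule in neutron-linuxbri-FORWARD.
# The vxlan-* uplink is skipped: it is not a neutron port.
uncovered_ports() {
    covered=$(covered_ports "$1")
    for p in $2; do
        case "$p" in
            tap*) ;;
            *) continue ;;
        esac
        if ! printf '%s\n' "$covered" | grep -qx -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# expected_rules PORT -> the pair of physdev ACCEPT rules the report shows for
# tapb48c914e-20, rendered for another port (illustration of the gap only).
expected_rules() {
    for dir in out in; do
        printf '%s -m physdev --physdev-%s %s --physdev-is-bridged -j ACCEPT\n' \
            '-A neutron-linuxbri-FORWARD' "$dir" "$1"
    done
}

echo "Bridge ports with no neutron-linuxbri-FORWARD physdev rule:"
uncovered_ports "$SAMPLE_RULES" "$SAMPLE_PORTS" | while read -r p; do
    echo "  $p"
    expected_rules "$p" | sed 's/^/    /'
done
```

On the report's data this lists tap5015bfe4-c5 and tapa6d0f381-b7 and leaves tapb48c914e-20 out. The check deliberately counts any physdev match in neutron-linuxbri-FORWARD, not only ACCEPT targets, so a port that has security groups applied (whose rules jump to neutron-linuxbri-sg-chain instead) is also reported as covered; what matters for the trailing REJECT is whether the port is matched at all.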