After checking it with Rodolfo's help, I can check that it is fixed in the last queens (13) version. The fix that solves this issue is:
https://review.openstack.org/#/c/568907/1

** Changed in: neutron
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1795432

Title:
  neutron does not create the necessary iptables rules for dhcp agents
  when linuxbridge is used

Status in neutron:
  Fix Released

Bug description:
  Reproduction:

  Create an environment with controller and compute in different hosts:

  controller:

  [root@controller1 ~]# brctl show
  bridge name     bridge id               STP enabled     interfaces
  brq37841a31-d7  8000.0a7e069299a3       no              tap80087b5b-33
                                                          tap94526e09-2c
                                                          vxlan-46
  brqbab8fb94-c8  8000.1275449f51ef       no              eth3
                                                          tap4baecbed-83
                                                          tap8924b588-55

  [root@controller1 ~]# ip netns
  qrouter-bcb8c407-ab4c-4916-89a5-d1ba8ac786ae (id: 2)
  qdhcp-37841a31-d744-4c9f-b084-37cfaafe71ca (id: 1)
  qdhcp-bab8fb94-c849-4c6c-ada7-98ec9bc33b87 (id: 0)

  Compute host:

  [root@compute1 ~]# brctl show
  bridge name     bridge id               STP enabled     interfaces
  brq37841a31-d7  8000.5e530dd5073b       no              tap171ccdb9-66
                                                          vxlan-46
  brqbab8fb94-c8  8000.525400fec4c7       no              eth3
                                                          tap80b3e489-a6
                                                          tapfec914c0-0e
  virbr0          8000.525400ed85d9       yes             virbr0-nic

  [root@compute1 ~]# virsh list
   Id    Name                           State
  ----------------------------------------------------
   28    instance-0000002f              running
   39    instance-00000044              running
   41    instance-00000047              running

  Then when dhcp namespace and vms are in different hosts, dhcp traffic
  (in provider and selfservice network mode) is dropped in the controller
  bridge, because there is no rule permitting the dhcp reply to go out of
  the controller:

  Iptables:

  -A neutron-filter-top -j neutron-linuxbri-local
  -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
  -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
  -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap94526e09-2c --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
  -A neutron-linuxbri-FORWARD -m physdev --physdev-out tap8924b588-55 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT

  interfaces:

  [root@controller1 ~]# ip link
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
      link/ether 52:54:00:d6:e9:8f brd ff:ff:ff:ff:ff:ff
  3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
      link/ether 52:54:00:7a:23:a5 brd ff:ff:ff:ff:ff:ff
  4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
      link/ether 52:54:00:5f:07:d9 brd ff:ff:ff:ff:ff:ff
  28: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
      link/ether 52:54:00:b2:b7:bc brd ff:ff:ff:ff:ff:ff
  30: tap4baecbed-83@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
      link/ether c6:e3:d5:e8:49:78 brd ff:ff:ff:ff:ff:ff link-netnsid 0
  31: brqbab8fb94-c8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
      link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff
  32: tap80087b5b-33@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
      link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 1
  33: vxlan-46: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UNKNOWN mode DEFAULT group default qlen 1000
      link/ether 92:6d:dd:cd:ab:43 brd ff:ff:ff:ff:ff:ff
  34: brq37841a31-d7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP mode DEFAULT group default qlen 1000
      link/ether 0a:7e:06:92:99:a3 brd ff:ff:ff:ff:ff:ff
  35: tap94526e09-2c@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master brq37841a31-d7 state UP mode DEFAULT group default qlen 1000
      link/ether fe:a4:58:9e:52:2f brd ff:ff:ff:ff:ff:ff link-netnsid 2
  36: tap8924b588-55@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brqbab8fb94-c8 state UP mode DEFAULT group default qlen 1000
      link/ether 12:75:44:9f:51:ef brd ff:ff:ff:ff:ff:ff link-netnsid 2

  Only rules for the tap ports. It is necessary to add rules to permit
  dhcp traffic between hosts, for example permit dhcp ports as dev-in:

  -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap4baecbed-83 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
  -A neutron-linuxbri-FORWARD -m physdev --physdev-in tap80087b5b-33 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT

  This bug is another scenario of bug:
  https://bugs.launchpad.net/neutron/+bug/1720205
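A check for the condition this report describes, added here as an example (it is not Neutron's code and not the fix from the review linked above): it reads `iptables-save`-style rules and reports which DHCP tap ports lack a trusted-port ACCEPT rule in either bridge direction. The function names are hypothetical, the rule text is constructed from the rules quoted in the report, and the two DHCP taps are the ones the report names in its proposed rules.

```python
import shlex

CHAIN = "neutron-linuxbri-FORWARD"
TRUSTED = ('-m physdev --physdev-{d} {dev} --physdev-is-bridged -m comment '
           '--comment "Accept all packets when port is trusted." -j ACCEPT')

def rule(direction, dev):
    """Build one trusted-port rule line in the form quoted in the report."""
    return "-A " + CHAIN + " " + TRUSTED.format(d=direction, dev=dev)

# Constructed sample: the controller's rules as listed in the bug description.
BEFORE = "\n".join(
    ["-A neutron-filter-top -j neutron-linuxbri-local"]
    + [rule("out", d) for d in ("tap4baecbed-83", "tap80087b5b-33",
                                "tap94526e09-2c", "tap8924b588-55")])
# The same rules plus the two --physdev-in rules the report proposes.
AFTER = BEFORE + "\n" + "\n".join(
    rule("in", d) for d in ("tap4baecbed-83", "tap80087b5b-33"))

def _opt(tokens, name):
    """Return the argument that follows option `name`, or None."""
    if name in tokens:
        i = tokens.index(name)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None

def accepted_directions(rules_text, chain=CHAIN):
    """Map device -> {'in','out'} for bridged ACCEPT rules in `chain`."""
    seen = {}
    for line in rules_text.splitlines():
        try:
            tokens = shlex.split(line)  # keeps the quoted --comment intact
        except ValueError:              # unbalanced quote: not a usable rule
            continue
        if tokens[:2] != ["-A", chain] or _opt(tokens, "-j") != "ACCEPT":
            continue
        if "--physdev-is-bridged" not in tokens:
            continue
        for direction in ("in", "out"):
            dev = _opt(tokens, "--physdev-" + direction)
            if dev:
                seen.setdefault(dev, set()).add(direction)
    return seen

def missing_directions(rules_text, dhcp_taps):
    """Return {tap: [directions without an ACCEPT rule]} for the given taps."""
    seen = accepted_directions(rules_text)
    gaps = {t: sorted({"in", "out"} - seen.get(t, set())) for t in dhcp_taps}
    return {t: g for t, g in gaps.items() if g}

if __name__ == "__main__":
    taps = ["tap4baecbed-83", "tap80087b5b-33"]
    print("before:", missing_directions(BEFORE, taps))
    print("after: ", missing_directions(AFTER, taps))
```

On a live controller the rules text would come from `iptables-save` and the tap names from the interfaces inside the `qdhcp-*` namespaces.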