Hello!
Well, I am not sure that you will need my answer, but maybe someone else will.
The problem is that WDS uses DHCP ports to communicate with the client; the ports are 68, 67 and 4011.
And nova doesn't like any DHCP traffic inside its network besides its own dnsmasq.
We could see the requests from the client on all interfaces, but the replies (from server port 4011 to client port 68) were blocked on the VLAN interface on the nova-network/compute node.

The problem was in ebtables, which blocked all traffic on the VLAN iface for ports 67 and 68:

#ebtables -L
-p IPv4 -o vlan1004 --ip-proto udp --ip-dport 67:68 -j DROP
-p IPv4 -i vlan1004 --ip-proto udp --ip-dport 67:68 -j DROP

When I added the rules:

-p IPv4 -i vlan1004 --ip-proto udp --ip-sport 4011 --ip-dport 68 -j ACCEPT
-p IPv4 -o vlan1004 --ip-proto udp --ip-sport 4011 --ip-dport 68 -j ACCEPT

WDS started working properly.

UPDATE:

Sadly, it seems that nova has some kind of scheduler which rewrites the ebtables rules even if nova-network wasn't restarted.

We edited the source code of nova by adding lines in 2 methods in the file /usr/lib/python2.7/dist-packages/nova/network/linux_net.py:
line 1765:

def isolate_dhcp_address(interface, address):
    # block arp traffic to address across the interface
    rules = []
    rules.append('INPUT -p ARP -i %s --arp-ip-dst %s -j DROP'
                 % (interface, address))
    rules.append('OUTPUT -p ARP -o %s --arp-ip-src %s -j DROP'
                 % (interface, address))
    rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp '
                 '--ip-destination-port 67:68 -j DROP'
                 % interface)
    rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp '
                 '--ip-destination-port 67:68 -j DROP'
                 % interface)
    # added: let WDS/PXE replies (server port 4011 -> client port 68)
    # through the interface in both directions
    rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp '
                 '--ip-sport 4011 --ip-dport 68 -j ACCEPT'
                 % interface)
    rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp '
                 '--ip-sport 4011 --ip-dport 68 -j ACCEPT'
                 % interface)
    # NOTE(vish): the above is not possible with iptables/arptables
    ensure_ebtables_rules(rules)


def remove_isolate_dhcp_address(interface, address):
    # block arp traffic to address across the interface
    rules = []
    rules.append('INPUT -p ARP -i %s --arp-ip-dst %s -j DROP'
                 % (interface, address))
    rules.append('OUTPUT -p ARP -o %s --arp-ip-src %s -j DROP'
                 % (interface, address))
    rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp '
                 '--ip-destination-port 67:68 -j DROP'
                 % interface)
    rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp '
                 '--ip-destination-port 67:68 -j DROP'
                 % interface)
    # added: the same WDS/PXE ACCEPT rules, so they are removed together
    # with the DROP rules
    rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp '
                 '--ip-sport 4011 --ip-dport 68 -j ACCEPT'
                 % interface)
    rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp '
                 '--ip-sport 4011 --ip-dport 68 -j ACCEPT'
                 % interface)
    remove_ebtables_rules(rules)
    # NOTE(vish): the above is not possible with iptables/arptables
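Whether the added ACCEPT rules take effect depends on where they land relative to nova's DROP rules, since ebtables takes the first matching rule. The following is an added example (not from the answer above and not nova code) that simulates first-match evaluation of the ebtables rules quoted in the answer; it assumes a chain policy of ACCEPT, that `-i` is matched against the ingress interface and `-o` against the egress interface, and that all constructed frames are IPv4 UDP.

```python
# Added example: simulate first-match evaluation of the page's ebtables rules.
# Rule strings are the ones quoted in the answer (constructed chain for the simulation).
NOVA_DROP_RULES = [
    "-p IPv4 -o vlan1004 --ip-proto udp --ip-dport 67:68 -j DROP",
    "-p IPv4 -i vlan1004 --ip-proto udp --ip-dport 67:68 -j DROP",
]
WDS_ACCEPT_RULES = [
    "-p IPv4 -i vlan1004 --ip-proto udp --ip-sport 4011 --ip-dport 68 -j ACCEPT",
    "-p IPv4 -o vlan1004 --ip-proto udp --ip-sport 4011 --ip-dport 68 -j ACCEPT",
]


def parse_rule(rule):
    """Parse the ebtables options used on the page into a match spec.
    Every option here takes one value, so tokens come in pairs.
    '-p IPv4' is skipped: the constructed frames are all IPv4."""
    toks = rule.split()
    spec = {}
    for opt, val in zip(toks[0::2], toks[1::2]):
        if opt == "-i":
            spec["in"] = val
        elif opt == "-o":
            spec["out"] = val
        elif opt == "--ip-proto":
            spec["proto"] = val
        elif opt in ("--ip-sport", "--ip-dport"):
            lo, _, hi = val.partition(":")  # "67:68" is an inclusive range
            spec[opt[5:]] = (int(lo), int(hi or lo))
        elif opt == "-j":
            spec["target"] = val
    return spec


def matches(spec, frame):
    for key in ("in", "out", "proto"):
        if key in spec and spec[key] != frame.get(key):
            return False
    for key in ("sport", "dport"):
        if key in spec and not spec[key][0] <= frame[key] <= spec[key][1]:
            return False
    return True


def verdict(chain, frame, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        spec = parse_rule(rule)
        if matches(spec, frame):
            return spec["target"]
    return policy


# Constructed frames: the WDS reply that was being dropped, and a DHCP offer
# from a VM (server port 67 -> client port 68) that the isolation must still block.
WDS_REPLY = {"in": "vlan1004", "out": "vnet0", "proto": "udp", "sport": 4011, "dport": 68}
DHCP_OFFER = {"in": "vlan1004", "out": "vnet0", "proto": "udp", "sport": 67, "dport": 68}
```

Evaluating `WDS_REPLY` against nova's DROP rules alone gives DROP, against the ACCEPT rules placed before them gives ACCEPT, and against the ACCEPT rules placed after them gives DROP again; `DHCP_OFFER` stays DROP in every ordering, so the narrow 4011-to-68 exception does not reopen the rogue-DHCP hole the isolation exists for.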