Can't ping vRouter from other hosts: Destination Host Prohibited

asked 2018-01-04 10:21:23 -0600

Thomas Li

updated 2018-01-04 10:47:36 -0600

Hey guys,

I am stuck in another weird problem. I set up Pike RDO on the latest CentOS 7, with iptables because Neutron hates firewalld, linuxbridge, 1 external net (public), 1 internal net (mgmt, data), 1 API node, 1 network node and a couple of computes. I had it running on Juno and Kilo, but was using a network/compute node hybrid in all the releases in between. Created a vRouter (44) and could ping it from the same host but not from the others. I did it in Kilo on OVS instead of linuxbridge and it worked fine. Double-checked the FW (devsetup):

[root@22 ~]# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  x.x.x.0/27       anywhere             state NEW tcp
ACCEPT     udp  --  x.x.x.0/27       anywhere
ACCEPT     tcp  --  10.1.1.0/24          anywhere             state NEW tcp
ACCEPT     udp  --  10.1.1.0/24          anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

but still:

From x.x.x.22 icmp_seq=1 Destination Host Prohibited
l3 is pretty much stock: https://docs.openstack.org/neutron/pi... (but later I also did and tested many other configs):
[DEFAULT]
interface_driver = linuxbridge
external_network_bridge = br0
verbose = True
debug = True
use_syslog = True
syslog_log_facility = LOG_LOCAL0
use_namespaces = True
enable_metadata_proxy = True

tcpdump -i br0 |grep -v my_onw_host

15:36:54.608446 IP  11.mydomain >  44.mydomain: ICMP echo request, id 5079, seq 1225, length 64
15:36:54.609838 IP dns.mydomain.domain >  22.mydomain.46497: 57792* 1/4/8 PTR  44.mydomain. (347)
15:37:15.608414 IP  22.mydomain >  11.mydomain: ICMP host  44.mydomain unreachable - admin prohibited, length 92
15:37:15.608431 IP  11.mydomain >  44.mydomain: ICMP echo request, id 5079, seq 1246, length 64
15:37:15 ...
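To reason about a listing like the one in the question without guessing, here is an added example (not from the question, OpenStack or Neutron) that parses `iptables -L` text and traces a packet through a chain, following jumps into user chains such as neutron-linuxbri-INPUT; the sample listing is a constructed excerpt of the chains shown above, and the packet dicts are made up. It deliberately matches only what `-L` prints, and that is the caveat it demonstrates: `iptables -L` without `-v` omits the -i/-o interface matches, so when the trace returns ACCEPT for FORWARD while the host still answers host-prohibited, the listing is incomplete and `iptables -nvL` or `iptables-save` is the thing to compare against.

```python
import ipaddress
import re
# Constructed excerpt of the `iptables -L` listing posted in the question (INPUT, FORWARD, one user chain).
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  10.1.1.0/24          anywhere             state NEW tcp
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination
"""
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(listing):  # chain name -> {"policy": built-in policy or None, "rules": [dict]}
    chains, cur = {}, None
    for line in listing.splitlines():
        if m := HEADER.match(line):
            cur = chains.setdefault(m[1], {"policy": m[2], "rules": []})
        elif cur and line.strip() and not line.startswith("target"):
            t, prot, _, src, dst, *extra = line.split()
            cur["rules"].append(dict(target=t, prot=prot, src=src, dst=dst, extra=" ".join(extra)))
    return chains

def _in(net, addr):
    return net == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):  # only what `-L` prints: proto, addresses, conntrack state; never -i/-o
    if rule["prot"] not in ("all", pkt["proto"]) or not _in(rule["src"], pkt["src"]):
        return False
    m = re.search(r"(?:ct)?state (\S+)", rule["extra"])
    return _in(rule["dst"], pkt["dst"]) and (not m or pkt["state"] in m[1].split(","))

def trace(chains, name, pkt):  # first terminating (verdict, extra); None means RETURN to caller
    for rule in (r for r in chains[name]["rules"] if matches(r, pkt)):
        if rule["target"] in TERMINAL:
            return rule["target"], rule["extra"]
        if rule["target"] in chains and (v := trace(chains, rule["target"], pkt)):
            return v  # a user chain decided; an empty or RETURNing chain falls through
    return (chains[name]["policy"], "") if chains[name]["policy"] else None
```

Call `trace(parse(LISTING), "INPUT", {"proto": "icmp", "src": "10.1.1.5", "dst": "10.1.1.22", "state": "NEW"})` to see which rule decides; feed it the text of `iptables -nvL` only after extending `matches` with the interface columns that listing adds.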