Ask Your Question
2

igmp queries are blocked somewhere between bridge and tap?

asked 2014-04-04 10:56:44 -0600

jan.krause gravatar image

updated 2014-04-09 10:07:34 -0600

we have an virtual openswitch router, which we are using to communicate from our virtual vm“s to an external network, currently unicast based into the vms. now we wanna switch to multicast.

i was able to setup an multicast router in the netns, so that we are able to join an multicast group from the vms into the right switch over the router. but this runs into an timeout, because the impg queries are not available in the netns.

is there an way to manage this?

10.200.2.0/24 dev qg-552ffdec-c1  proto kernel  scope link  src 10.200.2.2 
10.200.3.0/24 dev qr-f46ee891-ec  proto kernel  scope link  src 10.200.3.1

is see:

 17:42:24.710978 IP 10.200.2.2 > 224.0.0.1: igmp query v2

but inside the vm there is no query, only initial three igmp reports

 15:53:37.084064 IP 10.200.3.17 > 238.2.48.3: igmp v2 report 238.2.48.3

We see the traffic on the qbr interface, but the queries are blocked somehow. there are not forwarded to the tap device on the virtual machine.

we set the querier for the qbr to 1. and set the rules for libvirt network filter, but still no success.

Edit:

Actually we broke down the problem to the igmp query part. when we send igmp queries from one virtual instance to the network we will not recieve them on the other instances:

we see the igmp queries on the linux bridge device:

 tcpdump -v -n -i qbrd4d83fa8-d5 igmp

but not on the tap device:

tcpdump -v -n -i tapd4d83fa8-d5 igmp

we are using kvm.

we added:

echo 1 >> /sys/devices/virtual/net/qbrd4d83fa8-d5/bridge/multicast_querier

on the bridge, and did no changes on the virsh network filter yet.

some system informations:

Linux compute007 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

and

bridge-utils  1.5-2ubuntu7 Utilities for configuring the Linux Ethernet bridge

for any hint, i would be thankful.

edit retag flag offensive close merge delete

2 answers

Sort by » oldest newest most voted
2

answered 2014-08-29 12:11:24 -0600

cnkcb gravatar image

Add a firewall rule to allow IGMP protocol;

In Havana/Horizon Access & Security, edit default rules and add a new rule;

  • Rule: Other Protocol
  • Direction: Ingress
  • IP Protocol: 2
  • Remote: CIDR
  • CIDR: 0.0.0.0/0
edit flag offensive delete link more
0

answered 2014-04-10 01:25:36 -0600

SGPJ gravatar image

You need to disable anti-ip-spoofing to go through to VM. You can follow link: http://docs.openstack.org/havana/inst...

and in comments section, it has mentioned how to configure.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-04-04 10:56:44 -0600

Seen: 2,179 times

Last updated: Aug 29 '14