neutron-openvswitch port - how to disable source IP address checking?

asked 2014-10-20 08:33:14 -0500 by eupub

updated 2014-10-20 09:13:40 -0500

Hi there,

I have implemented Icehouse using Neutron and Open vSwitch with ML2. I have deployed a VM acting as a VPN client (communicating with a VPN server outside OpenStack) to route traffic to/from the VPN server from other subnets outside of OpenStack, and it seems Neutron/Open vSwitch doesn't allow packets with source IP addresses other than the VM's own to be routed out of the VM's port. Is there a way to disable this behavior?

It seems the source IP address is tied to the MAC address:

service iptables status

Chain neutron-openvswi-s1eaac794-3 (1 references)

num  target     prot opt source               destination
1    RETURN     all  --  172.16.0.48          0.0.0.0/0            MAC FA:16:3E:A0:24:7F
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0

There are many dropped packets because the source IP address was not 172.16.0.48:

iptables -L -n -v

Chain neutron-openvswi-s1eaac794-3 (1 references)

 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       172.16.0.48          0.0.0.0/0            MAC FA:16:3E:A0:24:7F
20507 1723K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

I tried around with rules in security groups to allow all, but it doesn't seem to help at all. I would like the VM (VPN client) to be able to route out traffic to other VMs on the same subnet (and security group) from different source IP addresses.

Appreciate any inputs soonest & thanks!

Regards, Boon Lee


1 answer

answered 2014-10-21 09:15:52 -0500 by vthapar

I am not sure if you can disable it without disabling security groups/port security altogether, but allowed-address-pairs would be able to solve your problem.

From the manual:

The allowed address pair extension extends the port attribute to enable you to specify arbitrary mac_address/ip_address(cidr) pairs that are allowed to pass through a port regardless of the subnet associated with the network.

Refer to this link for details on how to configure allowed address pairs:

http://docs.openstack.org/admin-guide-cloud/content/section_allowed_address_pairs_workflow.html

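The following is an added illustration (not Neutron's code and not from either poster) of the per-port anti-spoof chain shown in the question's iptables output, and of what an allowed address pair changes: a frame leaving the port is RETURNed (allowed) only if its source MAC/IP matches the port's fixed IP or an allowed pair, otherwise it hits the final DROP. The VPN remote subnet 10.20.0.0/24 is a constructed example value.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AddressPair:
    """One allowed-address-pair entry: an IP or CIDR, optionally bound to a MAC."""
    ip_cidr: str
    mac_address: Optional[str] = None  # None means the port's own MAC


@dataclass
class Port:
    mac_address: str
    fixed_ips: List[str]
    allowed_address_pairs: List[AddressPair] = field(default_factory=list)


def egress_verdict(port: Port, src_mac: str, src_ip: str) -> str:
    """Model of the neutron-openvswi-s<port> chain from the question:
    RETURN for the port's own MAC + fixed IP, RETURN for any allowed pair
    whose MAC and CIDR match, then DROP everything else."""
    mac = src_mac.lower()
    ip = ipaddress.ip_address(src_ip)
    # Fixed IPs are always tied to the port's own MAC (the MAC match in rule 1).
    if mac == port.mac_address.lower():
        if any(ip == ipaddress.ip_address(fixed) for fixed in port.fixed_ips):
            return "RETURN"
    # Allowed address pairs: CIDR match; MAC defaults to the port's MAC.
    for pair in port.allowed_address_pairs:
        pair_mac = (pair.mac_address or port.mac_address).lower()
        if mac == pair_mac and ip in ipaddress.ip_network(pair.ip_cidr, strict=False):
            return "RETURN"
    return "DROP"  # the catch-all DROP rule that counted 20507 packets


def overly_broad_pairs(port: Port) -> List[str]:
    """Pairs covering every address (e.g. 0.0.0.0/0) turn the anti-spoof
    chain into a no-op for that MAC; flag them so the exception stays scoped
    to the VPN's remote subnets rather than disabling the check entirely."""
    return [p.ip_cidr for p in port.allowed_address_pairs
            if ipaddress.ip_network(p.ip_cidr, strict=False).prefixlen == 0]


if __name__ == "__main__":
    vpn = Port("FA:16:3E:A0:24:7F", ["172.16.0.48"])
    print(egress_verdict(vpn, "fa:16:3e:a0:24:7f", "10.20.0.5"))   # DROP
    vpn.allowed_address_pairs.append(AddressPair("10.20.0.0/24"))  # constructed
    print(egress_verdict(vpn, "fa:16:3e:a0:24:7f", "10.20.0.5"))   # RETURN
```

In a real deployment the pair is added on the VPN client's port with the `neutron port-update ... --allowed-address-pairs` workflow from the linked guide; the model above only shows which frames the resulting chain will pass or drop.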
