multicast packets dropped by iptables

asked 2015-07-02 19:33:49 -0600

nakul

updated 2015-07-03 01:54:49 -0600

uts9

I have a system with one controller, one neutron and one compute node. I am using linuxbridge as the mechanism plugin instead of OVS. I have created a VM with port x. I have disabled anti-spoofing on port x (by address pair mapping). I have also allowed all TCP and UDP traffic to be forwarded. The multicast packets are being dropped by the Linux bridge. Below are the iptables rules for the corresponding port x:

-A neutron-linuxbri-s68c64dd6-6 -s 0.0.0.0/1 -m mac --mac-source FA:16:3E:69:0F:6F -j RETURN

-A neutron-linuxbri-s68c64dd6-6 -s 90.10.6.1/32 -m mac --mac-source FA:16:3E:69:0F:6F -j RETURN

-A neutron-linuxbri-s68c64dd6-6 -j DROP

-A neutron-linuxbri-o68c64dd6-6 -p udp -m udp --sport 68 --dport 67 -j RETURN

-A neutron-linuxbri-o68c64dd6-6 -j neutron-linuxbri-s68c64dd6-6

-A neutron-linuxbri-o68c64dd6-6 -p udp -m udp --sport 67 --dport 68 -j DROP

-A neutron-linuxbri-o68c64dd6-6 -m state --state INVALID -j DROP

-A neutron-linuxbri-o68c64dd6-6 -m state --state RELATED,ESTABLISHED -j RETURN

-A neutron-linuxbri-o68c64dd6-6 -j RETURN

-A neutron-linuxbri-o68c64dd6-6 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN

-A neutron-linuxbri-o68c64dd6-6 -p udp -m udp -m multiport --dports 1:65535 -j RETURN

-A neutron-linuxbri-o68c64dd6-6 -p icmp -j RETURN

-A neutron-linuxbri-o68c64dd6-6 -j neutron-linuxbri-sg-fallback

When I disable iptables, the multicast packets get forwarded. Is there a config required for multicast packets?


Comments

how are you doing the multicast test?

darragh-oreilly (2015-07-03 00:50:35 -0600)

I have 2 VMs running on different compute nodes and they are sending multicast packets to each other. I am running the OSPF protocol between them.

nakul (2015-07-06 18:20:11 -0600)

don't see any ingress rules

darragh-oreilly (2015-07-07 01:12:12 -0600)
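To see which of the posted rules a packet actually hits, the sketch below walks a packet through the two chains from the question in rule order. It is an added example, not part of the original thread; the sample packet (source address, conntrack state NEW) and the function names are assumptions, and only the match options that occur in the dump are modelled.

```python
import ipaddress
# Rules copied verbatim from the question: spoof-filter ("s") and egress ("o") chains of port x.
RULES = """\
-A neutron-linuxbri-s68c64dd6-6 -s 0.0.0.0/1 -m mac --mac-source FA:16:3E:69:0F:6F -j RETURN
-A neutron-linuxbri-s68c64dd6-6 -s 90.10.6.1/32 -m mac --mac-source FA:16:3E:69:0F:6F -j RETURN
-A neutron-linuxbri-s68c64dd6-6 -j DROP
-A neutron-linuxbri-o68c64dd6-6 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-linuxbri-o68c64dd6-6 -j neutron-linuxbri-s68c64dd6-6
-A neutron-linuxbri-o68c64dd6-6 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-linuxbri-o68c64dd6-6 -m state --state INVALID -j DROP
-A neutron-linuxbri-o68c64dd6-6 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-o68c64dd6-6 -j RETURN
-A neutron-linuxbri-o68c64dd6-6 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
-A neutron-linuxbri-o68c64dd6-6 -p udp -m udp -m multiport --dports 1:65535 -j RETURN
-A neutron-linuxbri-o68c64dd6-6 -p icmp -j RETURN
-A neutron-linuxbri-o68c64dd6-6 -j neutron-linuxbri-sg-fallback
"""
OPTS = {"-s": "src", "-p": "proto", "--mac-source": "mac", "--state": "state",
        "--sport": "sport", "--dport": "dport", "--dports": "dports"}
# Constructed sample packet (assumption): OSPF hello (IP protocol 89) sent by the VM.
OSPF_HELLO = {"src": "90.10.6.1", "mac": "fa:16:3e:69:0f:6f", "proto": "ospf",
              "dst": "224.0.0.5", "state": "NEW"}

def parse(text):  # -> {chain: [(match options, target), ...]}
    chains = {}
    for tok in map(str.split, text.splitlines()):
        match = {OPTS[t]: tok[i + 1] for i, t in enumerate(tok) if t in OPTS}
        chains.setdefault(tok[1], []).append((match, tok[-1]))
    return chains

def matches(m, p):  # a rule matches only if every option on it matches
    lo, hi = map(int, m.get("dports", "0:65535").split(":"))
    return (ipaddress.ip_address(p["src"]) in ipaddress.ip_network(m.get("src", "0.0.0.0/0"))
            and lo <= p.get("dport", 0) <= hi
            and all(str(p.get(k, "")).lower() in m[k].lower().split(",")
                    for k in ("proto", "mac", "state", "sport", "dport") if k in m))

def traverse(chains, chain, pkt, trace):  # -> "DROP", or "RETURN" (back to the caller)
    for n, (match, target) in enumerate(chains.get(chain, []), 1):
        if matches(match, pkt):
            trace.append((chain, n, target))
            if target in ("DROP", "RETURN"):
                return target
            if traverse(chains, target, pkt, trace) == "DROP":
                return "DROP"
    return "RETURN"  # end of chain, or a chain that is not in the dump

if __name__ == "__main__":
    trace = []
    print(traverse(parse(RULES), "neutron-linuxbri-o68c64dd6-6", OSPF_HELLO, trace), trace)
```

For the constructed OSPF packet the walk ends at the unconditional -j RETURN (rule 6 of the o chain) without reaching a DROP, and the TCP, UDP and ICMP rules after it are never evaluated. The ingress chain for the port is not in the posted dump, so it cannot be checked the same way.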