Custom open vSwitch setup drops packets behind interface

asked 2016-04-01 07:02:43 -0500

Bene

Hi there,

I have the following setup:
Networks:
Net_1: 192.168.1.0/24
Net_2: 192.168.2.0/24

VMs (all running ubuntu 14.04):
switch:
intf eth2 = 192.168.1.4
intf eth3 = 192.168.2.4
VM One:
intf eth1 = 192.168.1.5
VM Two:
intf eth1 = 192.168.2.5

The switch VM is hosting an open vSwitch in fail-mode: secure. I added the following flow rules:

NXST_FLOW reply (xid=0x4):
cookie=0x0, ..., priority=10,in_port=3 actions=output:2
cookie=0x0, ..., priority=10,in_port=2 actions=output:3

I want to allow the two VMs (One and Two) to communicate with each other for testing purposes. So I try to ping One -> Two.

The problem now is that the ICMP echo request, sent from VM One, goes through the switch (->eth1 -> eth3 ->) and is dropped behind eth3. So it never reaches VM Two. I guess this is because the interface eth3 has IP 192.168.2.4 but my request comes from IP 192.168.1.5. It seems like OpenStack is dropping every packet behind eth3 (and vice versa) that does not have the interface's IP as source address. I think this is some sort of security behavior of OpenStack. Is it possible to allow sending out packets over an interface with a source IP that is not the interface's IP?

I hope someone can help me with this issue.

Btw, ARP is working just fine.

ubuntu@one:~$ arp -a
...
? (192.168.2.5) at fa:16:3e:37:24:79 [ether] on eth1

1 answer


answered 2016-04-21 09:45:31 -0500

Bene

updated 2016-04-21 09:46:39 -0500

Hi,

I found the mistake. If you want to send a packet through an interface/port and this packet has an IP/MAC different from the interface/port one, you need to provide a new IP/MAC pair to the interface/port settings. You can do this either with python-neutronclient or by using the REST API.
REST example:
REST endpoint for updating a port:
URL: neutronPort/v2.0/ports/<port-id>
JSON-Body:

{
    "port": {
        "allowed_address_pairs" : [
            {"ip_address": "192.168.100.2","mac_address": "fa:16:3e:ec:48:9b"}
        ]
    }
}
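
The following is an added example, not part of the original answer and not Neutron's own code: a simplified model of the source IP/MAC check that drops the ping at the switch VM's eth3 port, and of how an `allowed_address_pairs` entry changes the result. The IPs come from the question; the MAC addresses and all function names are constructed for illustration. `broad_pairs` is an audit helper, since every allowed pair widens what the port may send as source.

```python
import ipaddress
import json

# Constructed sample data: IPs are from the question, MACs are made up.
SWITCH_ETH3 = {
    "mac_address": "fa:16:3e:00:00:04",
    "fixed_ips": [{"ip_address": "192.168.2.4"}],
    "allowed_address_pairs": [],
}
VM_ONE = {"ip_address": "192.168.1.5", "mac_address": "fa:16:3e:00:00:05"}


def permitted_sources(port):
    """Return (network, mac) tuples the port may use as a source."""
    port_mac = port["mac_address"].lower()
    sources = [(ipaddress.ip_network(f["ip_address"]), port_mac)
               for f in port["fixed_ips"]]
    for pair in port.get("allowed_address_pairs", []):
        # ip_address may be a CIDR; mac_address defaults to the port's MAC.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        sources.append((net, pair.get("mac_address", port_mac).lower()))
    return sources


def passes_anti_spoofing(port, src_ip, src_mac):
    """Simplified model: accept only frames whose source IP and MAC match."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and src_mac.lower() == mac
               for net, mac in permitted_sources(port))


def port_update_body(pairs):
    """JSON body for PUT /v2.0/ports/<port-id>, shaped as in the answer."""
    return json.dumps({"port": {"allowed_address_pairs": pairs}})


def broad_pairs(pairs, max_hosts=1):
    """Audit helper: entries that cover more than max_hosts addresses."""
    return [p for p in pairs
            if ipaddress.ip_network(p["ip_address"],
                                    strict=False).num_addresses > max_hosts]


if __name__ == "__main__":
    src = (VM_ONE["ip_address"], VM_ONE["mac_address"])
    print("before:", passes_anti_spoofing(SWITCH_ETH3, *src))
    patched = dict(SWITCH_ETH3, allowed_address_pairs=[VM_ONE])
    print("after: ", passes_anti_spoofing(patched, *src))
    print("body:  ", port_update_body([VM_ONE]))
```

Keeping each pair to a single host address with an explicit MAC keeps the relaxation as narrow as the forwarding setup needs.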

Stats

Asked: 2016-04-01 06:32:14 -0500

Seen: 204 times

Last updated: Apr 21 '16