Can't ping vRouter from other hosts: Destination Host Prohibited

Hey guys,

I'm stuck on another weird problem. I set up Pike RDO on the latest CentOS 7, with iptables because neutron hates firewalld, linuxbridge, 1 externalnet (public), 1 internalnet (mgmt, data), 1 API node, 1 network node and a couple of computes. I had it running on Juno and Kilo, but was using a network-compute node hybrid in all the releases in between. Created a vrouter (44) and could ping it from the same host but not the others. I did it in Kilo on OVS instead of linuxbridge and it worked fine. Double-checked the FW (dev setup).

[root@22 ~]# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  x.x.x.0/27       anywhere             state NEW tcp
ACCEPT     udp  --  x.x.x.0/27       anywhere
ACCEPT     tcp  --  10.1.1.0/24          anywhere             state NEW tcp
ACCEPT     udp  --  10.1.1.0/24          anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

  • but still:

From x.x.x.22 icmp_seq=1 Destination Host Prohibited

  • l3 is pretty much stock:

https://docs.openstack.org/neutron/pike/install/controller-install-option2-rdo.html

  • but later I did and also tested many other configs:

[DEFAULT]
interface_driver = linuxbridge
external_network_bridge = br0
verbose = True
debug = True
use_syslog = True
syslog_log_facility = LOG_LOCAL0
use_namespaces = True
enable_metadata_proxy = True

tcpdump -i br0 |grep -v my_onw_host

15:36:54.608446 IP  11.mydomain >  44.mydomain: ICMP echo request, id 5079, seq 1225, length 64
15:36:54.609838 IP dns.mydomain.domain >  22.mydomain.46497: 57792* 1/4/8 PTR  44.mydomain. (347)
15:37:15.608414 IP  22.mydomain >  11.mydomain: ICMP host  44.mydomain unreachable - admin prohibited, length 92
15:37:15.608431 IP  11.mydomain >  44.mydomain: ICMP echo request, id 5079, seq 1246, length 64
15:37:15.612226 ARP, Request who-has  44.mydomain tell  11.mydomain, length 46
15:37:15.612268 ARP, Reply 44.mydomain is-at xx:xx:xx:xx:xx:10 (oui Unknown), length 28
15:37:16.608344 IP 22.domain >  11.mydomain: ICMP host  44.mydomain unreachable - admin prohibited, length 92
15:37:16.608362 IP 11.domain >  44.mydomain: ICMP echo request, id 5079, seq 1247, length 64

tail -f /var/log/neutron/l3-agent.log has nothing

2018-01-04 15:34:33.762 9184 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'qrouter-b181f8f8-9ef8-4f16-83e7-dd4644e0f824', 'arping', '-A', '-I', 'qr-e72292a2-0f', '-c', '1', '-w', '1.5', '192.168.0.1'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:108
2018-01-04 15:34:34.029 9184 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'qrouter-b181f8f8-9ef8-4f16-83e7-dd4644e0f824', 'arping', '-U', '-I', 'qg-85d52d1d-aa', '-c', '1', '-w', '1.5', '134.60.11.44'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:108
2018-01-04 15:34:34.058 9184 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'qrouter-b181f8f8-9ef8-4f16-83e7-dd4644e0f824', 'arping', '-A', '-I', 'qg-85d52d1d-aa', '-c', '1', '-w', 1.5', '134.60.11.44'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:108
2018-01-04 15:35:08.192 9184 DEBUG oslo_service.periodic_task [req-d673dbe8-194a-4986-ab44-9d227a663f07 - - - - -] Running periodic task L3NATAgentWithStateReport.periodic_sync_routers_task run_periodic_tasks/usr/lib/python2.7/site-packages/oslo_service/periodic_task.py:215
2018-01-04 15:35:22.850 9184 DEBUG oslo_concurrency.lockutils [-] Lock "_check_child_processes" acquired by "neutron.agent.linux.external_process._check_child_processes" :: waited 0.000s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:270
2018-01-04 15:35:22.852 9184 DEBUG oslo_concurrency.lockutils [-] Lock "_check_child_processes" released by "neutron.agent.linux.external_process._check_child_processes" :: held 0.003s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:282
2018-01-04 15:35:22.925 9184 DEBUG oslo_concurrency.lockutils [-] Lock "_check_child_processes" acquired by "neutron.agent.linux.external_process._check_child_processes" :: waited 0.000s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:270
2018-01-04 15:35:22.926 9184 DEBUG oslo_concurrency.lockutils [-] Lock "_check_child_processes" released by "neutron.agent.linux.external_process._check_child_processes" :: held 0.001s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:282
2018-01-04 15:35:48.197 9184 DEBUG oslo_service.periodic_task [req-d673dbe8-194a-4986-ab44-9d227a663f07 - - - - -] Running periodic task L3NATAgentWithStateReport.periodic_sync_routers_task run_periodic_tasks /usr/lib/python2.7/site-packages/oslo_service/periodic_task.py:215
2018-01-04 15:36:22.862 9184 DEBUG oslo_concurrency.lockutils [-] Lock "_check_child_processes" acquired by "neutron.agent.linux.external_process._check_child_processes" :: waited 0.000s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:270
2018-01-04 15:36:22.864 9184 DEBUG oslo_concurrency.lockutils [-] Lock "_check_child_processes" released by "neutron.agent.linux.external_process._check_child_processes" :: held 0.002s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:282
2018-01-04 15:36:22.925 9184 DEBUG oslo_concurrency.lockutils [-] Lock "_check_child_processes" acquired by "neutron.agent.linux.external_process._check_child_processes" :: waited 0.000s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:270
2018-01-04 15:36:22.926 9184 DEBUG oslo_concurrency.lockutils [-] Lock "_check_child_processes" released by "neutron.agent.linux.external_process._check_child_processes" :: held 0.001s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:282
2018-01-04 15:36:28.202 9184 DEBUG oslo_service.periodic_task [req-d673dbe8-194a-4986-ab44-9d227a663f07 - - - - -] Running periodic task L3NATAgentWithStateReport.periodic_sync_routers_task run_periodic_tasks /usr/lib/python2.7/site-packages/oslo_service/periodic_task.py:215

(neutron) router-show demorouter

+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                   | Value                                                                                                                                                                                                                                                                                               |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up          | True                                                                                                                                                                                                                                                                                                |
| availability_zone_hints |                                                                                                                                                                                                                                                                                                     |
| availability_zones      | nova                                                                                                                                                                                                                                                                                                |
| created_at              | 2017-12-11T10:19:23Z                                                                                                                                                                                                                                                                                |
| description             |                                                                                                                                                                                                                                                                                                     |
| distributed             | False                                                                                                                                                                                                                                                                                               |
| external_gateway_info   | {"network_id": "f6b716ad-3727-4a2e-aa14-e6a85bd4cdc2", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "22bdd4d4-6fae-45b2-a9d8-8aff3025ccdd", "ip_address": "x.x.x.44"}, {"subnet_id": "60708f6f-ce03-4aa9-9050-b9806189f1b0", "ip_address": "x:x:x:x:x:x:x:2084"}]} |
| flavor_id               |                                                                                                                                                                                                                                                                                                     |
| ha                      | False                                                                                                                                                                                                                                                                                               |
| id                      | b181f8f8-9ef8-4f16-83e7-dd4644e0f824                                                                                                                                                                                                                                                                |
| name                    | demorouter                                                                                                                                                                                                                                                                                          |
| project_id              | d939a9b2760946cf9aba1bd276c5cff3                                                                                                                                                                                                                                                                    |
| revision_number         | 3                                                                                                                                                                                                                                                                                                   |
| routes                  |                                                                                                                                                                                                                                                                                                     |
| status                  | ACTIVE                                                                                                                                                                                                                                                                                              |
| tags                    |                                                                                                                                                                                                                                                                                                     |
| tenant_id               | d939a9b2760946cf9aba1bd276c5cff3                                                                                                                                                                                                                                                                    |
| updated_at              | 2017-12-11T10:26:37Z                                                                                                                                                                                                                                                                                |
+-------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
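
Added example, not part of the original post: tcpdump prints "admin prohibited" for ICMP type 3 code 10, which is what iptables sends for `reject-with icmp-host-prohibited`. The Python sketch below parses abridged copies of the listing and capture from the post, lists the rules that can send that error, and flags earlier rules that only look unconditional because `iptables -L` without `-v` omits interface matches; the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the `iptables -L` listing in the post.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination
"""

# Constructed sample: three lines taken from the tcpdump output in the post.
SAMPLE_TCPDUMP = """\
15:37:15.608414 IP  22.mydomain >  11.mydomain: ICMP host  44.mydomain unreachable - admin prohibited, length 92
15:37:15.608431 IP  11.mydomain >  44.mydomain: ICMP echo request, id 5079, seq 1246, length 64
15:37:15.612268 ARP, Reply 44.mydomain is-at xx:xx:xx:xx:xx:10 (oui Unknown), length 28
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
PROHIBITED_RE = re.compile(
    r"IP\s+(\S+)\s+>\s+(\S+):\s+ICMP host\s+(\S+)\s+unreachable - admin prohibited")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_listing(text):
    """Return {chain: [rule, ...]} from `iptables -L` output (no -v)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        fields = line.split(None, 5)
        if current is None or len(fields) < 5 or fields[:2] == ["target", "prot"]:
            continue  # blank line, column header, or text before any chain
        target, prot, _opt, src, dst = fields[:5]
        extra = fields[5].strip() if len(fields) > 5 else ""
        current.append({"target": target, "prot": prot, "source": src,
                        "destination": dst, "extra": extra})
    return chains


def looks_unconditional(rule):
    """True if a terminal rule shows no match at all in non-verbose output."""
    # "reject-with ..." is an option of the REJECT target, not a match.
    matches = re.sub(r"reject-with \S+", "", rule["extra"]).strip()
    return (rule["target"] in TERMINAL and rule["prot"] == "all"
            and rule["source"] == "anywhere"
            and rule["destination"] == "anywhere" and not matches)


def host_prohibited_rules(chains):
    """List REJECT rules that answer with icmp-host-prohibited.

    Each finding also names earlier rules in the same chain that look
    unconditional; if the REJECT is still reached, those rules must carry
    an in/out interface match that `iptables -L` without -v does not print.
    """
    findings = []
    for chain, rules in chains.items():
        for pos, rule in enumerate(rules, start=1):
            if rule["target"] == "REJECT" and "icmp-host-prohibited" in rule["extra"]:
                hidden = [i for i, r in enumerate(rules[:pos - 1], start=1)
                          if looks_unconditional(r)]
                findings.append({"chain": chain, "position": pos,
                                 "check_interface_match": hidden})
    return findings


def prohibited_senders(tcpdump_text):
    """Return sorted (sender, probed_host) pairs from 'admin prohibited' lines."""
    return sorted({(m.group(1), m.group(3))
                   for m in PROHIBITED_RE.finditer(tcpdump_text)})


if __name__ == "__main__":
    for sender, probed in prohibited_senders(SAMPLE_TCPDUMP):
        print(f"{sender} sends the reject for traffic addressed to {probed}")
    for f in host_prohibited_rules(parse_listing(SAMPLE_LISTING)):
        print(f"{f['chain']} rule {f['position']} sends icmp-host-prohibited; "
              f"re-check rules {f['check_interface_match']} with -v")
```

Packet counters from `iptables -L -n -v`, read before and after a test ping, show which of the listed rules actually fired.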