devstack on Fedora 22, neutron networking, VM cannot ping internet hosts

I have a Fedora 22 machine where I am running devstack. Almost everything seems to be working properly except my VMs cannot ping external (internet) hosts. Hopefully, someone can get me over that hump.

Here is a snippet from my local.conf (enp5s0 is my wired ethernet connection):

FLAT_INTERFACE=enp5s0
IP_VERSION=4
FLOATING_RANGE=192.168.3.0/24
PUBLIC_NETWORK_GATEWAY=192.168.3.1
FIXED_RANGE=10.3.0.0/24
NETWORK_GATEWAY=10.3.0.1

I have run iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE, which has worked for me on older versions of Fedora.

In the event it helps, here is a dump of my iptables rules.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-openvswi-INPUT  all  --  anywhere             anywhere            
nova-api-INPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-FORWARD  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-FORWARD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-OUTPUT  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-OUTPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-openvswi-local  all  --  anywhere             anywhere            

Chain neutron-openvswi-FORWARD (1 references)
target     prot opt source               destination         
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap5d908dd9-18 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapbafd0f82-43 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-openvswi-INPUT (1 references)
target     prot opt source               destination         
neutron-openvswi-o5d908dd9-1  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
neutron-openvswi-obafd0f82-4  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-openvswi-OUTPUT (1 references)
target     prot opt source               destination         

Chain neutron-openvswi-i5d908dd9-1 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere             match-set NIPv436808a89-8530-4cd5-a85f- src
neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-ibafd0f82-4 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  10.3.0.2             anywhere             udp spt:bootps dpt:bootpc
RETURN     udp  --  anywhere             anywhere             udp multiport dports tcpmux:65535
RETURN     icmp --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere             match-set NIPv42e5920c9-ebb4-4755-b4f9- src
RETURN     tcp  --  anywhere             anywhere             tcp multiport dports tcpmux:65535
neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-local (1 references)
target     prot opt source               destination         

Chain neutron-openvswi-o5d908dd9-1 (2 references)
target     prot opt source               destination         
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-openvswi-s5d908dd9-1  all  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere            
neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-obafd0f82-4 (2 references)
target     prot opt source               destination         
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-openvswi-sbafd0f82-4  all  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  anywhere             anywhere             udp multiport dports tcpmux:65535
RETURN     tcp  --  anywhere             anywhere             tcp multiport dports tcpmux:65535
RETURN     all  --  anywhere             anywhere            
RETURN     icmp --  anywhere             anywhere            
neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-s5d908dd9-1 (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             MAC FA:16:3E:BD:5D:E1 /* Allow traffic from defined IP/MAC pairs. */
DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-openvswi-sbafd0f82-4 (1 references)
target     prot opt source               destination         
RETURN     all  --  10.3.0.3             anywhere             MAC FA:16:3E:73:17:9F /* Allow traffic from defined IP/MAC pairs. */
DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-openvswi-sg-chain (4 references)
target     prot opt source               destination         
neutron-openvswi-i5d908dd9-1  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap5d908dd9-18 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-openvswi-o5d908dd9-1  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-openvswi-ibafd0f82-4  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapbafd0f82-43 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-openvswi-obafd0f82-4  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere            

Chain neutron-openvswi-sg-fallback (4 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             f22.crobby.org       tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  anywhere             anywhere
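
An added example (not part of the original post): `iptables -L` without `-v` omits the in/out interface columns, so an interface-specific rule prints as `all -- anywhere anywhere`. The Python sketch below parses a listing in that format and reports rules that follow an apparently unconditional terminal rule, a sign the dump should be re-taken with `iptables -L -v -n` before it is reasoned about; the sample listing is constructed (modelled on the FORWARD chain above) and the function names are this example's own.

```python
import re

# Constructed sample in `iptables -L` format, modelled on the FORWARD chain above.
SAMPLE = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER     all  --  anywhere             anywhere

Chain DOCKER (1 references)
target     prot opt source               destination
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
RULE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Return {chain name: [rule dict, ...]} from `iptables -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^Chain (\S+) \(", line)
        m = RULE.match(line)
        if header:
            current = chains.setdefault(header.group(1), [])
        elif current is not None and m and not line.startswith("target "):
            target, prot, _opt, src, dst, extra = m.groups()
            match = re.sub(r"reject-with \S+", "", extra).strip()  # target option, not a match
            current.append(dict(target=target, prot=prot, src=src, dst=dst, match=match))
    return chains

def shadowed_rules(chains):
    """Rules listed after a terminal rule that shows no match condition."""
    found = []
    for name, rules in chains.items():
        catch_all = None
        for pos, r in enumerate(rules, 1):
            if catch_all is not None:
                found.append((name, pos, r["target"], catch_all))
            elif (r["target"] in TERMINAL and r["prot"] == "all" and not r["match"]
                  and r["src"] == r["dst"] == "anywhere"):
                catch_all = pos
    return found

if __name__ == "__main__":
    print(shadowed_rules(parse_listing(SAMPLE)))
```

A plain `iptables -L` also prints only the filter table; the MASQUERADE rule is in the nat table and is listed with `iptables -t nat -L -v -n`.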