I rekon this topic is of no interest to the mailing list. I have,
however, found the solution, and I would like to share it with the
rest of the list.
In my case I had two separate issues. One was a missing security rule:
(cloud)(cred:tutorial)antonio@kenny:~$ neutron
security-group-rule-create --direction ingress --protocol 47 default
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | b5c74385-baab-4321-a4f5-79750f9e9bb3 |
| port_range_max | |
| port_range_min | |
| protocol | 47 |
| remote_group_id | |
| remote_ip_prefix | |
| security_group_id | db519fbb-956c-4e4c-bcb6-95ae04c49b0a |
| tenant_id | 3b8231f6ab974adbbcd838042bbf63bd |
+-------------------+--------------------------------------+
(cloud)(cred:tutorial)antonio@kenny:~$ neutron security-group-rule-list
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id | security_group |
direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 1a667321-4898-4aad-ae62-24cccddba2ae | default | ingress
| tcp | 0.0.0.0/0 | |
| 1fbc5e11-0dfe-46f1-8183-826912a100b1 | default | ingress
| udp | 0.0.0.0/0 | |
| 21c8eba7-9469-4a8b-af78-f691f0adab56 | default | ingress
| | | default |
| 9b7792d1-1e91-43e9-a45d-dbe1541d278b | default | ingress
| tcp | 0.0.0.0/0 | |
| b0f3e4e9-5cc8-484c-a190-e2e421698ca8 | default | egress
| | | |
| b5c74385-baab-4321-a4f5-79750f9e9bb3 | default | ingress
| 47 | | |
| d7601656-2849-4d69-a4a8-6d8dc1380808 | default | ingress
| | | default |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
`47` is the ip protocol number for GRE[1]
The second issue is probably specific to iptables and/or Ubuntu (I am
running Ubuntu Trusty with kernel 3.16.0-34-generic). For some
reasons, even if the iptables rule was added:
Chain neutron-openvswi-ie4c61512-8 (1 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0
state INVALID
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
3 RETURN udp -- 172.23.3.0 0.0.0.0/0
udp spt:67 dpt:68
4 RETURN tcp -- 0.0.0.0/0 0.0.0.0/0
tcp multiport dports 1:65000
5 RETURN udp -- 0.0.0.0/0 0.0.0.0/0
udp multiport dports 1:65000
6 RETURN tcp -- 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
7 RETURN 47 -- 0.0.0.0/0 0.0.0.0/0
8 RETURN all -- 0.0.0.0/0 0.0.0.0/0
match-set IPv4db519fbb-956c-4e4c-b src
9 neutron-openvswi-sg-fallback all -- 0.0.0.0/0
0.0.0.0/0
GRE packets were still dropped by the first rule: "-m state --state
INVALID". The reason is that module `nf_conntrack_proto_gre` was
**not** loaded, and apparently with recent kernels[2][3] a packet is
marked as "INVALID" if the corresponding module is not loaded.
Loading the module and setting the proper security group rule was
enough for me to allow GRE traffic to work.
Cheers,
Antonio
[1]: http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
[2]: http://www.spinics.net/lists/netfilter/msg55920.html
[3]: although [2] is talking about different behavior between 3.17 and
3.18, I have with my 3.16 kernel the same behavior described for
3.18. I haven't investigate further though, and probably wont.
--
[email protected]
[email protected] +41 (0)44 635 42 22
S3IT: Service and Support for Science IT http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
