Hi,

2014-04-02 19:56 GMT+09:00 arjun jayaprakash <[email protected]>:
> Chain ryu_neutron_agen-s85e1f2a9-c (1 references)
> target prot opt source destination
> RETURN all -- 10.0.0.3 anywhere MAC FA:16:3E:73:59:71
> DROP all -- anywhere anywhere
>
> and not able to send packets from guest VMs.
>
> Environment: Ubuntu 13.10 + DevStack Havana (single node setup).
>
> Need to use a VM as a proxy to examine packets before forwarding them to
> the original destination. Packets will be rerouted to the Proxy VM using SDN.
> [VM1] --> [Proxy VM] --> [VM2].
> However, anti-spoofing rules prevent me from doing this. (Rant mode on: Did the
> OpenStack developers not envision that researchers may want to use VMs as
> proxies? Why did they make it almost impossible to disable the anti-spoofing
> mechanism?)
How about the allowed-address-pairs extension?
http://docs.openstack.org/admin-guide-cloud/content/section_allowed_address_pairs.html
But the Ryu plugin does not support this extension, unfortunately...

> Tried the following things:
> a) Flushing IPTables ... no go. IPTables shows up as flushed completely. But
> the blockage is still there for spoofed packets.
> b) Edited the virt/libvirt/firewall.py file to set base_filter as nova-vpn
> (which should not get any anti-spoof filters). Did a reset on q-svc, n-api.
> But no go.
> c) In the localrc file, set Q_USE_SECGROUP=False. I now see that IPTables does
> not have those anti-spoofing rules listed. Still the spoofed packets do not
> go through.
> d) Did a "sudo virsh nwfilter-edit nova-base" and deleted the anti-spoofing
> lines in the xml file. And also deleted the DROP rules from IPTables (using
> iptables-save > dump, edit dump, iptables-restore < dump).

Did you delete no-arp-spoofing, not only no-ip-spoofing?
I created two VMs (vm1, vm2) and changed the IP address of each VM by hand
on the VM. When I deleted no-ip-spoofing and no-arp-spoofing from nova-base,
ping succeeded.
But I think that this will not be a solution for your problem, because this
is an absurd operation.
I think it is better to wait for the release of the bug fix and to consider
the use of the allowed-address-pairs extension.
https://bugs.launchpad.net/nova/+bug/1112912

Thanks,
Kaneko

> Still nothing happened.
> What else can I try?
>
> Thanks,
> Shankar.
>

_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
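The per-port chain quoted at the top of the thread is the whole anti-spoofing mechanism on the iptables side: one RETURN for the port's fixed IP and MAC, then an unconditional DROP. The Python below is an added illustration, not code from Neutron, Ryu, Nova or either poster. It parses that quoted listing, evaluates a packet against it the way iptables does (first matching rule wins), and models what the allowed-address-pairs extension changes by inserting one more (address, MAC) RETURN ahead of the DROP. The proxy port's addresses (10.0.0.5, FA:16:3E:00:00:05), the 10.0.0.0/24 pair, and the shape of the inserted rule are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# `iptables -L` output for the per-port chain quoted in the message. Constructed
# here from the two rules shown, with the wrapped "MAC" column rejoined.
IPTABLES_LISTING = """\
Chain ryu_neutron_agen-s85e1f2a9-c (1 references)
target     prot opt source               destination
RETURN     all  --  10.0.0.3             anywhere             MAC FA:16:3E:73:59:71
DROP       all  --  anywhere             anywhere
"""


def parse_chain(listing):
    """Turn an `iptables -L` chain listing into a list of rule dicts.

    Only the columns present in the quoted output are understood: target,
    source (an IP/CIDR or 'anywhere') and an optional 'MAC <addr>' match.
    """
    rules = []
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("Chain", "target"):
            continue  # chain header and column header lines
        rule = {"target": tokens[0], "src": tokens[3], "mac": None}
        if "MAC" in tokens:
            rule["mac"] = tokens[tokens.index("MAC") + 1].lower()
        rules.append(rule)
    return rules


def rule_matches(rule, src_ip, src_mac):
    """A rule matches only if BOTH its source IP and its MAC condition hold."""
    if rule["src"] != "anywhere":
        if ip_address(src_ip) not in ip_network(rule["src"], strict=False):
            return False
    if rule["mac"] is not None and rule["mac"] != src_mac.lower():
        return False
    return True


def verdict(rules, src_ip, src_mac):
    """Walk the chain top-down; the first matching rule decides.

    RETURN hands the packet back to the calling chain (it survives the
    anti-spoofing check); DROP discards it. Falling off the end of a user
    chain also returns to the caller.
    """
    for rule in rules:
        if rule_matches(rule, src_ip, src_mac):
            return rule["target"]
    return "RETURN"


def add_allowed_address_pair(rules, ip_or_cidr, mac):
    """Model of what allowed-address-pairs would do to a port chain: one more
    RETURN for the extra (address, MAC) pair, inserted ahead of the DROP.

    Assumption for this example: the new rule has the same shape as the
    quoted RETURN rule. This is not Neutron's actual rule generator.
    """
    extra = {"target": "RETURN", "src": ip_or_cidr, "mac": mac.lower()}
    drop_at = next(i for i, r in enumerate(rules) if r["target"] == "DROP")
    return rules[:drop_at] + [extra] + rules[drop_at:]


def proxy_scenario():
    """The thread's [VM1] -> [Proxy VM] -> [VM2] case.

    The proxy port's chain is constructed with hypothetical addresses
    (10.0.0.5 / FA:16:3E:00:00:05). Returns the verdicts for:
      - VM1's packet forwarded by the proxy, before any allowed pair,
      - the same packet after a 10.0.0.0/24 pair bound to the proxy's MAC,
      - the same packet when the frame still carries VM1's source MAC.
    """
    proxy_ip, proxy_mac = "10.0.0.5", "fa:16:3e:00:00:05"
    vm1_ip, vm1_mac = "10.0.0.3", "fa:16:3e:73:59:71"
    proxy_chain = [
        {"target": "RETURN", "src": proxy_ip, "mac": proxy_mac},
        {"target": "DROP", "src": "anywhere", "mac": None},
    ]
    before = verdict(proxy_chain, vm1_ip, proxy_mac)
    patched = add_allowed_address_pair(proxy_chain, "10.0.0.0/24", proxy_mac)
    after = verdict(patched, vm1_ip, proxy_mac)
    wrong_mac = verdict(patched, vm1_ip, vm1_mac)
    return before, after, wrong_mac


if __name__ == "__main__":
    chain = parse_chain(IPTABLES_LISTING)
    print("VM1 from its own port:", verdict(chain, "10.0.0.3", "FA:16:3E:73:59:71"))
    print("proxy forwarding VM1's packet (before/after pair/after pair, VM1 MAC):",
          proxy_scenario())
```

Two things the simulation makes visible. First, the rule matches an IP and MAC pair, so an allowed pair only helps if frames actually leave the proxy port with the MAC named in the pair; a proxy that bridges VM1's frames through unchanged, keeping VM1's source MAC, still hits the DROP. Second, this is only the iptables layer. With Q_USE_SECGROUP=False that chain is gone, and what remains is libvirt's nwfilter on the guest interface (the no-ip-spoofing and no-arp-spoofing filters referenced from nova-base, which Kaneko removed above); that is a separate mechanism, and this script does not model it.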
