Thanks Kaneko,
I tried flushing both arp & IP tables, but got the same results. Any idea by when
that OpenStack fix will be available?
Regards,
Shankar.
On Thursday, 3 April 2014 5:31 PM, Yoshihiro Kaneko <[email protected]>
wrote:
Hi,
2014-04-02 19:56 GMT+09:00 arjun jayaprakash <[email protected]>:
> Chain ryu_neutron_agen-s85e1f2a9-c (1 references)
> target prot opt source destination
> RETURN all -- 10.0.0.3 anywhere MAC FA:16:3E:73:59:71
> DROP all -- anywhere anywhere
> and not able to send packet from guest VMs.
>
> Environment: Ubuntu 13.10 + DevStack Havana (single node setup).
> Need to use a VM as a proxy to examine packets before forwarding them to
> original destination. Packet will be rerouted to Proxy VM using SDN.
> [VM1] --> [Proxy VM] --> [VM2].
> However, anti-spoofing rules prevent me from doing this. (Rant mode on: Did the
> OpenStack developers not envision that researchers may want to use VMs as
> proxies? Why did they make it almost impossible to disable the anti-spoofing
> mechanism?).
How about the allowed-address-pairs extension?
http://docs.openstack.org/admin-guide-cloud/content/section_allowed_address_pairs.html
But unfortunately the Ryu plugin does not support this extension...
> Tried the following things:
> a) Flushing IPTables ... no go. IPTables shows up as flushed completely. But
> blockage is still there for spoofed packets.
> b) Edited virt/libvirt/firewall.py file to set base_filter as nova-vpn
> (which should not get any anti-spoof filters). Did a reset on q-svc, n-api.
> But no go.
> c) In the localrc file, set Q_USE_SECGROUP=False. I now see that IPTables does
> not have those anti-spoofing rules listed. Still the spoofed packets do not
> go through.
> d) Did a "sudo virsh nwfilter-edit nova-base" and deleted the anti-spoofing
> lines in the xml file. And also deleted the DROP rules from IPTables (using
> iptables-save > dump, edit dump, iptables-restore < dump).
Did you delete no-arp-spoofing as well, not only no-ip-spoofing?
I created two VMs (vm1, vm2) and changed the IP address of each VM by hand on the VM.
When I deleted no-ip-spoofing and no-arp-spoofing from nova-base, ping
succeeded.
But I think that this will not be a solution for your problem because
this is an absurd operation.
I think it is better to wait for the release of the bug fix and
to consider using the allowed-address-pairs extension.
https://bugs.launchpad.net/nova/+bug/1112912
Thanks,
Kaneko
> Still nothing happened.
> What else can I try?
> Thanks,
> Shankar.
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Ryu-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ryu-devel
>
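The question raised in the reply above (are both no-ip-spoofing and no-arp-spoofing still referenced by nova-base?) can be checked mechanically. The following is an added example, not part of the original thread or of Nova/Ryu code; the function names and the two sample XML documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Anti-spoofing filters named in this thread. Assumption: these are the only
# ones the audit cares about; extend the tuple for other deployments.
ANTI_SPOOF = ("no-ip-spoofing", "no-arp-spoofing")

# Constructed sample inputs in libvirt nwfilter XML form (not captured output).
INTACT = """<filter name='nova-base' chain='root'>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>"""
PARTIAL = """<filter name='nova-base' chain='root'>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>"""


def audit_nwfilter(xml_text, required=ANTI_SPOOF):
    """Return (filter_name, present, missing) for the required filterrefs."""
    root = ET.fromstring(xml_text)
    if root.tag != "filter":
        raise ValueError("not an nwfilter definition: <%s>" % root.tag)
    # Collect every filter referenced by this definition.
    refs = {r.get("filter") for r in root.iter("filterref")}
    present = [f for f in required if f in refs]
    missing = [f for f in required if f not in refs]
    return root.get("name"), present, missing


def report(xml_text):
    """One-line verdict suitable for a host hardening check."""
    name, present, missing = audit_nwfilter(xml_text)
    if not missing:
        return "%s: anti-spoofing intact" % name
    state = "partially" if present else "fully"
    return "%s: anti-spoofing %s removed (missing: %s)" % (
        name, state, ", ".join(missing))


if __name__ == "__main__":
    for sample in (INTACT, PARTIAL):
        print(report(sample))
```

On a compute host, the input would be the XML printed by `virsh nwfilter-dumpxml nova-base`.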