** Description changed:
- Note: OVS from before 1.5, which includes the default versions shipped
- with 12.04 and Fedora 17, has a bug that causes it not to work correctly
- with floating IPs when the person contacting the floating IP is on the
- same box as quantum-l3-agent.
+ [Impact]
+ The connection tracking logic using by IPtables gets confused if a packet
passes through multiple linux network namespaces on the same host. The reason
for this confusion is that OVS is not properly clearing some of the fields in
the skb header, meaning the connection tracking ignores this packet, so
iptables functionality that relies on this (in particular DNAT and SNAT) do not
work.
+
+ In particular, the use of OVS by OpenStack Quantum is critically
+ affected by this bug.
+
+ [Fix]
+ The issue has been fixed upstream as of 1.4.3. A minimal 5-liner that clears
the appropriate metadata from the skb header. The patch has been
cherry-picked and fix released in the current Ubuntu dev. release (12.10).
+
+ [Test Case]
+ 1. Create external network 40.0.0.0/24 for floating IPs
+ 2. Assign br-ex the IP 40.0.0.1
+ 3. Pinging 40.0.0.1 appears to work, but you're pinging the router, not the VM
+ 4. Network connectivity to the VM with the floating IP does not work, as
expected.
+
+ [Regression Potential]
+ Minimal. Simple patch that has been cherry-picked from the current upstream
stable release of Openvswitch (1.4.3).
+
+ [Original Report]
+ Note: OVS from before 1.5, which includes the default versions shipped with
12.04 and Fedora 17, has a bug that causes it not to work correctly with
floating IPs when the person contacting the floating IP is on the same box as
quantum-l3-agent.
While not very likely to happen in a production setup, this is fairly
common in simple development environments. For example, let's say you
create an external network 40.0.0.0/24 for floating IPs. If you then
assign br-ex the IP 40.0.0.1, you should be able to reach all of your
VMs with floating IPs, but it won't work because of this bug. Oddly, it
- will often appear to work if you use ping, but in reality you are pining
- the IP address in the router namespace, not the VM.
+ will often appear to work if you use ping, but in reality you are
+ pinging the IP address in the router namespace, not the VM.
We believe the following OVS commit it required for this to work
properly:
http://openvswitch.org/cgi-
bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=53e6421bc83918ac2d00ba5516f205fa7e394140
We are looking at creating a new stable release on the 1.4.x branch to
include this change and plan to work with distros to get it pulled into
their packages.
-
- [IMPACT]
- The connection tracking logic using by IPtables gets confused if a packet
passes through multiple linux network namespaces on the same host. The reason
for this confusion is that OVS is not properly clearing some of the fields in
the skb header, meaning the connection tracking ignores this packet, so
iptables functionality that relies on this (in particular DNAT and SNAT) do not
work.
-
- In particular, the use of OVS by OpenStack Quantum is critically
- affected by this bug.
-
- [FIX]
- The issue has been fixed upstream as of 1.4.3. A minimal 5-liner that clears
the appropriate metadata from the skb header. The patch has been
cherry-picked and fix released in the current Ubuntu dev. release (12.10).
-
- [REGRESSION POTENTIAL]
- Minimal. Simple patch that has been cherry-picked from the currentl upstream
stable release of Openvswitch (1.4.3).
** Changed in: openvswitch (Ubuntu Precise)
Status: Confirmed => Triaged
** Changed in: openvswitch (Ubuntu Precise)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1044318
Title:
[SRU] pre-1.5 OVS has trouble with floating ips when pinging from the
same box
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/1044318/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
