Yes, this is a known issue with certain kernel versions having broken
netfilter code. I don't have the exact upstream bug as reference, just
have a memory of seeing it tracked down.
So I will close as not a bug.
** Changed in: neutron
Status: New => Invalid
https://bugs.launchpad.net/bugs/1774341
Title:
dvr fip doesn't work on centos 7.5
Status in neutron:
Invalid
Bug description:
Fip in dvr mode worked well on centos 7.4.
But I found fip in dvr mode on centos 7.5 didn't work.
If a router is in centralized mode, fip works well even on centos 7.5.
But if a router is in distributed mode, fip didn't work.
I found packets from outside were passed through from the fip namespace to
the qrouter namespace on the compute node, and packets were found in the rfp
interface, but not found in the qr interface. I think probably iptables
doesn't perform DNAT.
==== Kernel parameters
# sysctl -p
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.ip_forward = 1
==== iptables of qrouter namespace (Fixed IP: 192.168.101.16, Floating-IP: 222.222.222.222)
# ip netns exec qrouter-1a76dc2f-9c5d-43b6-9c58-e8d09d36ddde iptables -nL -t nat
(omitted)
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
DNAT all -- 0.0.0.0/0 222.222.222.222 to:192.168.101.16
REDIRECT tcp -- 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
SNAT all -- 192.168.101.16 0.0.0.0/0 to:222.222.222.222
(omitted)