Public bug reported:
We are running neutron victoria 17.4.1. The floating ip port forwarding
extension doesn't seem to work with external traffic.
After debugging it looks like the neutron port forwarding extension
doesn't create a necessary iptables rule responsible for setting the
0x4000000/0xffff0000 mark.
(public ip addresses replaced with *.*.*.)
Reproduction:
`openstack floating ip port forwarding create --internal-ip-address 10.0.0.227 --port dfba05b5-31ba-466b-80d9-79df7e053e7f --internal-protocol-port 80 --external-protocol-port 80 --protocol tcp *.*.*.172`
We see a created dnat rule:
Chain neutron-l3-agent-pf-b6eaee1f (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            *.*.*.172            tcp dpt:80 to:10.0.0.227:80
But there is no rule in the mangle table that sets the required marker
to pass the DROP rule inside the neutron-l3-agent-scope chain.
Supporting this suspicion: port forwarding from the internal network of the
VM works. Those packets are received on the qr interface of the router before
hitting the DROP rule.
This is the mangle rule which seems to work for internal traffic:
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target     prot opt in             out     source               destination
75895   11M MARK       all  --  qr-61cfbe6d-89 *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x4000000/0xffff0000
If I see this correctly the port forwarding extension needs to create a mangle
chain/rule like all other floating ips get, example floating ip chain:
Chain neutron-l3-agent-floatingip (1 references)
 pkts bytes target     prot opt in     out     source               destination
42728 4400K MARK       all  --  *      *       0.0.0.0/0            *.*.*.89             MARK xset 0x4000000/0xffff0000
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1995614
Title:
floating ip portforwarding from external not working
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1995614/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
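The check a practitioner would want to run before filing or confirming a report like this one: take an `iptables-save` dump from the router namespace and list every external address that has a DNAT rule in a `neutron-l3-agent-pf-*` chain but no `MARK --set-xmark 0x4000000/0xffff0000` rule in the mangle table. The script below is an added example and is not Neutron code or anything posted in the report. The dump it parses is constructed to mirror the three chains shown above, with documentation-range addresses standing in for the masked `*.*.*.172` and `*.*.*.89`; the suggested mark rule it prints is shaped after the `neutron-l3-agent-floatingip` entry, as the reporter proposes, and is an assumption about what the agent would need, not the upstream fix.

```python
"""Find port-forwarding FIPs that get a DNAT but no scope mark.

Added example, not Neutron code: parses iptables-save output and reports
external addresses DNAT'ed by a neutron-l3-agent-pf-* chain (nat table)
without a matching MARK rule in the mangle table.
"""
import re

# Scope mark value taken from the report; set by the l3 agent so traffic
# is not hit by the DROP rule in neutron-l3-agent-scope.
SCOPE_MARK = "0x4000000/0xffff0000"

# Constructed iptables-save excerpt mirroring the report's chains.
# 203.0.113.172 stands in for the port-forwarding FIP (*.*.*.172),
# 203.0.113.89 for the ordinary floating IP (*.*.*.89).
SAMPLE_DUMP = """\
*mangle
:neutron-l3-agent-floatingip - [0:0]
:neutron-l3-agent-scope - [0:0]
-A neutron-l3-agent-floatingip -d 203.0.113.89/32 -j MARK --set-xmark 0x4000000/0xffff0000
-A neutron-l3-agent-scope -i qr-61cfbe6d-89 -j MARK --set-xmark 0x4000000/0xffff0000
COMMIT
*nat
:neutron-l3-agent-pf-b6eaee1f - [0:0]
-A neutron-l3-agent-pf-b6eaee1f -d 203.0.113.172/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.227:80
COMMIT
"""

_PF_DNAT = re.compile(
    r"^-A neutron-l3-agent-pf-\S+ .*?-d (\S+?)(?:/32)? .*-j DNAT\b")
_SCOPE_MARK = re.compile(
    r"^-A \S+ .*?-d (\S+?)(?:/32)? .*-j MARK --set-xmark "
    + re.escape(SCOPE_MARK) + r"\b")


def parse_tables(dump):
    """Map each iptables-save table name to its list of '-A' rule lines."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def port_forwarding_targets(nat_rules):
    """External addresses DNAT'ed by any neutron-l3-agent-pf-* chain."""
    return {m.group(1) for r in nat_rules if (m := _PF_DNAT.match(r))}


def scope_marked_destinations(mangle_rules):
    """Destination addresses that receive the scope MARK in the mangle table."""
    return {m.group(1) for r in mangle_rules if (m := _SCOPE_MARK.match(r))}


def unmarked_port_forwardings(dump):
    """Sorted port-forwarding FIPs that have a DNAT but no scope MARK."""
    tables = parse_tables(dump)
    targets = port_forwarding_targets(tables.get("nat", []))
    marked = scope_marked_destinations(tables.get("mangle", []))
    return sorted(targets - marked)


def suggested_mark_rule(address):
    """Rule shaped like the floatingip chain's entry for a normal FIP.

    Assumption for illustration: that this is the rule the agent would
    need for a port-forwarding FIP; it is not Neutron's actual fix.
    """
    return ("-A neutron-l3-agent-floatingip -d %s/32 -j MARK --set-xmark %s"
            % (address, SCOPE_MARK))


if __name__ == "__main__":
    for fip in unmarked_port_forwardings(SAMPLE_DUMP):
        print("no scope mark for port-forwarding FIP %s; e.g. %s"
              % (fip, suggested_mark_rule(fip)))
```

On a real node, feed `ip netns exec qrouter-<router-id> iptables-save` output to `unmarked_port_forwardings` instead of `SAMPLE_DUMP`. An empty result means every port-forwarding address is marked the same way ordinary floating IPs are; a non-empty result reproduces the mismatch the report describes.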