Hi John,

Can you take a look at https://bugs.launchpad.net/neutron/+bug/1190613 ?
Looks like the exact issue you're talking about and it was fixed just recently.

Thanks,
Eugene.

On Sat, Jul 27, 2013 at 10:22 PM, John Gruber <john.t.gru...@gmail.com> wrote:

>
> So I got it to work, but I need guidance from the OVS iptables gang on what
> the reasoning was and how I fix it in a 'compliant' manner.
>
> Q. Why are the iptables rules on the OVS output chains for the interfaces
> written as if the vif should only have ONE IP address assigned where quantum
> can assign multiple fixedips?
>
> For the example where IP address 10.0.60.20 was assigned to my guest VM on
> an external interface and assigned at boot, and then I added 10.0.60.22 via
> nova --add-fixed-ip vm-uuid net-uuid...
>
> Here is what I had in my iptables rules after adding the second fixedip:
>
> iptables -L quantum-openvswi-o8a508818-0 --line-numbers
> Chain quantum-openvswi-o8a508818-0 (2 references)
> num  target     prot opt source               destination
> 1    DROP       all  --  anywhere             anywhere             MAC ! FA:16:3E:41:6B:15
> 2    RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
> *3   DROP       all  --  !10.0.62.20          anywhere
> 4    DROP       all  --  !10.0.62.22          anywhere
> *5   DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
> 6    DROP       all  --  anywhere             anywhere             state INVALID
> 7    RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> 8    RETURN     all  --  anywhere             anywhere
> 9    quantum-openvswi-sg-fallback  all  --  anywhere             anywhere
>
> This obviously will not work. The rules shadow each other and cut off all
> outbound access from the guest VM on that network. Which is exactly what I
> was observing..
>
> Running: iptables -D quantum-openvswi-o8a508818-0 4
>
> And my access to 10.0.62.20 came back...
>
> Running iptables -D quantum-openvswi-o8a508818-0 3
>
> And my access to 10.0.62.22 started working...
>
> Please tell me we did not intend to create a cloud where quantum has no
> problems assigning multiple fixed IPs to a port, but iptables will eat them
> all up! <g> Oh the humanity...
>
> I know how to make it work and can hunt down the iptables root wrapper
> command, but what should we do for this? I could not find an existing bug..
>
> John
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
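
Added example, not part of the thread and not Neutron code: a first-match model of rules 3 and 4 from the quoted chain, showing why two negated-source DROP rules block both fixed IPs. The allow-list ordering and all function names are assumptions for illustration, not the change made for the linked bug.

```python
import ipaddress

# Rules 3, 4 and 8 of the quoted chain as (target, source) pairs.
# A leading "!" negates the source match, as in the iptables listing.
AS_POSTED = [("DROP", "!10.0.62.20"),
             ("DROP", "!10.0.62.22"),
             ("RETURN", "anywhere")]

# Assumed alternative (hypothetical, not from the thread): one RETURN per
# allowed address, then a catch-all DROP for every other source.
ALLOW_LIST = [("RETURN", "10.0.62.20"),
              ("RETURN", "10.0.62.22"),
              ("DROP", "anywhere")]


def matches(spec, src):
    """True if source address src matches an iptables-style source spec."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "anywhere":
        hit = True
    else:
        net = ipaddress.ip_network(spec, strict=False)
        hit = ipaddress.ip_address(src) in net
    return hit != negate


def verdict(chain, src):
    """Walk the chain top to bottom; the first matching rule decides."""
    for target, spec in chain:
        if matches(spec, src):
            return target
    return "RETURN"  # falling off the end of a user chain returns to the caller


def shadowed_negations(chain):
    """Return the negated DROP sources when two or more distinct host
    addresses are negated: every packet then matches at least one of them."""
    negated = sorted({spec.lstrip("!") for target, spec in chain
                      if target == "DROP" and spec.startswith("!")})
    return negated if len(negated) > 1 else []


if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("allow list", ALLOW_LIST)):
        for src in ("10.0.62.20", "10.0.62.22", "10.0.62.99"):
            print(f"{name:10} {src:12} -> {verdict(chain, src)}")
        print(f"{name:10} shadowing sources: {shadowed_negations(chain)}")
```

Dropping the second rule from AS_POSTED reproduces what the poster saw after deleting rule 4: traffic from 10.0.62.20 passes again while 10.0.62.22 stays blocked.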