Hi Agmon,

Thanks for trying this feature first.
We discussed with Jakub Libosvar from Neutron Team, and confirmed that VM-Nested Trunk can’t work with iptables_hybrid in neutron. More detail in IRC log [1].

Part of the log:
limao   jlibosva: trunk port do not work with iptables_hybrid , Do we have any bug about this or it is by design?       15:27
jlibosva        limao: that's by design 15:27
jlibosva        limao: "Obviously this solution is not compliant with iptables firewall." from https://github.com/openstack/neutron/blob/master/doc/source/devref/openvswitch_agent.rst#tackling-the-network-trunking-use-case   15:29
jlibosva        limao: at "To summarize:" section, B solution   15:29

[1]http://eavesdrop.openstack.org/irclogs/%23openstack-neutron/%23openstack-neutron.2016-11-22.log.html

Loop jlibosva and add [Neutron] Tag in mail title.
Thanks.

Regards,
Liping Mao

On 17/1/24 18:00, "Agmon, Gideon (Nokia - IL)" <gideon.ag...@nokia.com> wrote:

    Hi,
    
    Environment:
     - Centos 7.3 , kernel 3.10 (!)
     - devstack mid Jan 2017 master
     - kuryr-libnetworks
     - NOT using openvswitch firewall as shown e.g. in https://github.com/openstack/kuryr-libnetwork#how-to-try-out-nested-containers-locally
       because Linux kernel 3.10 doesn't support it, so Linux bridge is used instead!
    
    Question: Must I use Openvswitch firewall instead of linux bridge for proper operation of trunk bridge?
    ========
    
    The phenomenon:
    ===============
    When ARP from ContainerA to containerB, both are nested within a VM, the ping fails:
     - ARP request (broadcast) succeeds to pass via the Linux bridge to the OVS and back to the VM via the Linux bridge.
     - ARP reply (unicast) succeeds to pass via the Linux bridge to the OVS (it learned the MAC from the request coming back from the OVS).
     - this ARP reply is not forwarded by the Linux bridge to the VM! Note that it learned this MAC from the OVS side (although with a different Vlan).
    
    I suspect:
    ========
    The Linux bridge works in SVL mode (Shared-Vlan-Learning).   
    
    Thanks in advance
    Gideon
    
    _______________________________________________
    Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
    Post to     : openstack@lists.openstack.org
    Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
    
