Juniper Openstack

Traffic from OnPrem nodes behind GW to Cloud fails

Series r5.0
Bug #1784957

Bug #1784957 reported by Senthilnathan Murugappan on 2018-08-01

12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Juniper Openstack	Status tracked in Trunk
	R5.0	Fix Committed	Medium	Adam Kulagowski	Juniper Openstack r5.0.1
	Trunk	Fix Committed	Medium	Adam Kulagowski	Juniper Openstack r5.1.0

Bug Description

The default action for Chain Forward in iptables is set to Drop so the pkts from the private interface of GW to tap0 interface gets dropped. We need to add a rule to fwd pkts between tap0 and pvt_interface. Need to add rules 5 and 6 in the below output as part of provisioning.

Chain FORWARD (policy DROP 12 packets, 688 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0

5 17 1440 ACCEPT all -- tap0 bond0 0.0.0.0/0 0.0.0.0/0
6 14 1164 ACCEPT all -- bond0 tap0 0.0.0.0/0 0.0.0.0/0

Tags:

Revision history for this message

Sanju Abraham (asanju) wrote on 2018-08-02:

#1

The iptables rules that was applied on the GW to get this working was :

iptables -t filter -A FORWARD -i bond0 -o tap0 -j ACCEPT
iptables -t filter -A FORWARD -i tap0 -o bond0 -j ACCEPT

The pvt customer facing subnet was on the bond0 and the cloud facing subnet on tap0.

Changed in juniperopenstack:
importance:	Undecided → High
status:	New → In Progress

Revision history for this message

Adam Kulagowski (adam.kulagowski-codilime.com) wrote on 2018-08-02:

#2

By design we are not touching FW on onPrem host. This decision was made 2 months ago. Currently the playbook for ansible looks like this:

- name: Deploy iptables
   hosts: gateways
   become: yes
   roles:
     - role: iptables
       when: provider != "onprem"

This change was applied to not break existing FW configuration.

Revision history for this message

Sanju Abraham (asanju) wrote on 2018-08-04:

#3

As a fix for this bug, we will stop the execution of the play with the detailed message and give a possible solution to fix the issue and expect that the operator/user would fix before re-trying.

Ritam Gangopadhyay (ritam) on 2018-08-06

tags:

added: beta-blocker

Revision history for this message

Sanju Abraham (asanju) wrote on 2018-08-07:

#4

Moving the importance of this issue to Medium as this is seen only on 1 testbed, where an IPTables policy to deny all except the ones in the rules in the forward tables.

For OnPrem, multicloud provisioning does not set any rule, since this is a complete customer equipment and the customer would be responsible for this. As a preventative fix, we will detect the deny policy and stop the play and recommend that the IPTables be fixed.

We do not want to change IPTables on onprem CPE as I personally have seen customers not like that approach at all. Hence we will follow the standard of what ansible does, detect an issue, abort, suggest the corrective action

Revision history for this message

Jeba Paulaiyan (jebap) wrote on 2018-08-08:

#5

As commit is not updated here, moving back to New

Revision history for this message

Paweł Kopka (pkopka) wrote on 2018-08-09:

#6

Adam created PR https://github.com/Juniper/contrail-multi-cloud/pull/192

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.