Bug #5109

libvirt network filter should allow traffic from vrouter floating ip

Added by John Noss over 2 years ago. Updated over 2 years ago.

Status:ClosedStart date:04/17/2017
Priority:NormalDue date:
Assignee:Ruben S. Montero% Done:

0%

Category:Core & System
Target version:Release 5.4
Resolution:fixed Pull request:
Affected Versions:OpenNebula 5.0, OpenNebula 5.2

Description

Currently if using a libvirt network filter (such as 'clean-traffic') and launching a virtual router with a floating IP, the virtual router IP is not allowed in ebtables.

If launching a virtual router with native IP 172.16.2.5 and vrouter floating IP 172.16.2.4, current ebtables rules generated only include the native IP:

$ ebtables -t nat -L

Bridge chain: I-one-3-0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.2.5 -j RETURN
-j DROP

This is because currently the virsh xml generated only includes the VM native IP:

                        <filterref filter='clean-traffic'>
                                <parameter name='IP' value='172.16.2.5'/>
                        </filterref>

Instead this should be (for case of launching a vm with native ip 172.16.2.7 and floating vrouter IP 172.16.2.6):

                        <filterref filter='clean-traffic'>
                                <parameter name='IP' value='172.16.2.7'/>
                                <parameter name='IP' value='172.16.2.6'/>
                        </filterref>

Which generates correct ebtables rules (note both IPs allowed now):

$ ebtables -t nat -L

Bridge chain: I-one-4-0-ipv4-ip, entries: 4, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.2.7 -j RETURN
-p IPv4 --ip-src 172.16.2.6 -j RETURN
-j DROP

See PR on github https://github.com/OpenNebula/one/pull/261 for this, fix is in src/vmm/LibVirtDriverKVM.cc should look like this around line 943:

                 file << "\t\t\t<filterref filter=" 
                          << one_util::escape_xml_attr(*the_filter) << ">\n" 
                      << "\t\t\t\t<parameter name='IP' value=" 
-                         << one_util::escape_xml_attr(ip) << "/>\n" 
-                     << "\t\t\t</filterref>\n";
+                         << one_util::escape_xml_attr(ip) << "/>\n";
+                if ( !vrouter_ip.empty() )
+                {
+                    file << "\t\t\t\t<parameter name='IP' value=" 
+                            << one_util::escape_xml_attr(vrouter_ip) << "/>\n";
+                }
+                file << "\t\t\t</filterref>\n";

Note, this will need to be in place if Request 4955 is implemented - if this libvirt network filter is on by default, then vrouter IPs won't work without this addition.

History

#1 Updated by Ruben S. Montero over 2 years ago

  • Category set to Core & System
  • Status changed from Pending to New
  • Assignee set to Ruben S. Montero
  • Target version set to Release 5.4

#2 Updated by Ruben S. Montero over 2 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Also available in: Atom PDF