Bug #5109

libvirt network filter should allow traffic from vrouter floating ip

Added by John Noss about 4 years ago. Updated about 4 years ago.

Status: Closed
Start date: 04/17/2017
Priority: Normal
Due date:
Assignee: Ruben S. Montero
% Done: 0%
Category: Core & System
Target version: Release 5.4
Resolution: fixed
Pull request:
Affected Versions: OpenNebula 5.0, OpenNebula 5.2

Description

Currently if using a libvirt network filter (such as 'clean-traffic') and launching a virtual router with a floating IP, the virtual router IP is not allowed in ebtables.

If launching a virtual router with native IP 172.16.2.5 and vrouter floating IP 172.16.2.4, current ebtables rules generated only include the native IP:

$ ebtables -t nat -L

Bridge chain: I-one-3-0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.2.5 -j RETURN
-j DROP

This is because currently the virsh XML generated only includes the VM native IP:

                        <filterref filter='clean-traffic'>
                                <parameter name='IP' value='172.16.2.5'/>
                        </filterref>

Instead this should be (for case of launching a vm with native ip 172.16.2.7 and floating vrouter IP 172.16.2.6):

                        <filterref filter='clean-traffic'>
                                <parameter name='IP' value='172.16.2.7'/>
                                <parameter name='IP' value='172.16.2.6'/>
                        </filterref>

Which generates correct ebtables rules (note both IPs allowed now):

$ ebtables -t nat -L

Bridge chain: I-one-4-0-ipv4-ip, entries: 4, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.2.7 -j RETURN
-p IPv4 --ip-src 172.16.2.6 -j RETURN
-j DROP

See the PR on GitHub, https://github.com/OpenNebula/one/pull/261, for this; the fix is in src/vmm/LibVirtDriverKVM.cc and should look like this around line 943:

                 file << "\t\t\t<filterref filter=" 
                          << one_util::escape_xml_attr(*the_filter) << ">\n" 
                      << "\t\t\t\t<parameter name='IP' value=" 
-                         << one_util::escape_xml_attr(ip) << "/>\n" 
-                     << "\t\t\t</filterref>\n";
+                         << one_util::escape_xml_attr(ip) << "/>\n";
+                if ( !vrouter_ip.empty() )
+                {
+                    file << "\t\t\t\t<parameter name='IP' value=" 
+                            << one_util::escape_xml_attr(vrouter_ip) << "/>\n";
+                }
+                file << "\t\t\t</filterref>\n";
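Review bot: `vrouter_ip` is tested in the new `if ( !vrouter_ip.empty() )` branch, but nothing in the hunk declares it or loads it from the NIC, so confirm the surrounding code fetches the floating address alongside `ip` before this block; if it is never populated the guard is always false and the second `<parameter name='IP' .../>` is silently never emitted, which is exactly the symptom this bug reports. As a style point, the continuation lines `<< one_util::escape_xml_attr(ip) << "/>\n";` and `<< one_util::escape_xml_attr(vrouter_ip) << "/>\n";` are indented differently from the `file <<` / `<< "\t\t\t\t<parameter ...` lines they continue; aligning them with the preceding `<<` keeps the stream chain readable.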

Note: this will need to be in place if Request 4955 is implemented; if this libvirt network filter is on by default, then vrouter IPs won't work without this addition.
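The following is an added example, not OpenNebula's code and not part of the bug report above. It reproduces the intended `<filterref>` generation in stand-alone C++ and adds the check an operator would run after deploying the fix: parse the `ebtables -t nat -L` dump for the VM's chain and confirm that every address the VM is expected to transmit from (native IP and floating vrouter IP) reaches a RETURN rule before the final DROP. `escape_xml_attr` is a hypothetical stand-in for `one_util::escape_xml_attr`; `filterref_xml`, `allowed_src_ips`, `chain_allows` and the two dump constants are names chosen here, and the dumps themselves are constructed from the output quoted in the report.

```cpp
#include <cassert>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for one_util::escape_xml_attr (not OpenNebula's
// implementation): returns the value single-quoted with XML specials escaped.
std::string escape_xml_attr(const std::string& value)
{
    std::string out = "'";
    for (char c : value)
    {
        switch (c)
        {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '\'': out += "&apos;"; break;
            case '"':  out += "&quot;"; break;
            default:   out += c;
        }
    }
    return out + "'";
}

// Emits the <filterref> the report asks for: the NIC's own IP first, then one
// <parameter name='IP'> per additional (floating) address. Empty entries are
// skipped, mirroring the `!vrouter_ip.empty()` guard in the proposed fix.
std::string filterref_xml(const std::string& filter,
                          const std::string& ip,
                          const std::vector<std::string>& extra_ips)
{
    std::ostringstream file;
    file << "\t\t\t<filterref filter=" << escape_xml_attr(filter) << ">\n"
         << "\t\t\t\t<parameter name='IP' value=" << escape_xml_attr(ip) << "/>\n";
    for (const std::string& extra : extra_ips)
    {
        if (extra.empty()) continue;
        file << "\t\t\t\t<parameter name='IP' value=" << escape_xml_attr(extra) << "/>\n";
    }
    file << "\t\t\t</filterref>\n";
    return file.str();
}

// Parses `ebtables -t nat -L` output and collects the --ip-src values that hit
// a RETURN rule, i.e. the source addresses the anti-spoofing chain lets through.
std::set<std::string> allowed_src_ips(const std::string& ebtables_dump)
{
    std::set<std::string> ips;
    std::istringstream in(ebtables_dump);
    std::string line;
    while (std::getline(in, line))
    {
        std::istringstream tok(line);
        std::string word, src, target;
        while (tok >> word)
        {
            if (word == "--ip-src") tok >> src;
            else if (word == "-j") tok >> target;
        }
        if (!src.empty() && target == "RETURN") ips.insert(src);
    }
    return ips;
}

// True when every expected address is allowed by the dumped chain.
bool chain_allows(const std::string& ebtables_dump, const std::vector<std::string>& expected)
{
    std::set<std::string> allowed = allowed_src_ips(ebtables_dump);
    for (const std::string& ip : expected)
        if (allowed.count(ip) == 0) return false;
    return true;
}

// Constructed sample dumps, copied from the chains quoted in the bug report.
const std::string kBeforeDump =
    "Bridge chain: I-one-3-0-ipv4-ip, entries: 3, policy: ACCEPT\n"
    "-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN\n"
    "-p IPv4 --ip-src 172.16.2.5 -j RETURN\n"
    "-j DROP\n";

const std::string kAfterDump =
    "Bridge chain: I-one-4-0-ipv4-ip, entries: 4, policy: ACCEPT\n"
    "-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN\n"
    "-p IPv4 --ip-src 172.16.2.7 -j RETURN\n"
    "-p IPv4 --ip-src 172.16.2.6 -j RETURN\n"
    "-j DROP\n";

int main()
{
    std::cout << filterref_xml("clean-traffic", "172.16.2.7", {"172.16.2.6"});
    std::cout << "before fix, vrouter IP allowed: "
              << chain_allows(kBeforeDump, {"172.16.2.5", "172.16.2.4"}) << "\n";
    std::cout << "after fix, vrouter IP allowed:  "
              << chain_allows(kAfterDump, {"172.16.2.7", "172.16.2.6"}) << "\n";
    return 0;
}
```

On a host, feed the chain for the VM's interface (`ebtables -t nat -L <chain>`) into `chain_allows` together with the NIC's IP and its floating IP; a `false` result means the floating address will be dropped at the bridge even though the VM is configured with it.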

History

#1 Updated by Ruben S. Montero about 4 years ago

  • Category set to Core & System
  • Status changed from Pending to New
  • Assignee set to Ruben S. Montero
  • Target version set to Release 5.4

#2 Updated by Ruben S. Montero about 4 years ago

  • Status changed from New to Closed
  • Resolution set to fixed
