DHCP reply packets do not make it into KVM instance in OpenStack

Posted by Lorin Hochstein on Server Fault See other posts from Server Fault or by Lorin Hochstein
Published on 2013-04-02T23:48:57Z Indexed on 2013/10/19 3:58 UTC
Read the original article Hit count: 531

I'm running a KVM instance inside of OpenStack, and it isn't getting an IP address from the DHCP server.

Using tcpdump, I can see the request and reply packets on vnet0 of the compute host:

# tcpdump -i vnet0 -n port 67 or port 68
tcpdump: WARNING: vnet0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:44:56.176727 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:44:56.176785 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:44:56.177315 IP 10.40.0.1.67 > 10.40.0.3.68: BOOTP/DHCP, Reply, length 319
19:45:02.179834 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:45:02.179904 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:45:02.180375 IP 10.40.0.1.67 > 10.40.0.3.68: BOOTP/DHCP, Reply, length 319

However, if I do the same thing on eth0 inside the KVM instance, I only see the request packets, not the reply packets. What would prevent the packets from making it from vnet0 of the host to eth0 of the guest?

My host is running Ubuntu 12.04 and my guest is running CentOS 6.3.

Note that I have added this rule in my iptables, but it doesn't resolve the issue:

-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

The instance corresponds to vnet0 and is connected via br100:

# brctl show
bridge name bridge id       STP enabled interfaces
br100       8000.54781a8605f2   no      eth1
                            vnet0
                            vnet1
virbr0      8000.000000000000   yes

Here's the full iptables-save:

# Generated by iptables-save v1.4.12 on Tue Apr  2 19:47:27 2013
*nat
:PREROUTING ACCEPT [8323:2553683]
:INPUT ACCEPT [7993:2494942]
:OUTPUT ACCEPT [6158:461050]
:POSTROUTING ACCEPT [6455:511595]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A OUTPUT -j nova-compute-OUTPUT
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A nova-compute-snat -j nova-compute-float-snat
-A nova-postrouting-bottom -j nova-compute-snat
COMMIT
# Completed on Tue Apr  2 19:47:27 2013
# Generated by iptables-save v1.4.12 on Tue Apr  2 19:47:27 2013
*mangle
:PREROUTING ACCEPT [7969:5385812]
:INPUT ACCEPT [7905:5363718]
:FORWARD ACCEPT [158:48190]
:OUTPUT ACCEPT [6877:8647975]
:POSTROUTING ACCEPT [7035:8696165]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Apr  2 19:47:27 2013
# Generated by iptables-save v1.4.12 on Tue Apr  2 19:47:27 2013
*filter
:INPUT ACCEPT [2196774:15856921923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2447201:1170227646]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-19 - [0:0]
:nova-compute-inst-20 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-compute-OUTPUT
-A nova-compute-FORWARD -i br100 -j ACCEPT
-A nova-compute-FORWARD -o br100 -j ACCEPT
-A nova-compute-inst-19 -m state --state INVALID -j DROP
-A nova-compute-inst-19 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-provider
-A nova-compute-inst-19 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-19 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-19 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-19 -p icmp -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-sg-fallback
-A nova-compute-inst-20 -m state --state INVALID -j DROP
-A nova-compute-inst-20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-20 -j nova-compute-provider
-A nova-compute-inst-20 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-20 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-20 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-20 -p icmp -j ACCEPT
-A nova-compute-inst-20 -j nova-compute-sg-fallback
-A nova-compute-local -d 10.40.0.3/32 -j nova-compute-inst-19
-A nova-compute-local -d 10.40.0.4/32 -j nova-compute-inst-20
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
COMMIT
# Completed on Tue Apr  2 19:47:27 2013

© Server Fault or respective owner

Related posts about iptables

Related posts about dhcp