DHCP reply packets do not make it into KVM instance in OpenStack
- by Lorin Hochstein
I'm running a KVM instance inside of OpenStack, and it isn't getting an IP address from the DHCP server.
Using tcpdump, I can see the request and reply packets on vnet0 of the compute host:
# tcpdump -i vnet0 -n port 67 or port 68
tcpdump: WARNING: vnet0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:44:56.176727 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:44:56.176785 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:44:56.177315 IP 10.40.0.1.67 > 10.40.0.3.68: BOOTP/DHCP, Reply, length 319
19:45:02.179834 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:45:02.179904 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:45:02.180375 IP 10.40.0.1.67 > 10.40.0.3.68: BOOTP/DHCP, Reply, length 319
However, if I do the same thing on eth0 inside the KVM instance, I only see the request packets, not the reply packets. What would prevent the packets from making it from vnet0 of the host to eth0 of the guest?
My host is running Ubuntu 12.04 and my guest is running CentOS 6.3.
Note that I have added this rule in my iptables, but it doesn't resolve the issue:
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
The instance corresponds to vnet0 and is connected via br100:
# brctl show
bridge name bridge id STP enabled interfaces
br100 8000.54781a8605f2 no eth1
vnet0
vnet1
virbr0 8000.000000000000 yes
Here's the full iptables-save:
# Generated by iptables-save v1.4.12 on Tue Apr 2 19:47:27 2013
*nat
:PREROUTING ACCEPT [8323:2553683]
:INPUT ACCEPT [7993:2494942]
:OUTPUT ACCEPT [6158:461050]
:POSTROUTING ACCEPT [6455:511595]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A OUTPUT -j nova-compute-OUTPUT
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A nova-compute-snat -j nova-compute-float-snat
-A nova-postrouting-bottom -j nova-compute-snat
COMMIT
# Completed on Tue Apr 2 19:47:27 2013
# Generated by iptables-save v1.4.12 on Tue Apr 2 19:47:27 2013
*mangle
:PREROUTING ACCEPT [7969:5385812]
:INPUT ACCEPT [7905:5363718]
:FORWARD ACCEPT [158:48190]
:OUTPUT ACCEPT [6877:8647975]
:POSTROUTING ACCEPT [7035:8696165]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Apr 2 19:47:27 2013
# Generated by iptables-save v1.4.12 on Tue Apr 2 19:47:27 2013
*filter
:INPUT ACCEPT [2196774:15856921923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2447201:1170227646]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-19 - [0:0]
:nova-compute-inst-20 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-compute-OUTPUT
-A nova-compute-FORWARD -i br100 -j ACCEPT
-A nova-compute-FORWARD -o br100 -j ACCEPT
-A nova-compute-inst-19 -m state --state INVALID -j DROP
-A nova-compute-inst-19 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-provider
-A nova-compute-inst-19 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-19 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-19 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-19 -p icmp -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-sg-fallback
-A nova-compute-inst-20 -m state --state INVALID -j DROP
-A nova-compute-inst-20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-20 -j nova-compute-provider
-A nova-compute-inst-20 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-20 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-20 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-20 -p icmp -j ACCEPT
-A nova-compute-inst-20 -j nova-compute-sg-fallback
-A nova-compute-local -d 10.40.0.3/32 -j nova-compute-inst-19
-A nova-compute-local -d 10.40.0.4/32 -j nova-compute-inst-20
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
COMMIT
# Completed on Tue Apr 2 19:47:27 2013
