Bug 1011803

Summary: Add iptables rule to accept GRE traffic
Product: [Community] RDO
Reporter: Sandro Mathys <sandro>
Component: openstack-packstack
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED NOTABUG
QA Contact: Nir Magnezi <nmagnezi>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: aortega, apevec, chrisw, derekh, fvollero, rkukura, tgraf, yeylon
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: network
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-15 12:53:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Sandro Mathys 2013-09-25 07:43:22 UTC
Description of problem:
OVS can automatically set the proper iptables rule to allow for GRE tunnelling but the openvswitch init script doesn't enable it because "RHEL6 does not support OVS GRE tunneling yet". But actually, RDO does.

Version-Release number of selected component (if applicable):
openvswitch-1.11.0_8ce28d-1.el6ost.x86_64

How reproducible:
Always

Steps to Reproduce:
1. install openvswitch (from RDO Havana repo)
2. grep -i "gre " /etc/init.d/openvswitch

Actual results:
# RHEL6 does not support OVS GRE tunneling yet, do not add iptables GRE rule
#    $ovs_ctl --protocol=gre enable-protocol

Expected results:
# RDO does support OVS GRE tunneling, do add iptables GRE rule
$ovs_ctl --protocol=gre enable-protocol

Additional info:

Comment 1 Thomas Graf 2013-10-30 14:34:40 UTC
We do not want to open up GRE in the default policy. Upstream releases used to add a GRE ACCEPT by default when the service started which is why we put the comment in there in the first place. Upstream has reverted that change since and requires manual enablement of the protocol.

If at all, the firewall rule should be added by Neutron on demand.

Bob, what do you think?

Comment 2 Bob Kukura 2013-11-12 20:16:02 UTC
I agree the openvswitch user space should not automatically add iptables rules to open up GRE. For one thing, it cannot know how broadly to allow access (i.e. for source hosts from a specific subnet or set of subnets).

I think the same reasoning applies to neutron's openvswitch-agent. Instead this should be handled by deployment tools such as packstack that know something about the overall deployment.
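The objection in the comment above is that a generic service cannot know which source subnets the GRE tunnel endpoints live in, so a deployment tool that does know should scope the rule. The following POSIX shell script is an added example, not code from this bug, from Open vSwitch or from packstack: it validates an IPv4 CIDR, builds an iptables rule that accepts GRE (IP protocol 47) only from that subnet, and applies it idempotently using `iptables -C` to check for an existing copy first. The subnet value is constructed, and the assumption that the blanket "enable-protocol" rule amounts to a plain `-p gre -j ACCEPT` on INPUT is the example's own.

```shell
#!/bin/sh
# Added example (not from the bug, OVS or packstack): scope the GRE accept
# rule to the tunnel endpoints' subnet instead of accepting GRE from anywhere.

# Validate a dotted-quad IPv4 CIDR such as 10.0.0.0/24. Returns 0 if valid.
valid_cidr() {
  cidr=$1
  case "$cidr" in
    */*) ;;
    *) return 1 ;;   # a prefix length is mandatory: no bare addresses
  esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case "$prefix" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip                # split the address into octets
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Blanket form (assumed to be what enabling the protocol amounts to):
# accepts GRE from every source host.
gre_accept_any() {
  printf 'iptables -I INPUT -p gre -j ACCEPT\n'
}

# Scoped form: print the iptables command that accepts GRE only from the
# given source subnet. Prints nothing and fails on a malformed CIDR.
gre_accept_rule() {
  valid_cidr "$1" || return 1
  printf 'iptables -I INPUT -p gre -s %s -j ACCEPT\n' "$1"
}

# Apply the scoped rule idempotently: "iptables -C" returns 0 when an
# identical rule already exists, so repeated runs do not stack duplicates.
apply_gre_rule() {
  rule=$(gre_accept_rule "$1") || return 1
  check=$(printf '%s' "$rule" | sed 's/^iptables -I/iptables -C/')
  if $check 2>/dev/null; then
    echo "rule already present: $rule"
  else
    $rule
  fi
}

# Usage (requires root): apply_gre_rule 10.0.0.0/24   # constructed subnet
```

Running `apply_gre_rule` twice leaves a single rule in place; running it with a bad value such as `10.0.0.0` (no prefix length) fails before any iptables command is executed.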

Comment 3 Francesco Vollero 2014-01-15 12:53:43 UTC
This setting should be decided by the user based on their needs and cannot be delegated to packstack.

I am closing it but I am open to discussion if needed.