Bug 1111640 - packstack should open Tunnel ports VXLAN and GRE
Summary: packstack should open Tunnel ports VXLAN and GRE
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-packstack
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: z5
Target Release: 4.0
Assignee: Martin Magr
QA Contact: yfried
URL:
Whiteboard:
Depends On: 1100993
Blocks:
Reported: 2014-06-20 15:28 UTC by Scott Lewis
Modified: 2022-07-09 07:02 UTC

Fixed In Version: openstack-packstack-2013.2.1-0.32.dev1040.el6ost
Doc Type: Bug Fix
Doc Text:
Clone Of: 1100993
Environment:
Last Closed: 2014-10-22 17:17:25 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 109573 | 0 | None | None | None | Never
OpenStack gerrit | 109574 | 0 | None | None | None | Never
Red Hat Issue Tracker | OSP-16483 | 0 | None | None | None | 2022-07-09 07:02:59 UTC
Red Hat Product Errata | RHSA-2014:1691 | 0 | normal | SHIPPED_LIVE | Important: openstack-packstack security, bug fix, and enhancement update | 2014-10-22 21:16:02 UTC

Comment 2 yfried 2014-10-12 11:15:45 UTC
I'm looking at the iptables and I can't see the dport=4789 or the protocol=47 rules.
Am I missing anything?

gre:
[root@puma43 ~(keystone_admin)]# iptables -nL 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED 
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.35.160.167       tcp dpt:8775 

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0           


vxlan: 
[root@nmagnezi-os-cont1 ~(keystone_admin)]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  10.35.160.23         0.0.0.0/0            multiport dports 5671,5672 /* 001 amqp incoming amqp_10.35.160.23 */
ACCEPT     tcp  --  10.35.160.25         0.0.0.0/0            multiport dports 5671,5672 /* 001 amqp incoming amqp_10.35.160.25 */
ACCEPT     tcp  --  10.35.160.27         0.0.0.0/0            multiport dports 5671,5672 /* 001 amqp incoming amqp_10.35.160.27 */
ACCEPT     tcp  --  10.35.161.235        0.0.0.0/0            multiport dports 5671,5672 /* 001 amqp incoming amqp_10.35.161.235 */
ACCEPT     tcp  --  10.35.160.25         0.0.0.0/0            multiport dports 3260 /* 001 cinder incoming cinder_10.35.160.25 */
ACCEPT     tcp  --  10.35.160.27         0.0.0.0/0            multiport dports 3260 /* 001 cinder incoming cinder_10.35.160.27 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776 /* 001 cinder-api incoming cinder_API */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292 /* 001 glance incoming glance_API */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004 /* 001 heat incoming heat */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80 /* 001 horizon 80  incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,35357 /* 001 keystone incoming keystone */
ACCEPT     tcp  --  10.35.160.23         0.0.0.0/0            multiport dports 3306 /* 001 mysql incoming mysql_10.35.160.23 */
ACCEPT     tcp  --  10.35.160.25         0.0.0.0/0            multiport dports 3306 /* 001 mysql incoming mysql_10.35.160.25 */
ACCEPT     tcp  --  10.35.160.27         0.0.0.0/0            multiport dports 3306 /* 001 mysql incoming mysql_10.35.160.27 */
ACCEPT     tcp  --  10.35.161.235        0.0.0.0/0            multiport dports 3306 /* 001 mysql incoming mysql_10.35.161.235 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696 /* 001 neutron server incoming neutron_server_10.35.161.235 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8773,8774,8775 /* 001 nova api incoming nova_api */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080 /* 001 novncproxy incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080 /* 001 swift proxy incoming swift_proxy */
ACCEPT     tcp  --  10.35.160.25         0.0.0.0/0            multiport dports 6000,6001,6002,873 /* 001 swift storage and rsync incoming swift_storage_and_rsync_10.35.160.25 */
ACCEPT     tcp  --  10.35.160.27         0.0.0.0/0            multiport dports 6000,6001,6002,873 /* 001 swift storage and rsync incoming swift_storage_and_rsync_10.35.160.27 */
ACCEPT     tcp  --  10.35.161.235        0.0.0.0/0            multiport dports 6000,6001,6002,873 /* 001 swift storage and rsync incoming swift_storage_and_rsync_10.35.161.235 */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.35.161.235        tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0

Comment 3 yfried 2014-10-13 13:15:41 UTC
Please ignore the previous comment; it turns out rules aren't created for AIO.
Will reverify this later.

Comment 4 yfried 2014-10-14 14:35:39 UTC
Rules are created for GRE and VXLAN, but only if the setup is not AIO.
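
The check from Comment 2 (looking for dport 4789 and protocol 47 in `iptables -nL` output), written as an added example that is not part of the bug report or of packstack. The function name, the sample listing and the 192.0.2.11 peer address are constructed for illustration; port ranges in multiport rules are not handled.

```shell
#!/bin/sh
# Added example, not packstack code. Usage on a live host:
#   iptables -nL | check_tunnel_rule vxlan
# Caveat: -nL hides interface matches; confirm with `iptables -S INPUT`.

# Exit 0 if the INPUT chain has an ACCEPT for the tunnel type ($1) ahead of
# any catch-all REJECT/DROP, else exit 1.
#   vxlan = UDP destination port 4789, gre = IP protocol 47
check_tunnel_rule() {
    awk -v kind="$1" '
        /^Chain / { in_input = ($2 == "INPUT"); next }
        !in_input || NF < 5 || $1 == "target" { next }
        # Rules listed after an unconditional REJECT/DROP can never match.
        ($1 == "REJECT" || $1 == "DROP") && $2 == "all" &&
          $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" &&
          (NF == 5 || $6 == "reject-with") { exit }
        $1 != "ACCEPT" { next }
        kind == "vxlan" && $2 == "udp" &&
          /(dpt:|dports ([0-9:]+,)*)4789([ ,]|$)/ { found = 1; exit }
        kind == "gre" && ($2 == "47" || $2 == "gre") { found = 1; exit }
        END { exit !found }
    '
}

# Constructed listing in the same `iptables -nL` format as the comments above.
# The GRE rule sits after the catch-all REJECT, so it is unreachable.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696 /* neutron server */
ACCEPT     udp  --  192.0.2.11           0.0.0.0/0            multiport dports 4789 /* constructed vxlan rule */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     47   --  192.0.2.11           0.0.0.0/0            /* constructed gre rule */
EOF
}

for kind in vxlan gre; do
    if sample_listing | check_tunnel_rule "$kind"; then
        echo "$kind: ACCEPT rule present in INPUT"
    else
        echo "$kind: no reachable ACCEPT rule in INPUT"
    fi
done
```

A missing rule only blocks tunnel traffic when the chain ends in a catch-all REJECT or DROP; with `policy ACCEPT` and no such rule, as in the first listing in Comment 2, the packets pass without an explicit ACCEPT.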

Comment 7 errata-xmlrpc 2014-10-22 17:17:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1691.html

