Bug 1273659 - FORWARD -j REJECT --reject-with icmp-host-prohibited rule results in being "trapped" in SDN
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assigned To: Dan Winship
QA Contact: Meng Bo
Reported: 2015-10-20 18:17 EDT by Erik M Jacobs
Modified: 2015-11-23 09:24 EST (History)
Fixed In Version: atomic-openshift-3.0.2.903-0.git.73.16a78c7.el7aos
Doc Type: Bug Fix
Last Closed: 2015-11-23 09:24:52 EST
Type: Bug

Description Erik M Jacobs 2015-10-20 18:17:41 EDT
This rule exists after running an installation. However, it prevents traffic from leaving the SDN.

SDN ping:
nsenter -n -t 4817 -- ping 10.1.0.1
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.536 ms

non-SDN ping with rule:
[root@ose3-node1 ~]# nsenter -n -t 4817 -- ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.1.1.1 icmp_seq=1 Destination Host Prohibited
Remove rule and ping works:
[root@ose3-node1 ~]# iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@ose3-node1 ~]# 
[root@ose3-node1 ~]# nsenter -n -t 4817 -- ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=88.3 ms
Comment 1 Dan Winship 2015-10-20 18:24:45 EDT
Actually, now that I think about it, this probably ought to be fixed in openshift-sdn (and, unlike the port 4789 problem, it actually can be fixed there).
Comment 3 Johnny Liu 2015-10-27 06:37:02 EDT
Seems like this bug and BZ#1273294 have the same root cause.
Comment 4 Dan Winship 2015-10-27 14:30:31 EDT
Should be fixed in origin master.
Comment 5 Scott Dodson 2015-10-27 15:15:06 EDT
*** Bug 1273294 has been marked as a duplicate of this bug. ***
Comment 7 Ma xiaoqiang 2015-10-27 22:23:40 EDT
Checked on puddle [3.1/2015-10.27.1].

The iptables rules have been added. The user can deploy a pod successfully and can access www.baidu.com from within the pod.
Comment 8 Erik M Jacobs 2015-11-04 12:58:05 EST
Doesn't appear to be working:

atomic-openshift-3.0.2.905-0.git.0.85d6f88.el7aos.x86_64
atomic-openshift-clients-3.0.2.905-0.git.0.85d6f88.el7aos.x86_64
atomic-openshift-master-3.0.2.905-0.git.0.85d6f88.el7aos.x86_64
atomic-openshift-node-3.0.2.905-0.git.0.85d6f88.el7aos.x86_64
atomic-openshift-sdn-ovs-3.0.2.905-0.git.0.85d6f88.el7aos.x86_64
atomic-openshift-utils-3.0.6-1.git.36.3d3f287.el7aos.noarch
openshift-ansible-3.0.6-1.git.36.3d3f287.el7aos.noarch
openshift-ansible-filter-plugins-3.0.6-1.git.36.3d3f287.el7aos.noarch
openshift-ansible-lookup-plugins-3.0.6-1.git.36.3d3f287.el7aos.noarch
openshift-ansible-playbooks-3.0.6-1.git.36.3d3f287.el7aos.noarch
openshift-ansible-roles-3.0.6-1.git.36.3d3f287.el7aos.noarch
tuned-profiles-atomic-openshift-node-3.0.2.905-0.git.0.85d6f88.el7aos.x86_64


Post-installation with the quick installer, I still have:

[root@ose3-master ~]# iptables-save | grep -i reject
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Comment 9 Dan Winship 2015-11-04 13:14:06 EST
Right, the fix was to add new rules to unfirewall specific traffic:

  -A FORWARD -d ${CLUSTER_NETWORK} -j ACCEPT
  -A FORWARD -s ${CLUSTER_NETWORK} -j ACCEPT

(Previously those rules only got installed if firewalld was running. Now they're always installed.)
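An added order check, not code from the bug or from openshift-sdn: it reads iptables-save text and reports whether the FORWARD chain's cluster-network ACCEPT rules from comment 9 sit above the catch-all REJECT. The three rule samples are constructed, and 10.1.0.0/16 is assumed as the value of ${CLUSTER_NETWORK} (the pods in the report are in 10.1.x.x).

```shell
# Order check for the FORWARD chain: the cluster-network ACCEPT rules must sit
# above the unconditional REJECT, or pod traffic bound outside the SDN gets
# "Destination Host Prohibited". Input is iptables-save text.

# Assumed value of the bug's ${CLUSTER_NETWORK}.
CLUSTER=10.1.0.0/16

# Constructed: the chain as reported in the bug, REJECT only.
BROKEN_RULES='*filter
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed: the chain after the fix in comment 9.
FIXED_RULES='*filter
-A FORWARD -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed: same ACCEPT rules, but appended below the REJECT, so never hit.
MISORDERED_RULES='*filter
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
COMMIT'

# forward_allows_cluster RULES CIDR: exit 0 if both the -s and -d ACCEPT rules
# for CIDR precede any unconditional REJECT/DROP in FORWARD, else exit 1.
forward_allows_cluster() {
    printf '%s\n' "$1" | grep '^-A FORWARD ' | {
        seen_src=0; seen_dst=0
        while read -r line; do
            case "$line" in
                "-A FORWARD -s $2 -j ACCEPT") seen_src=1 ;;
                "-A FORWARD -d $2 -j ACCEPT") seen_dst=1 ;;
                "-A FORWARD -j REJECT"*|"-A FORWARD -j DROP"*)
                    # Terminal catch-all: rules after it are never evaluated.
                    [ "$seen_src" = 1 ] && [ "$seen_dst" = 1 ] && exit 0
                    exit 1 ;;
            esac
        done
        # No catch-all at all: fine only if both ACCEPT rules are present.
        [ "$seen_src" = 1 ] && [ "$seen_dst" = 1 ]
    }
}

for name in BROKEN_RULES FIXED_RULES MISORDERED_RULES; do
    eval "rules=\$$name"
    forward_allows_cluster "$rules" "$CLUSTER" && echo "$name: pod traffic can leave the SDN" || echo "$name: FORWARD REJECT traps the SDN"
done
```

On a live node, feed it the real output with `forward_allows_cluster "$(iptables-save)" 10.1.0.0/16`.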
Comment 10 Erik M Jacobs 2015-11-04 20:38:30 EST
NVM this seems to be working. Sorry for the noise -- I didn't realize the resolution wasn't to remove that rule!
Comment 11 Brenton Leanhardt 2015-11-23 09:24:52 EST
This fix is available in OpenShift Enterprise 3.1.