SYN packet is not tracked by netfilter_conntrack and dropped when the RST returns
Issue
When the VMs are placed on the same compute node, the SYN packet is not tracked by netfilter_conntrack. When the RST packet returns, it is not related to any existing flow and is therefore dropped.
Steps to Reproduce:
- Deployed two instances with the default security group.
- Flushed iptables on both instances.
- From the source VM (address 192.168.22.4):
[cloud-user@host00 ~]$ telnet 192.168.22.3 56699
Trying 192.168.22.3...
[cloud-user@host00 ~]$ sudo tcpdump -vv -i eth0 |grep -i 56699
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
====
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0x00c7 (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692727282 ecr 0,nop,wscale 7], length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xfcde (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692728282 ecr 0,nop,wscale 7], length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xf50e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692730282 ecr 0,nop,wscale 7], length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xe56e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692734282 ecr 0,nop,wscale 7], length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xc62e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692742282 ecr 0,nop,wscale 7], length 0
====
On the destination instance:
[cloud-user@host12 ~]$ sudo tcpdump -v -i eth0 |grep -i 56699
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
=====
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0x00c7 (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692727282 ecr 0,nop,wscale 7], length 0
host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 3646210919, win 0, length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xfcde (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692728282 ecr 0,nop,wscale 7], length 0
host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 1, win 0, length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xf50e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692730282 ecr 0,nop,wscale 7], length 0
host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 1, win 0, length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xe56e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692734282 ecr 0,nop,wscale 7], length 0
From hypervisor:
[root@dell-per210-4 ~]# iptables -nvL|grep -i 'Chain neutron-openvswi-i6272f76d-d' -A 2
Chain neutron-openvswi-i6272f76d-d (1 references)
pkts bytes target prot opt in out source destination
5 200 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
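To confirm the symptom from the two guest captures, the following added example (not part of the original article) correlates SYNs seen at the source with RSTs emitted at the destination and reports the RSTs that never arrived back. The function names and the abbreviated sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# tcpdump summary line: "src.sport > dst.dport: Flags [X], ..."
LINE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def count_flags(capture):
    """Count packets per (src, sport, dst, dport, kind), kind being 'SYN' or 'RST'."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # tcpdump banner lines, separators, etc.
        src, sport, dst, dport, flags = m.groups()
        kind = "RST" if "R" in flags else "SYN" if flags == "S" else None
        if kind:
            counts[(src, sport, dst, dport, kind)] += 1
    return counts

def lost_resets(client_capture, server_capture):
    """Per client flow: SYNs sent, RSTs the server emitted, RSTs the client received."""
    client, server = count_flags(client_capture), count_flags(server_capture)
    report = {}
    for (src, sport, dst, dport, kind), syns in client.items():
        if kind != "SYN":
            continue
        reply = (dst, dport, src, sport, "RST")  # reverse direction of the SYN
        sent, received = server[reply], client[reply]
        report[(src, sport, dst, dport)] = {
            "syn_sent": syns, "rst_emitted": sent,
            "rst_received": received, "rst_lost": sent - received}
    return report

# Constructed sample: lines abbreviated from the two captures above.
A, B = "host-192-168-22-4.openstacklocal", "host-192-168-22-3.openstacklocal"
SYN = f"{A}.36709 > {B}.56699: Flags [S], seq 3646210918, win 14600, length 0"
RST = f"{B}.56699 > {A}.36709: Flags [R.], seq 0, ack 1, win 0, length 0"
CLIENT_CAPTURE = "\n".join([SYN] * 5)            # source VM: SYN retransmits only
SERVER_CAPTURE = "\n".join([SYN, RST] * 3 + [SYN])  # destination VM: SYN answered by RST

if __name__ == "__main__":
    for flow, stats in lost_resets(CLIENT_CAPTURE, SERVER_CAPTURE).items():
        print(flow, stats)
```

A non-zero rst_lost for a flow means the reset was dropped between the two guests. The hypervisor's INVALID rule counter above (5 packets, 200 bytes) is consistent with five 40-byte, option-less RST segments.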
Environment
- Red Hat Open Stack