SYN packet is not tracked by netfilter_conntrack and dropped when the RST returns
Issue
- When the VMs are placed on the same compute node, the SYN packet is not tracked by netfilter_conntrack. When the RST packet returns, it is not related to any existing flow and is therefore dropped.
Steps to Reproduce:
- Deployed two instances with the default security group.
- Flushed iptables on both instances.
- From the source VM (address 192.168.22.4):
[cloud-user@host00 ~]$ telnet 192.168.22.3 56699
Trying 192.168.22.3...
[cloud-user@host00 ~]$ sudo tcpdump -vv -i eth0 |grep -i 56699
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
====
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0x00c7 (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692727282 ecr 0,nop,wscale 7], length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xfcde (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692728282 ecr 0,nop,wscale 7], length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xf50e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692730282 ecr 0,nop,wscale 7], length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xe56e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692734282 ecr 0,nop,wscale 7], length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xc62e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692742282 ecr 0,nop,wscale 7], length 0
====
On the destination instance:
[cloud-user@host12 ~]$ sudo tcpdump -v -i eth0 |grep -i 56699
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
=====
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0x00c7 (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692727282 ecr 0,nop,wscale 7], length 0
host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 3646210919, win 0, length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xfcde (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692728282 ecr 0,nop,wscale 7], length 0
host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 1, win 0, length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xf50e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692730282 ecr 0,nop,wscale 7], length 0
host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], cksum 0xf8da (correct), seq 0, ack 1, win 0, length 0
host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], cksum 0xe56e (correct), seq 3646210918, win 14600, options [mss 1460,sackOK,TS val 692734282 ecr 0,nop,wscale 7], length 0
From hypervisor:
[root@dell-per210-4 ~]# iptables -nvL|grep -i 'Chain neutron-openvswi-i6272f76d-d' -A 2
Chain neutron-openvswi-i6272f76d-d (1 references)
pkts bytes target prot opt in out source destination
5 200 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
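One way to confirm the symptom from the two captures above, as an added example that is not part of the original article: the script pairs the source-side and destination-side tcpdump output and reports flows whose RSTs left the destination but never reached the source. The function names and the abridged sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump -v TCP lines: "<src>.<sport> > <dst>.<dport>: Flags [..]"
LINE = re.compile(r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

def flow_stats(capture):
    """Per client->server flow, count bare SYNs and the RSTs sent in reply."""
    stats = defaultdict(lambda: {"syn": 0, "rst": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # banner, separator or non-TCP line
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        if m["flags"] == "S":            # bare SYN (a SYN-ACK would be "S.")
            stats[a + b]["syn"] += 1
        elif "R" in m["flags"]:          # RST travels server -> client
            stats[b + a]["rst"] += 1
    return stats

def lost_resets(source_capture, dest_capture):
    """Flows where the destination sent RSTs that the source never saw."""
    at_src, at_dst = flow_stats(source_capture), flow_stats(dest_capture)
    findings = []
    for flow, dst in at_dst.items():
        src = at_src.get(flow, {"syn": 0, "rst": 0})
        # Retransmitted SYNs at the source plus RSTs seen only at the destination
        if dst["rst"] and not src["rst"] and src["syn"] > 1:
            findings.append({"flow": flow, "syn_seen_at_source": src["syn"],
                             "rst_sent": dst["rst"], "rst_received": src["rst"]})
    return findings

# Constructed sample: lines abridged from the captures shown above.
SYN = "host-192-168-22-4.openstacklocal.36709 > host-192-168-22-3.openstacklocal.56699: Flags [S], seq 3646210918, win 14600, length 0"
RST = "host-192-168-22-3.openstacklocal.56699 > host-192-168-22-4.openstacklocal.36709: Flags [R.], seq 0, ack 1, win 0, length 0"
SOURCE_CAPTURE = "\n".join(["tcpdump: listening on eth0", SYN, SYN, SYN])
DEST_CAPTURE = "\n".join([SYN, RST, SYN, RST, SYN])

if __name__ == "__main__":
    for finding in lost_resets(SOURCE_CAPTURE, DEST_CAPTURE):
        print(finding)
```

A non-empty result, together with a rising packet counter on the hypervisor's `state INVALID` DROP rule, matches the behaviour described in this issue.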
Environment
- Red Hat Open Stack
