[openstack-dev] [neutron] packet forwarding

Abbass MAROUNI abbass.marouni at virtualscale.fr
Mon Dec 23 14:26:52 UTC 2013


Hello Ian,

Found some anti-spoofing rules in the ebtables (ebtables -t nat -L) of the
compute-host where my router VM is located. These rules are automatically
generated by libvirt for each VM and are usually generated from a preset of
rules (anti-ip-spoofing.xml). Disabling this rule didn't help as I found
later that there are some iptables chains also on the compute host that did
some anti-spoofing filtering (iptables -t filter -L).
So one needs to disable the libvirt anti-ip-spoofing and the iptables
anti-spoofing.
I disabled the libvirt anti-ip-spoofing by removing the filter from
nova-base (virsh nwfilter-edit nova-base) and manually added a rule to
iptables.

Thanks a lot.
Abbass.



> Randy has it spot on.  The antispoofing rules prevent you from doing this
> in Neutron.  Clearly a router transmits traffic that isn't from it, and
> receives traffic that isn't addressed to it - and the port filtering
> discards them.
>
> You can disable them for the entire cloud by judiciously tweaking the Nova
> config settings, or if you're using the Nicira plugin you'll find it has
> extensions for modifying firewall behaviour (they could do with porting
> around, or even becoming core, but at the moment they're Nicira-specific).
> --
> Ian.
>
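Auditing what the nwfilter edit described above leaves in place, as an added example that is not part of this thread: it resolves nested filterref chains the way libvirt does and reports which anti-spoofing guards a VM's root filter no longer applies. The XML is constructed to stand in for `virsh nwfilter-dumpxml` output; the filter names follow libvirt's shipped no-*-spoofing filters, and the exact contents of nova-base shown here are an assumption.

```python
"""Audit which anti-spoofing guards a libvirt nwfilter chain still applies."""
import xml.etree.ElementTree as ET

# Guards whose absence lets a guest emit frames/packets with a forged source.
SPOOFING_GUARDS = {"no-ip-spoofing", "no-mac-spoofing", "no-arp-spoofing"}

# Constructed stand-in for `virsh nwfilter-dumpxml <name>` output, keyed by
# filter name. The nova-base contents are an assumption for this example.
FILTER_XML = {
    "nova-base": """<filter name='nova-base' chain='root'>
        <filterref filter='no-mac-spoofing'/>
        <filterref filter='no-ip-spoofing'/>
        <filterref filter='no-arp-spoofing'/>
      </filter>""",
    # The same root filter after removing the IP anti-spoofing reference.
    "nova-base-edited": """<filter name='nova-base-edited' chain='root'>
        <filterref filter='no-mac-spoofing'/>
        <filterref filter='no-arp-spoofing'/>
      </filter>""",
    # Leaf filters: only their names matter for this audit, not their rules.
    "no-mac-spoofing": "<filter name='no-mac-spoofing' chain='mac'/>",
    "no-ip-spoofing": "<filter name='no-ip-spoofing' chain='ipv4-ip'/>",
    "no-arp-spoofing": "<filter name='no-arp-spoofing' chain='arp-ip'/>",
}


def resolve_filterrefs(name, filters, seen=None):
    """Return every filter reachable from `name` via nested <filterref> elements.

    `seen` doubles as the result and as cycle protection, since libvirt
    filters may reference each other in arbitrary graphs.
    """
    seen = set() if seen is None else seen
    if name in seen or name not in filters:
        return seen
    seen.add(name)
    root = ET.fromstring(filters[name])
    for ref in root.iter("filterref"):
        resolve_filterrefs(ref.get("filter"), filters, seen)
    return seen


def missing_guards(name, filters=FILTER_XML):
    """Anti-spoofing guards NOT applied by the filter chain rooted at `name`."""
    return sorted(SPOOFING_GUARDS - resolve_filterrefs(name, filters))


if __name__ == "__main__":
    for root in ("nova-base", "nova-base-edited"):
        gap = missing_guards(root)
        print(f"{root}: {'all guards present' if not gap else 'missing ' + ', '.join(gap)}")
```

Run against real hosts by replacing FILTER_XML with the output of `virsh nwfilter-dumpxml` for each filter; any VM whose interface references a root filter with a non-empty result is one the host no longer protects against that kind of spoofing, which is exactly the state a router VM must be in and every other VM must not.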