[openstack-dev] [neutron] packet forwarding
abbass.marouni at virtualscale.fr
Mon Dec 23 14:26:52 UTC 2013
Found some anti-spoofing rules in the ebtables (ebtables -t nat -L) of the
compute-host where my router VM is located. These rules are automatically
generated by libvirt for each VM and are usually generated from a preset of
rules (anti-ip-spoofing.xml). Disabling this rule didn't help as I found
later that there are some iptables chains also on the compute host that did
some anti-spoofing filtering (iptables -t filter -L).
So one needs to disable the libvirt anti-ip-spoofing and the iptables
I disabled the libvirt anti-ip-spoofing by removing the filter from
nova-base (virsh nwfilter-edit nova-base) and manually added a rule to
Thanks a lot.
> Randy has it spot on. The antispoofing rules prevent you from doing this
> in Neutron. Clearly a router transmits traffic that isn't from it, and
> receives traffic that isn't addressed to it - and the port filtering
> discards them.
> You can disable them for the entire cloud by judiciously tweaking the Nova
> config settings, or if you're using the Nicira plugin you'll find it has
> extensions for modifying firewall behaviour (they could do with porting
> around, or even becoming core, but at the moment they're Nicira-specific).
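
An added example, not part of the original thread and not Nova or libvirt code: a small audit that follows `<filterref>` chains in nwfilter definitions and reports which per-instance filters no longer reach libvirt's anti-spoofing filters after an edit like the one to nova-base described above. The XML is constructed sample data in the shape of `virsh nwfilter-dumpxml` output; the function names and the `nova-instance-` name prefix are assumptions.

```python
import xml.etree.ElementTree as ET

# libvirt's stock anti-spoofing filter names.
ANTISPOOF = ("no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing")

# Constructed sample definitions in the shape of `virsh nwfilter-dumpxml` output
# (trimmed to filterrefs). nova-base lacks no-ip-spoofing, as after the edit in the post.
SAMPLE = {
    "nova-base": """<filter name='nova-base' chain='root'>
        <filterref filter='no-mac-spoofing'/>
        <filterref filter='no-arp-spoofing'/>
        <filterref filter='allow-dhcp-server'/>
    </filter>""",
    "nova-instance-demo-1": """<filter name='nova-instance-demo-1' chain='root'>
        <filterref filter='nova-base'/>
    </filter>""",
    "nova-instance-demo-2": """<filter name='nova-instance-demo-2' chain='root'>
        <filterref filter='clean-traffic'/>
    </filter>""",
    "clean-traffic": """<filter name='clean-traffic' chain='root'>
        <filterref filter='no-mac-spoofing'/>
        <filterref filter='no-ip-spoofing'/>
        <filterref filter='no-arp-spoofing'/>
    </filter>""",
}

def direct_refs(xml_text):
    """Names pulled in through <filterref filter='...'/> elements."""
    return [r.get("filter") for r in ET.fromstring(xml_text).iter("filterref")]

def reachable(name, defs):
    """Every filter reachable from `name`; tolerates cycles and undefined leaves."""
    seen, stack = set(), [name]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(direct_refs(defs[cur]) if cur in defs else [])
    return seen

def missing_antispoof(name, defs):
    """Anti-spoofing filters that `name` does not reach, directly or indirectly."""
    got = reachable(name, defs)
    return [f for f in ANTISPOOF if f not in got]

def audit(defs, prefix="nova-instance-"):
    """Per-instance filters (by name prefix) mapped to the protections they lack."""
    gaps = {n: missing_antispoof(n, defs) for n in sorted(defs) if n.startswith(prefix)}
    return {n: m for n, m in gaps.items() if m}
```

Because nova-base is shared, every instance filter that references it shows up in the report, which is why the edit affects all VMs on the host and not only the router VM.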