[openstack-dev] [neutron] Implement NAPT in neutron (https://blueprints.launchpad.net/neutron/+spec/neutron-napt-api)

Martinx - ジェームズ thiagocmartinsc at gmail.com
Thu Jan 9 08:27:09 UTC 2014


>From a operator point of view, I think that it would be nice to give to the
FWaaS (IPv4 flavor), the ability to manage the tenant's NAT table, not only
the "filter table", as it is today.

If fact, I don't know if it is out of the scope of FWaaS or not, it is just
an idea I had. Because right now, I need to create the so called "NAT
Instance", with a Floating IPv4 attached to it, with a DNAT rule for each
"internal" service that I need to open to the Internet... It is terrible
BTW but, it is the "IPv4-thinking"... (Can't wait for IPv6 in IceHouse to
kiss NAT goodbye!)... Today, each tenant must have at least, two valid IPs
(v4), one for the router's gateway and another to the "NAT Instance"
(because FWaaS (or something else) doesn't handle the Tenant
Router/Namespace NAT table).

So, if the Tenant can manage its own Firewall-IPv4-NAT table, there at its
own Namespace Router, then, each will require only 1 valid "Floating IPv4",
the one that come when he connects its router, with the External Network
(from allocation pool anyway)... Less waste of valid IPv4.


On 8 January 2014 13:36, Dong Liu <willowd878 at gmail.com> wrote:

> 在 2014年1月8日,20:24,Nir Yechiel <nyechiel at redhat.com> 写道:
> Hi Dong,
> Can you please clarify this blueprint? Currently in Neutron, If an
> instance has a floating IP, then that will be used for both inbound and
> outbound traffic. If an instance does not have a floating IP, it can make
> connections out using the gateway IP (SNAT using PAT/NAT Overload). Does
> the idea in this blueprint is to implement PAT on both directions using
> only the gateway IP? Also, did you see this one [1]?
> Thanks,
> Nir
> [1] https://blueprints.launchpad.net/neutron/+spec/router-port-forwarding
> I think my idea is duplicated with this one.
> https://blueprints.launchpad.net/neutron/+spec/access-vms-via-port-mapping
> Sorry for missing this.
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140109/4fe821ac/attachment.html>

More information about the OpenStack-dev mailing list