[openstack-dev] [neutron] iptables routes are not being injected to router namespace

Xavier León xavi.leon at midokura.com
Tue Jan 20 14:20:44 UTC 2015


Hi all,

We've been doing some tests with OpenStack Kilo and found
a problem: iptables routes are not being injected into the
router namespace.

Scenario:
- a private network NOT connected to the outside world.
- a router with only one interface connected to the private network.
- a VM instance connected to the private network as well.

From inside the instance, we try to get some information from the
metadata service with curl:

$ curl http://169.254.169.254
curl: (7) couldn't connect to host

With the same setup in Juno, there was no such problem and
metadata information is shown.

The request is not filtered at the instance and hits the router
namespace (checked with tcpdump). However, when looking
from the controller at the iptables rules at the router, they appear
empty.

stack@devstack:~$ sudo ip netns exec qrouter-d4ec737a-c5fb-4f5b-8bd0-1b5353bbade3 iptables-save
# Generated by iptables-save v1.4.21 on Tue Jan 20 14:05:48 2015
*raw
:PREROUTING ACCEPT [12:1334]
:OUTPUT ACCEPT [10:868]
COMMIT
# Completed on Tue Jan 20 14:05:48 2015
# Generated by iptables-save v1.4.21 on Tue Jan 20 14:05:48 2015
*nat
:PREROUTING ACCEPT [10:913]
:INPUT ACCEPT [3:493]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jan 20 14:05:48 2015
# Generated by iptables-save v1.4.21 on Tue Jan 20 14:05:48 2015
*mangle
:PREROUTING ACCEPT [12:1334]
:INPUT ACCEPT [5:914]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:868]
:POSTROUTING ACCEPT [10:868]
COMMIT
# Completed on Tue Jan 20 14:05:48 2015
# Generated by iptables-save v1.4.21 on Tue Jan 20 14:05:48 2015
*filter
:INPUT ACCEPT [5:914]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:868]
COMMIT

Is this some problem related to the refactoring of the l3 agent?
Any pointer to what might be the problem here? I can provide
more information on the subject if necessary to reproduce this.
Any input would be appreciated.

Cheers,
Xavi
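
An added example, not part of the original message: a small parser for iptables-save output that reports which tables carry no rules and whether any rule references the metadata address 169.254.169.254. The sample dump is abbreviated from the output in the post; the function names are hypothetical.

```python
import re

METADATA_IP = "169.254.169.254"  # address requested with curl in the post

# Sample abbreviated from the dump in the post (comment lines and *mangle dropped).
EMPTY_DUMP = """\
*raw
:PREROUTING ACCEPT [12:1334]
:OUTPUT ACCEPT [10:868]
COMMIT
*nat
:PREROUTING ACCEPT [10:913]
:INPUT ACCEPT [3:493]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [5:914]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:868]
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"chains": [names], "rules": [rule lines]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and "# Generated by ..." comments
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"chains": [], "rules": []})
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError(f"line outside a table: {line!r}")
        elif line.startswith(":"):
            current["chains"].append(line[1:].split()[0])
        elif re.match(r"(\[\d+:\d+\]\s+)?-[AI]\s", line):
            current["rules"].append(line)  # optional [pkts:bytes] prefix from -c
    return tables

def summarize(text):
    """List tables without rules and any rules matching the metadata address."""
    tables = parse_iptables_save(text)
    empty = sorted(t for t, d in tables.items() if not d["rules"])
    hits = [(t, r) for t, d in tables.items() for r in d["rules"] if METADATA_IP in r]
    return {"empty_tables": empty, "metadata_rules": hits}
```

Pass `summarize()` the text produced by the `ip netns exec ... iptables-save` command shown in the post; an empty `metadata_rules` list with every table in `empty_tables` matches the symptom reported here.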
