[openstack-dev] [neutron][address-scope] Questions about l3 address scope

zhi changzhi1990 at gmail.com
Wed Mar 1 15:21:06 UTC 2017


Hi, all.

I have some questions about l3 address scope in neutron. I hope that someone
could give me some answers.

I set up a devstack environment and it uses the feature of l3 address scope
by following the document [1]. After doing those steps, I can find some
iptables rules in the namespace, which look like this:

root@devstack:~# iptables-save |grep neutron-l3-agent-scope
:neutron-l3-agent-scope - [0:0]
-A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope
-A neutron-l3-agent-scope -i qr-6d393225-2e -j MARK --set-xmark 0x4010000/0xffff0000
-A neutron-l3-agent-scope -i qr-d257abb8-e1 -j MARK --set-xmark 0x4000000/0xffff0000
-A neutron-l3-agent-scope -i qg-f64c7892-1d -j MARK --set-xmark 0x4010000/0xffff0000
:neutron-l3-agent-scope - [0:0]
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-scope -o qr-6d393225-2e -m mark ! --mark 0x4010000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-d257abb8-e1 -m mark ! --mark 0x4000000/0xffff0000 -j DROP

What are these iptables rules used for? In my opinion, from reading these
rules, I can get some information: any input traffic (on qr and qg devices)
will be marked, and we only accept this marked traffic, is that right?

What is the purpose of the l3 address scope?

What benefit do we get from l3 address scope?


Thanks
Zhi Chang

[1]:
https://docs.openstack.org/draft/networking-guide/config-address-scopes.html
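
Added example, not part of the original post and not Neutron code: a small Python model of the pasted rules that marks a packet by ingress interface, then applies the per-egress "! --mark ... -j DROP" checks to show which interface pairs this chain lets through. The function names (parse, survives_scope_chain, matrix) are hypothetical, and only the rules shown in the post are modelled, so other chains in the namespace may still affect real traffic.

```python
import re

# Rules copied from the iptables-save output in the post (wrapped lines rejoined).
RULES = """\
-A neutron-l3-agent-scope -i qr-6d393225-2e -j MARK --set-xmark 0x4010000/0xffff0000
-A neutron-l3-agent-scope -i qr-d257abb8-e1 -j MARK --set-xmark 0x4000000/0xffff0000
-A neutron-l3-agent-scope -i qg-f64c7892-1d -j MARK --set-xmark 0x4010000/0xffff0000
-A neutron-l3-agent-scope -o qr-6d393225-2e -m mark ! --mark 0x4010000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-d257abb8-e1 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
"""

SET_RE = re.compile(r"-i (\S+) -j MARK --set-xmark (0x[0-9a-f]+)/(0x[0-9a-f]+)")
DROP_RE = re.compile(r"-o (\S+) -m mark ! --mark (0x[0-9a-f]+)/(0x[0-9a-f]+) -j DROP")


def parse(rules):
    """Return (ingress, egress): per-interface (value, mask) tuples."""
    ingress, egress = {}, {}
    for line in rules.splitlines():
        if m := SET_RE.search(line):
            ingress[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := DROP_RE.search(line):
            egress[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return ingress, egress


def survives_scope_chain(in_if, out_if, rules=RULES, mark=0):
    """True if a packet routed in_if -> out_if is not dropped by these rules."""
    ingress, egress = parse(rules)
    if in_if in ingress:
        value, mask = ingress[in_if]
        mark = (mark & ~mask) ^ value      # --set-xmark: clear mask bits, XOR value
    if out_if in egress:
        value, mask = egress[out_if]
        if (mark & mask) != value:         # "! --mark value/mask" matched -> DROP
            return False
    return True                            # no DROP rule in this chain matched


def matrix(rules=RULES):
    """Verdict for every ordered pair of distinct interfaces named in the rules."""
    ingress, egress = parse(rules)
    ifaces = sorted(set(ingress) | set(egress))
    return {(i, o): survives_scope_chain(i, o, rules)
            for i in ifaces for o in ifaces if i != o}


if __name__ == "__main__":
    for (i, o), ok in matrix().items():
        print(f"{i} -> {o}: {'pass' if ok else 'DROP'}")
```
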