[openstack-dev] [neutron][address-scope] Questions about l3 address scope

Kevin Benton kevin at benton.pub
Thu Mar 2 18:54:37 UTC 2017


Address scopes allow traffic to go across a router without performing any
NAT. The rules you see there ensure that traffic isn't routed directly if
it crosses from one address scope to another.

On Wed, Mar 1, 2017 at 7:21 AM, zhi <changzhi1990 at gmail.com> wrote:

> Hi, all.
>
> I have some questions about l3 address scope in neutron. I hope that
> someone could give me some answers.
>
> I set up a devstack environment and it uses the feature of l3 address
> scope by following the document [1]. After doing those steps, I can find
> some iptables rules in namespace, showing like this:
>
> root@devstack:~# iptables-save |grep neutron-l3-agent-scope
> :neutron-l3-agent-scope - [0:0]
> -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope
> -A neutron-l3-agent-scope -i qr-6d393225-2e -j MARK --set-xmark 0x4010000/0xffff0000
> -A neutron-l3-agent-scope -i qr-d257abb8-e1 -j MARK --set-xmark 0x4000000/0xffff0000
> -A neutron-l3-agent-scope -i qg-f64c7892-1d -j MARK --set-xmark 0x4010000/0xffff0000
> :neutron-l3-agent-scope - [0:0]
> -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
> -A neutron-l3-agent-scope -o qr-6d393225-2e -m mark ! --mark 0x4010000/0xffff0000 -j DROP
> -A neutron-l3-agent-scope -o qr-d257abb8-e1 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
>
> What are these iptables rules used for? In my opinion, by reading these
> rules, I can get some information: any input traffic (qr and qg devices)
> will be marked and we only accept this marked traffic, isn't it?
>
> What is the purpose of the l3 address scope?
>
> What can we benefit from l3 address scope?
>
>
> Thanks
> Zhi Chang
>
> [1]: https://docs.openstack.org/draft/networking-guide/config-address-scopes.html
>
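
Added example, not part of either message above and not neutron code: a small Python model of the quoted rules that shows which interface pairs the scope chain lets through and which it drops. The function names are made up for illustration, and the model covers only the five rules shown; other chains in the router namespace (NAT, for instance) are not modelled.

```python
import re

# Rules copied from the iptables-save output quoted above (wrapped lines joined).
RULES = """\
-A neutron-l3-agent-scope -i qr-6d393225-2e -j MARK --set-xmark 0x4010000/0xffff0000
-A neutron-l3-agent-scope -i qr-d257abb8-e1 -j MARK --set-xmark 0x4000000/0xffff0000
-A neutron-l3-agent-scope -i qg-f64c7892-1d -j MARK --set-xmark 0x4010000/0xffff0000
-A neutron-l3-agent-scope -o qr-6d393225-2e -m mark ! --mark 0x4010000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-d257abb8-e1 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
"""

SET_RE = re.compile(r"-i (\S+) -j MARK --set-xmark (0x[0-9a-f]+)/(0x[0-9a-f]+)")
DROP_RE = re.compile(r"-o (\S+) -m mark ! --mark (0x[0-9a-f]+)/(0x[0-9a-f]+) -j DROP")

def parse(rules):
    """Return (ingress, egress): device -> (value, mask) for each rule type."""
    ingress, egress = {}, {}
    for line in rules.splitlines():
        for rx, table in ((SET_RE, ingress), (DROP_RE, egress)):
            m = rx.search(line)
            if m:
                table[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return ingress, egress

def verdict(in_dev, out_dev, ingress, egress, mark=0):
    """Model one packet: PREROUTING sets the mark, FORWARD may drop it."""
    if in_dev in ingress:
        value, mask = ingress[in_dev]
        mark = (mark & ~mask) ^ value  # --set-xmark: clear masked bits, XOR value
    if out_dev in egress:
        value, mask = egress[out_dev]
        if (mark & mask) != value:  # "! --mark value/mask" matched
            return "DROP"
    return "CONTINUE"  # not dropped by this chain; later rules still apply

def scope_groups(ingress):
    """Group ingress devices by the scope mark they are assigned."""
    groups = {}
    for dev, (value, mask) in ingress.items():
        groups.setdefault(hex(value & mask), []).append(dev)
    return groups

if __name__ == "__main__":
    ing, eg = parse(RULES)
    print(scope_groups(ing))
    for src in ing:
        print({dst: verdict(src, dst, ing, eg) for dst in eg}, "from", src)
```

In this output qg-f64c7892-1d and qr-6d393225-2e carry the same mark, so traffic between them is not dropped by the chain, while anything entering or leaving qr-d257abb8-e1 from the other two devices is.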