[Openstack-operators] error applying iptables rules openvswitch
Pedro Sousa
pgsousa at gmail.com
Fri May 8 17:58:17 UTC 2015
Hi all,
I'm trying to apply floating ips to my instances but I cannot connect to
them, I can however ping my router 192.168.100.1. Looking at the rules I
see that the floating ip rules are being applied only for my router, I
should have nat rules for the remaining ips, look below.
[root@compute03 ~]# ip netns exec qrouter-7660497d-ecad-41d0-b6a9-2e8e268b8b05 iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-f8ca9462-58 ! -o qg-f8ca9462-58 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.20.0/24 -j SNAT --to-source 192.168.100.1
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
Looking at openvswitch logs I see this:
2015-05-08 18:49:40.702 4576 ERROR neutron.agent.linux.utils [req-39e10a37-f8f9-44b3-8625-9ef80427f4c8 None]
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'iptables-restore', '-c']
Exit code: 1
Stdout: ''
Stderr: 'iptables-restore: line 37 failed\n'
2015-05-08 18:49:40.703 4576 ERROR neutron.agent.linux.iptables_manager [req-39e10a37-f8f9-44b3-8625-9ef80427f4c8 None] IPTablesManager.apply failed to apply the following set of iptables rules:
33. :INPUT ACCEPT [1857:623264]
34. :FORWARD ACCEPT [279:20488]
35. :OUTPUT ACCEPT [2040:428982]
36. COMMIT
37. :neutron-filter-top - [0:0]
38. :neutron-openvswi-FORWARD - [0:0]
39. :neutron-openvswi-INPUT - [0:0]
40. :neutron-openvswi-OUTPUT - [0:0]
41. :neutron-openvswi-i09e357b7-2 - [0:0]
42. :neutron-openvswi-i21466de5-1 - [0:0]
Can anybody help to figure out this issue? Is it a bug or something?
I use CentOS 7, Juno with Neutron HA.
Thanks,
Pedro Sousa
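
An added example, not part of the original post and not Neutron's own code: a Python triage helper that takes the iptables-restore stderr and the numbered rule window from the log above, pulls out the reported line, and checks whether it sits inside a `*table` ... `COMMIT` block, the only place iptables-restore accepts chain declarations and rules. The sample input is constructed from the excerpt in the post, the function names are hypothetical, and the state before line 33 is treated as unknown because the window starts mid-file.

```python
import re

# Constructed sample: stderr and part of the numbered window from the log in the post.
STDERR = "iptables-restore: line 37 failed\n"
DUMP = """\
33. :INPUT ACCEPT [1857:623264]
34. :FORWARD ACCEPT [279:20488]
35. :OUTPUT ACCEPT [2040:428982]
36. COMMIT
37. :neutron-filter-top - [0:0]
38. :neutron-openvswi-FORWARD - [0:0]
39. :neutron-openvswi-INPUT - [0:0]
"""

def failed_line(stderr):
    """Return the line number iptables-restore reported, or None."""
    m = re.search(r"iptables-restore: line (\d+) failed", stderr)
    return int(m.group(1)) if m else None

def parse_dump(dump):
    """Map the 'N. text' numbered log lines to {N: text}."""
    found = (re.match(r"\s*(\d+)\.\s(.*)$", raw) for raw in dump.splitlines())
    return {int(m.group(1)): m.group(2).rstrip() for m in found if m}

def structure_findings(lines):
    """Track *table ... COMMIT blocks; in_table is None until the window proves a state."""
    in_table, findings = None, {}
    for no in sorted(lines):
        text = lines[no]
        if not text or text.startswith("#"):
            continue  # blank lines and comments are valid anywhere
        if text.startswith("*"):
            if in_table:
                findings[no] = "table header inside an open block"
            in_table = True
        elif text == "COMMIT":
            if in_table is False:
                findings[no] = "COMMIT without an open table"
            in_table = False
        elif in_table is False:
            kind = "chain declaration" if text.startswith(":") else "rule"
            findings[no] = kind + " outside any *table ... COMMIT block"
    return findings

def triage(stderr, dump):
    """Return (line number, line text, structural finding or None) for the failure."""
    lines, no = parse_dump(dump), failed_line(stderr)
    return no, lines.get(no), structure_findings(lines).get(no)

if __name__ == "__main__":
    print(triage(STDERR, DUMP))
```

A finding of `None` for the reported line means the block structure around it is intact and the rule content itself is what needs checking.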