[Openstack] Routing from instances to floating ips in nova-network -- possible?

Andrew Bogott abogott at wikimedia.org
Fri May 15 04:06:05 UTC 2015


On 5/14/15 12:55 PM, Antonio Messina wrote:
> On Thu, May 14, 2015 at 6:19 PM, Andrew Bogott <abogott at wikimedia.org> wrote:
>> OK, we've made some progress with this -- the solution seems to involve
>> changing my dmz_cidr setting and switching our bridge to promiscuous mode.
> I don't have any dmz_cidr option in my nova.conf, so I don't know if
> it's relevant.
>
> My bridges, instead, are all in promiscuous mode (I forgot about
> that). I don't remember the details but I kind of remember it was needed.
>
>> However -- I'm now unclear on whether this will fix all routing, or just
>> routing between instances that have floating IPs assigned (I have lots of
>> both.)  Antonio, do all cases work?  Or do you have floating ips assigned to
>> everything?
> I'm pretty sure it will not work if the source VM doesn't have a
> floating IP. The problem is, I think, that SNAT is usually performed
> only to packets leaving the controller node on the public interface:
Argh!  OK, that means that 'fixing' this issue will only make behavior 
less consistent for my users.  I guess I have to fix this in DNS instead :(


>      iptables -t nat -A nova-network-snat -s 10.65.4.0/22 -o eth3 -j SNAT --to-source <public-ip-of-controller>
>
> (this is the SNAT rule I have on my controller)
>
> therefore, a packet
>
>    <fixed-ip-vm-A> => <floating-ip-vm-B>
>
> is rewritten with a DNAT only, becoming:
>
>    <fixed-ip-vm-A> => <fixed-ip-vm-B>
>
> This packet will reach vm-B that will answer with
>
>    <fixed-ip-vm-B> => <fixed-ip-vm-A>
>
> which is not recognized by vm-B as part of any connection it
> initiated.
>
> Maybe you could try to manually add an additional rule like:
>
>      iptables -t nat -A nova-network-snat -s 10.65.4.0/22 -o br100 -j SNAT --to-source <public-ip-of-controller>
>
> but I don't know if I'm missing something. Last time I had to fix this
> I spent some time with pen and paper trying to sketch the flow of
> packets through the iptables rules :)
>
> .a.
>
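The packet walk Antonio sketches with pen and paper can be traced in code. The following is an added example, not anything posted in this thread: a small model of the nova-network node's DNAT (floating to fixed), routing decision, conditional SNAT and conntrack reversal, using the two quoted rule shapes. All IP addresses are constructed stand-ins (`203.0.113.1` for `<public-ip-of-controller>`, the `10.65.4.x` fixed IPs, the floating IP and the external host), and it assumes the simplification that a reply addressed to another VM on the same fixed subnet is delivered directly over `br100` without passing through the controller's NAT rules, while anything off-subnet goes back through the gateway.

```python
"""Model of the nova-network NAT path discussed in the thread above.

Added example, not code from the mailing list. IP addresses are constructed
stand-ins; the rule shapes follow the two iptables lines quoted in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TENANT_CIDR = ip_network("10.65.4.0/22")   # the -s range from the quoted rules
CONTROLLER_PUBLIC = "203.0.113.1"          # stands in for <public-ip-of-controller>
FIXED_A = "10.65.4.10"                     # constructed: fixed IP of vm-A
FIXED_B = "10.65.4.11"                     # constructed: fixed IP of vm-B
FLOATING_B = "203.0.113.20"                # constructed: floating IP associated with vm-B
EXTERNAL_HOST = "198.51.100.5"             # constructed: a host outside the cloud
FLOATING_TO_FIXED = {FLOATING_B: FIXED_B}  # nova's DNAT mapping (floating -> fixed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def on_tenant_subnet(ip: str) -> bool:
    return ip_address(ip) in TENANT_CIDR


class Controller:
    """The network node: PREROUTING DNAT, routing decision, POSTROUTING SNAT, conntrack."""

    def __init__(self, snat_out_ifaces):
        # interfaces named by "-o" in nova-network-snat rules, e.g. {"eth3"} or {"eth3", "br100"}
        self.snat_out_ifaces = set(snat_out_ifaces)
        self.conntrack = {}  # (orig_src, orig_dst) -> (src_after_nat, dst_after_nat)

    def egress_iface(self, dst: str) -> str:
        # Fixed-range destinations leave via the bridge, everything else via the public NIC.
        return "br100" if on_tenant_subnet(dst) else "eth3"

    def forward(self, pkt: Packet) -> Packet:
        # Reply direction: conntrack undoes the translation recorded for the original packet.
        for (osrc, odst), (nsrc, ndst) in self.conntrack.items():
            if (pkt.src, pkt.dst) == (ndst, nsrc):
                return Packet(odst, osrc)
        # PREROUTING: a floating IP is DNATed to the fixed IP it is associated with.
        dst = FLOATING_TO_FIXED.get(pkt.dst, pkt.dst)
        out = self.egress_iface(dst)
        # POSTROUTING: SNAT fires only when both "-s <tenant cidr>" and "-o <iface>" match.
        snat = on_tenant_subnet(pkt.src) and out in self.snat_out_ifaces
        src = CONTROLLER_PUBLIC if snat else pkt.src
        self.conntrack[(pkt.src, pkt.dst)] = (src, dst)
        return Packet(src, dst)


def round_trip(snat_out_ifaces, target: str) -> Packet:
    """Send FIXED_A -> target, let the receiver answer, return the reply as vm-A sees it."""
    ctrl = Controller(snat_out_ifaces)
    at_receiver = ctrl.forward(Packet(FIXED_A, target))  # target is off-subnet: via gateway
    reply = Packet(at_receiver.dst, at_receiver.src)       # receiver answers the source it saw
    if on_tenant_subnet(reply.dst):
        return reply            # same L2 segment: delivered over br100, NAT rules never consulted
    return ctrl.forward(reply)  # off-subnet: back through the controller, conntrack reverses NAT


def reply_matches_request(snat_out_ifaces, target: str) -> bool:
    """True if vm-A receives the reply from the address it actually talked to."""
    return round_trip(snat_out_ifaces, target) == Packet(target, FIXED_A)


if __name__ == "__main__":
    for ifaces in ({"eth3"}, {"eth3", "br100"}):
        print(sorted(ifaces),
              "vm-B via floating IP:", round_trip(ifaces, FLOATING_B),
              "ok" if reply_matches_request(ifaces, FLOATING_B) else "BROKEN",
              "| external host:",
              "ok" if reply_matches_request(ifaces, EXTERNAL_HOST) else "BROKEN")
```

With only the `-o eth3` rule, vm-A's SYN to the floating IP is DNATed but not SNATed, so vm-B sees `fixed-A => fixed-B` and answers `fixed-B => fixed-A` straight across the bridge; vm-A expected a reply from the floating IP and drops it. With the additional `-o br100` rule the request reaches vm-B as `controller-public => fixed-B`, the reply has to go back via the gateway, and conntrack rewrites it to `floating-B => fixed-A`. The trade-off a defender should note is the one Andrew alludes to: on the second configuration every VM-to-floating-IP connection appears to the receiving instance (and in its logs and security-group matching) to come from the controller's public address rather than from the originating instance.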