[Openstack] RDO: IPtables with DNAT
Brian Haley
brian.haley at hpe.com
Thu Feb 4 14:56:42 UTC 2016
On 02/04/2016 07:05 AM, Kamen Tarlov wrote:
> Hello,
>
> We have a single node installation with RDO Kilo release. Network configuration
> consists of 2 private networks and one of them is floating. Networks are routed
> just inside the node. The problem I'm facing is when I try to configure the
> DNAT rules to reroute the traffic/ports to VM. Initially the traffic to VM works
> fine until neutron reorders the rules on top:
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> neutron-openvswi-PREROUTING all -- anywhere anywhere
> nova-api-PREROUTING all -- anywhere anywhere
>
> Is there any way I can prevent this or set them with lower priority?
I guess my first question is, why are you manually adding DNAT rules? Why
aren't you letting Neutron manage iptables for the VMs? You would need to give
more information on the exact rule you are trying to add to help make things
clearer.
As a rule of thumb, it's a bad idea to try and add/remove iptables rules while
Neutron agents are running; you will eventually find yourself in a race
condition where rules are missing and things don't work. If you need to add a
rule I would recommend doing it before the agents are started, that way it will
get left alone.
-Brian
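The ordering problem Kamen describes (Neutron's jump chains inserted above a hand-added DNAT rule in the nat PREROUTING chain) can be spotted without touching the live ruleset. The following read-only check is an added example, not code from this thread or from RDO/Neutron; it runs awk over a constructed sample of `iptables -t nat -L PREROUTING -n --line-numbers` output embedded in the script, and reports any DNAT rule whose line number is higher than the first neutron-/nova- jump. On a real node you would pipe the actual listing in instead of the constructed one.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L PREROUTING -n --line-numbers`
# output, embedded so the check runs offline. The DNAT line is a hypothetical
# port-forward (host 192.0.2.10:2222 -> VM 10.0.0.5:22), not one from the thread.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    neutron-openvswi-PREROUTING  all  --  0.0.0.0/0            0.0.0.0/0
2    nova-api-PREROUTING  all  --  0.0.0.0/0            0.0.0.0/0
3    DNAT       tcp  --  0.0.0.0/0            192.0.2.10           tcp dpt:2222 to:10.0.0.5:22'

# dnat_positions LISTING
#   Print "<rule_num> <target>" for each PREROUTING entry that is either a jump
#   into a Neutron/Nova-managed chain or a DNAT rule, in chain order.
#   Rows 1-2 of the listing are the "Chain ..." and column-header lines.
dnat_positions() {
    printf '%s\n' "$1" | awk '
        NR > 2 && ($2 ~ /^(neutron|nova)-/ || $2 == "DNAT") { print $1, $2 }'
}

# shadowed_dnat LISTING
#   Exit 0 and print the rule numbers of every DNAT rule that sits BELOW the
#   first neutron-/nova- jump (so the agent-managed chains see the packet
#   first); exit 1 when no DNAT rule is shadowed.
shadowed_dnat() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $2 ~ /^(neutron|nova)-/ && first_agent == "" { first_agent = $1 + 0 }
        NR > 2 && $2 == "DNAT" && first_agent != "" && ($1 + 0) > first_agent {
            print $1; found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Stand-alone usage: on a live node replace SAMPLE_LISTING with
#   "$(iptables -t nat -L PREROUTING -n --line-numbers)"
if shadowed_dnat "$SAMPLE_LISTING" >/dev/null; then
    echo "DNAT rule(s) shadowed by Neutron/Nova PREROUTING jumps:"
    shadowed_dnat "$SAMPLE_LISTING"
else
    echo "no shadowed DNAT rules in PREROUTING"
fi
```

The check only reads the chain, which keeps it safe to run while the agents are up; it tells you whether the agent-managed chains have moved above your rule, without trying to race the agents by re-inserting it.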