[Openstack] RDO: IPtables with DNAT
Brian Haley
brian.haley at hpe.com
Thu Feb 4 17:59:49 UTC 2016
On 02/04/2016 11:23 AM, Kamen Tarlov wrote:
> Sorry, my previous reply wasn't directed to the list. I'm reposting.
>
> Hello Brian,
>
> Thanks for the answer. Probably my knowledge of neutron is not sufficient to
> add a DNAT address from there. But let me answer your question.
>
> When I get the machine up with a private address I'm adding an ifconfig alias, for
> example bond0:1 with the real IP, and then setting rules for different ports to
> different VMs.
When you configured your external network and subnet in Neutron, you should have
specified an allocation range for Floating IP addresses. See
http://docs.openstack.org/kilo/install-guide/install/apt/content/neutron_initial-external-network.html
for an example. You shouldn't need to manually add an IP address for a VM.
> '/sbin/iptables -t nat -A neutron-openvswi-PREROUTING -d {{ external_ip }} -p
> tcp --dport {{ external_ports }} -j DNAT --to-destination {{ vm.address }}:{{
> internal_ports }} '
> (well, before that I was setting it in the PREROUTING chain, but it was the same)
>
> So basically I would like to persist a rule like this in the
> neutron-openvswi-PREROUTING chain.
This will never work. The problem is that those iptables chains and rules
starting with 'neutron-openvswi-' are "owned" by the neutron agent. Any time
there is a port status change requiring a security group update, it will
re-write everything with that prefix, throwing away whatever you put there.
> I know the other way would be to set the public IP as floating, but that's too much
> waste of resources for a single node.
>
> This is what I'm trying to achieve. If there is any better way of doing it through
> the neutron API, it would be nice to know.
>
> If I understand correctly, if the neutron agents are down and I apply the
> iptables command, will the rules be preserved after start?
Not if you are using that prefix, only for other rules you might be adding to
other chains, like filter:INPUT.
-Brian
> On Thu, Feb 4, 2016 at 6:05 PM, Remo Mattei <Remo at italy1.com
> <mailto:Remo at italy1.com>> wrote:
>
> I agree with Brian
>
> Let neutron do all the work, and now those rules are in the namespace.
> Therefore I would suggest to try and let all the services do their job and
> see if that works.
>
> Sent from my iPhone
>
> > On 04 Feb 2016, at 06:56, Brian Haley <brian.haley at hpe.com
> <mailto:brian.haley at hpe.com>> wrote:
> >
> >> On 02/04/2016 07:05 AM, Kamen Tarlov wrote:
> >> Hello,
> >>
> >> We have a single node installation with the RDO Kilo release. The network
> >> configuration consists of 2 private networks, and one of them is floating.
> >> Networks are routed just inside the node. The problem I'm facing is when I
> >> try to configure the DNAT rules to reroute the traffic/ports to a VM.
> >> Initially the traffic to the VM works fine until neutron reorders the rules
> >> on top:
> >>
> >> Chain PREROUTING (policy ACCEPT)
> >> target prot opt source destination
> >> neutron-openvswi-PREROUTING all -- anywhere anywhere
> >> nova-api-PREROUTING all -- anywhere anywhere
> >>
> >> Is there any way I can prevent this or set them with lower priority?
> >
> > I guess my first question is, why are you manually adding DNAT rules?
> > Why aren't you letting Neutron manage iptables for the VMs? You would need
> > to give more information on the exact rule you are trying to add to help
> > make things clearer.
> >
> > As a rule of thumb, it's a bad idea to try and add/remove iptables rules
> > while Neutron agents are running; you will eventually find yourself in a
> > race condition where rules are missing and things don't work. If you need
> > to add a rule I would recommend doing it before the agents are started, that
> > way it will get left alone.
> >
> > -Brian
> >
> --
> Best Regards,
> Kamen Tarlov
> Sr. Engineer
> phone +359 894224491
> Bulgaria, Sofia
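Added example (not from the thread, not Neutron's own code): a POSIX shell check that reads `iptables-save -t nat` output and lists DNAT rules sitting in chains with the agent-owned `neutron-openvswi-` prefix, which Brian explains the agent rewrites on the next security group refresh. The sample rules, chain contents and addresses below are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output, modelled on the chain
# names quoted in the thread (neutron-openvswi-PREROUTING, nova-api-PREROUTING).
# 203.0.113.10 and 10.0.0.5 are documentation placeholder addresses.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A neutron-openvswi-PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
-A nova-api-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
COMMIT'

# Print every DNAT rule whose chain name starts with an agent-owned prefix.
# Such rules are not a durable home for an operator's own NAT: the agent
# re-creates the whole prefix and drops anything it did not put there.
# Usage: agent_owned_dnat_rules [prefix] < iptables-save-output
agent_owned_dnat_rules() {
    prefix="${1:-neutron-openvswi-}"
    awk -v p="$prefix" '
        # "-A <chain> ..." lines are rules; index()==1 is a prefix match.
        $1 == "-A" && index($2, p) == 1 && / -j DNAT / { print }
    '
}

# Number of such rules, usable as a health check (0 means nothing will be lost).
count_agent_owned_dnat() {
    agent_owned_dnat_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample: prints the one rule at risk.
printf '%s\n' "$SAMPLE_NAT_RULES" | agent_owned_dnat_rules
```

On a live node, `iptables-save -t nat | agent_owned_dnat_rules` performs the same check against the real ruleset.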