<html><head><style>*{font-family:Calibri,Arial;}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Just one more thing to add, </div><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Calibri,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">DNAT just says that if a machine has an IP of 192.xxxx, it will be recognized as 100.0.0.14. It seems like you have floating IP addresses associated with them. </div> <div id="bloop_sign_1385098679125533184"><span style="font-family:helvetica,arial;font-size:13px"></span>-- <br>Remo Mattei<br><br></div> <br><p style="color:#A0A0A8;">On November 21, 2013 at 20:33:39, Liu Wenmao (<a href="mailto://marvelliu@gmail.com">marvelliu@gmail.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div>
<div dir="ltr">
<div>
<div>Hi:<br>
<br></div>
I notice that there are two chains, neutron-l3-agent-OUTPUT and
neutron-l3-agent-PREROUTING, in neutron namespace iptables, both of
which are the same except for the first redirect rule:<br>
<br></div>
I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain;
aren't the rules in neutron-l3-agent-PREROUTING (called by
PREROUTING) sufficient when foreign hosts connect to an inner
VM?<br>
<div><br>
<pre>
Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17
</pre>
<br>
<pre>
Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
    6   312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
  362 18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
    7   356 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
    1    78 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
   24  1235 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
   14   812 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
  665 35774 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
  715 38158 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
  788 42206 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17
</pre>
<br></div>
<div>Thanks<br>
<br></div>
<div>Liu Wenmao<br></div>
</div>
_______________________________________________
<br>Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
<br>Post to : openstack@lists.openstack.org
<br>Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
<br>
<br>
<br></div></div></span></blockquote></body></html>