<div dir="ltr"><div><div>Hi Remo:<br><br></div>I know OUTPUT in the native iptables
table is for outgoing traffic, but since the l3-agent is playing the role of a router, all data
from a VM to the external network goes through FORWARD/PREROUTING/POSTROUTING, so why does
the l3-agent add a neutron-l3-agent-OUTPUT chain in the OUTPUT chain of the nat
table? Is this chain necessary? The packet counts of the
neutron-l3-agent-OUTPUT rules are all zero.<br>
<br></div>p.s. the neutron-l3-agent-OUTPUT chain is in the nat table, not the default table:<br><br><div dir="ltr"><pre>
root@controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -nvx
Chain INPUT (policy ACCEPT 2632310 packets, 633146916 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 2632310  633146916 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 37757658 packets, 33160595764 bytes)
    pkts      bytes target     prot opt in     out     source               destination
37757658 33160595764 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
37757658 33160595764 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 22916 packets, 1850560 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   22916    1850560 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22916    1850560 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
    pkts      bytes target     prot opt in     out     source               destination
37780574 33162446324 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination
------------------------------------------------------------------------
root@controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-PREROUTING  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere
neutron-postrouting-bottom  all  --  anywhere             anywhere

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination
DNAT       all  --  anywhere             u20                  to:100.0.0.14
DNAT       all  --  anywhere             git.expr.nsfocus     to:100.0.0.11
DNAT       all  --  anywhere             u22                  to:100.0.0.12
DNAT       all  --  anywhere             u23                  to:100.0.0.15
DNAT       all  --  anywhere             u24                  to:100.0.0.16
DNAT       all  --  anywhere             u1                   to:100.0.0.13
DNAT       all  --  anywhere             192.168.19.138       to:100.0.0.19
DNAT       all  --  anywhere             192.168.19.139       to:100.0.0.18
DNAT       all  --  anywhere             192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-POSTROUTING (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697
DNAT       all  --  anywhere             u20                  to:100.0.0.14
DNAT       all  --  anywhere             git.expr.nsfocus     to:100.0.0.11
DNAT       all  --  anywhere             u22                  to:100.0.0.12
DNAT       all  --  anywhere             u23                  to:100.0.0.15
DNAT       all  --  anywhere             u24                  to:100.0.0.16
DNAT       all  --  anywhere             u1                   to:100.0.0.13
DNAT       all  --  anywhere             192.168.19.138       to:100.0.0.19
DNAT       all  --  anywhere             192.168.19.139       to:100.0.0.18
DNAT       all  --  anywhere             192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  100.0.0.14           anywhere             to:192.168.19.133
SNAT       all  --  100.0.0.11           anywhere             to:192.168.19.134
SNAT       all  --  100.0.0.12           anywhere             to:192.168.19.135
SNAT       all  --  100.0.0.15           anywhere             to:192.168.19.136
SNAT       all  --  100.0.0.16           anywhere             to:192.168.19.137
SNAT       all  --  100.0.0.13           anywhere             to:192.168.19.141
SNAT       all  --  100.0.0.19           anywhere             to:192.168.19.138
SNAT       all  --  100.0.0.18           anywhere             to:192.168.19.139
SNAT       all  --  100.0.0.17           anywhere             to:192.168.19.140

Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination
neutron-l3-agent-float-snat  all  --  anywhere             anywhere
SNAT       all  --  200.0.0.0/24         anywhere             to:192.168.19.130
SNAT       all  --  100.0.0.0/24         anywhere             to:192.168.19.130

Chain neutron-postrouting-bottom (1 references)
target     prot opt source               destination
neutron-l3-agent-snat  all  --  anywhere             anywhere
</pre></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div>Liu Wenmao<br></div><div>Researcher</div><div>NSFOCUS Strategic Research Institute</div><div>Address: 4th Floor, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing</div>
<div>Postal code: 100089</div><div>Tel: (010)68438880-8231</div><div>Fax: (010)68437328</div><div>Mobile: 13718994804</div><div>Email: <a href="mailto:liuwenmao@nsfocus.com" target="_blank">liuwenmao@nsfocus.com</a></div><div>Website: <a href="http://www.nsfocus.com" target="_blank">http://www.nsfocus.com</a></div>
</div></div>
<br><br><div class="gmail_quote">On Fri, Nov 22, 2013 at 1:37 PM, Remo Mattei <span dir="ltr"><<a href="mailto:Remo@mattei.org" target="_blank">Remo@mattei.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div style="font-family:Calibri,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">The pre route has nothing to do with going out. Packets travel from PRE to POST. So the OUTPUT rules are the ones allowing the packet to go out. POSTROUTING and PREROUTING are part of the nat module. Default rules in iptables are INPUT, FORWARD and OUTPUT; the nat ones are PREROUTING and POSTROUTING. Hope this helps a little with the iptables options. </div>
<div style="font-family:Calibri,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div style="font-family:Calibri,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Ciao </div>
<div>-- <br>Remo Mattei<br><br></div><div><div class="h5"> <br><p style="color:#a0a0a8">On November 21, 2013 at 20:33:39, Liu Wenmao (<a href="mailto:marvelliu@gmail.com" target="_blank">marvelliu@gmail.com</a>) wrote:</p>
</div></div><blockquote type="cite"><span><div><div><div><div class="h5">
<div dir="ltr">
<div>
<div>hi:<br>
<br></div>
I notice that there are two chains, neutron-l3-agent-OUTPUT and
neutron-l3-agent-PREROUTING, in the neutron namespace iptables, both of
which are the same except for the first REDIRECT rule:<br>
<br></div>
I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain;
are the rules in neutron-l3-agent-PREROUTING (called by
PREROUTING) not sufficient when foreign hosts connect to an inner
VM?<br>
<div><pre>
Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6        312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362      18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
       7        356 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
       1         78 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
      24       1235 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
      14        812 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
     665      35774 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
     715      38158 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
     788      42206 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17
</pre></div>
<div>Thanks<br>
<br></div>
<div>Liu Wenmao<br></div>
</div></div></div>
_______________________________________________
<br>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
<br>Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>
<br>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
<br>
<br>
<br></div></div></span></blockquote></div></blockquote></div><br></div>
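An added example (my own code, not from the thread or from Neutron) that parses the `iptables -L -nvx` listing format quoted above and performs the two checks the question rests on: which rules still have a zero packet counter, and how two chains differ once counters are ignored. The sample listing is constructed from the OUTPUT and PREROUTING chains quoted in the thread; chain and field names are taken from that output.

```python
import re

# Constructed sample in `iptables -t nat -L -nvx` format, modelled on the
# neutron-l3-agent-OUTPUT / -PREROUTING chains quoted in the thread.
SAMPLE = """\
Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0          0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6        312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362      18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

def parse_iptables(text):
    """Return {chain: [rule dict, ...]} from a verbose (-nvx) listing."""
    chains, current = {}, None
    for line in text.splitlines():
        m, cols = CHAIN_RE.match(line), line.split()
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and len(cols) >= 9 and cols[0] != "pkts":
            rule = dict(zip(FIELDS, cols[:9]))  # fixed columns of the listing
            rule["pkts"], rule["bytes"] = int(rule["pkts"]), int(rule["bytes"])
            rule["extra"] = " ".join(cols[9:])  # e.g. "to:100.0.0.14"
            chains[current].append(rule)
    return chains

def rule_key(rule):
    """Match/target fields only; the counters are deliberately excluded."""
    return tuple(rule[f] for f in ("target", "prot", "in", "out", "src", "dst", "extra"))

def unused_rules(chains, chain):
    """Keys of rules in `chain` whose packet counter is still zero."""
    return [rule_key(r) for r in chains[chain] if r["pkts"] == 0]

def chain_diff(chains, left, right):
    """(only-in-left, only-in-right), compared without counters."""
    lk = {rule_key(r) for r in chains[left]}
    rk = {rule_key(r) for r in chains[right]}
    return sorted(lk - rk), sorted(rk - lk)
```

A zero counter in the nat OUTPUT chain only says that no packet generated inside the router namespace itself has needed the DNAT yet; forwarded VM traffic never traverses OUTPUT, so its counters say nothing about whether the chain is redundant with PREROUTING.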