<div dir="ltr">Sorry, my previous reply wasn't directed to the list. I'm reposting.<div><br></div><div><span style="font-size:12.8px">Hello Brian, </span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Thanks for the answer. Probably my knowledge around neutron is not sufficient to add a DNAT address from there. But let me answer your question.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">When I get the machine up with a private address I'm adding an ifconfig alias, for example bond0:1, with the real IP and then setting rules for different ports to different VMs.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">'/sbin/iptables -t nat -A neutron-openvswi-PREROUTING -d {{ external_ip }} -p tcp --dport {{ external_ports }} -j DNAT --to-destination {{ vm.address }}:{{ internal_ports }} '</span><br style="font-size:12.8px"><span style="font-size:12.8px">(well, before that I was setting it in the PREROUTING chain but it was the same)</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">So basically I would like to persist a rule like this in the neutron-openvswi-PREROUTING chain.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">I know the other way would be to set the public IP as floating, but that's too much of a waste of resources for a single node.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">This is what I'm trying to achieve; if there is any better way of doing it through the neutron API it would be nice to know.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">If I understand correctly, if the neutron agents are down and I apply the iptables command, the rules will be preserved after start?</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Thanks,</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Best regards,</span><br style="font-size:12.8px"><span style="font-size:12.8px">Kamen</span><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 4, 2016 at 6:05 PM, Remo Mattei <span dir="ltr"><<a href="mailto:Remo@italy1.com" target="_blank">Remo@italy1.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I agree with Brian<br>
<br>
Let neutron do all the work, and now those rules are in the namespace. Therefore I would suggest trying to let all the services do their job and see if that works.<br>
<br>
Sent from iPhone<br>
<div><div class="h5"><br>
> On 04 Feb 2016, at 06:56, Brian Haley <<a href="mailto:brian.haley@hpe.com">brian.haley@hpe.com</a>> wrote:<br>
><br>
>> On 02/04/2016 07:05 AM, Kamen Tarlov wrote:<br>
>> Hello,<br>
>><br>
>> We have a single node installation with RDO Kilo release. The network configuration<br>
>> consists of 2 private networks and one of them is floating. Networks are routed<br>
>> just inside the node. The problem I'm facing is when I try to configure the<br>
>> DNAT rules to reroute the traffic/ports to a VM. Initially the traffic to the VM works<br>
>> fine until neutron reorders the rules on top:<br>
>><br>
>> Chain PREROUTING (policy ACCEPT)<br>
>> target prot opt source destination<br>
>> neutron-openvswi-PREROUTING all -- anywhere anywhere<br>
>> nova-api-PREROUTING all -- anywhere anywhere<br>
>><br>
>> Is there any way I can prevent this or set them with lower priority?<br>
><br>
> I guess my first question is, why are you manually adding DNAT rules? Why aren't you letting Neutron manage iptables for the VMs? You would need to give more information on the exact rule you are trying to add to help make things clearer.<br>
><br>
> As a rule of thumb, it's a bad idea to try and add/remove iptables rules while Neutron agents are running, you will eventually find yourself in a race condition where rules are missing and things don't work. If you need to add a rule I would recommend doing it before the agents are started, that way it will get left alone.<br>
><br>
> -Brian<br>
><br>
> _______________________________________________<br>
> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br>
</div></div>
<div class="HOEnZb"><div class="h5">><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div>Regards/Best Regards,</div>
<div> </div>
<div>Kamen Tarlov</div><div>Sr. Engineer<br>phone +359 894224491<br>Bulgaria, Sofia</div></div></div></div>
</div>
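The thread's worry is that neutron flushes or reorders a hand-added DNAT rule. Below is an added example, not code from the thread or from Neutron: it parses `iptables-save -t nat` output (a constructed sample with documentation addresses is embedded) and reports whether a given DNAT rule is still present and at which position in which chain, so a periodic check can detect the drift Brian describes. Function names and the sample are assumptions.

```python
"""Drift check for a hand-added DNAT rule in the nat table (added example)."""
import shlex

# Constructed sample of `iptables-save -t nat` output; the addresses are
# documentation ranges and the rule layout is an assumption, not from the thread.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A neutron-openvswi-PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.0.5:22
COMMIT
"""

def parse_nat(text):
    """Map each nat chain name to its ordered list of tokenised rules."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                 # chain declaration
            chains[line[1:].split()[0]] = []
        elif line.startswith("-A "):             # append-rule line
            toks = shlex.split(line)
            chains.setdefault(toks[1], []).append(toks[2:])
    return chains

def opt(toks, flag):
    """Return the value following `flag` in a tokenised rule, or None."""
    return toks[toks.index(flag) + 1] if flag in toks else None

def find_dnat(chains, external_ip, dport, to_dest):
    """Locate a DNAT rule by destination IP (with or without /32), port
    and target; returns (chain, 0-based index) or None."""
    for chain, rules in chains.items():
        for i, toks in enumerate(rules):
            dst = (opt(toks, "-d") or "").split("/")[0]
            if (opt(toks, "-j") == "DNAT" and dst == external_ip
                    and opt(toks, "--dport") == str(dport)
                    and opt(toks, "--to-destination") == to_dest):
                return chain, i
    return None

def check_drift(text, external_ip, dport, to_dest):
    """Report whether the manual rule survived and where it now sits."""
    hit = find_dnat(parse_nat(text), external_ip, dport, to_dest)
    if hit is None:
        return {"present": False}
    return {"present": True, "chain": hit[0], "position": hit[1]}
```

Feed it the live output of `iptables-save -t nat` instead of SAMPLE to check a running node.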