<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><style>body { line-height: 1.5; }blockquote { margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em; }div.foxdiv20161213174351023077 { }body { font-size: 10.5pt; font-family: 微软雅黑; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><body>
<div><span></span>yep ...</div><div><br></div><div> I just found the security issue too. My fault , thank you ! and sorry for it.</div>
<div><br></div><hr style="width: 210px; height: 1px;" color="#b5c4df" size="1" align="left">
<div><span>walterxj</span></div>
<blockquote style="margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em;"><div> </div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#000000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>From:</b> <a href="mailto:correajl@gmail.com">Jorge Luiz Correa</a></div><div><b>Date:</b> 2016-12-13 17:43</div><div><b>To:</b> <a href="mailto:walterxj@gmail.com">walterxj</a></div><div><b>CC:</b> <a href="mailto:openstack@lists.openstack.org">openstack</a></div><div><b>Subject:</b> Re: [Openstack] instance's provider network ip can not be accessed from outside.</div></div></div><div><div class="FoxDiv20161213174351023077"><div dir="ltr"><div>Hum, have you checked the security group rules? By default, all traffic can go out from VMs, but we need to create some rules to pass traffic from outside to VMs. <br><br></div>I'm just making a bet. Maybe this iptables rule is the rule that drop the packets when there is no rule do pass them from outside to inside. <br><br>:)<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">- JLC</div></div></div>
<br><div class="gmail_quote">On Tue, Dec 13, 2016 at 6:55 AM, walterxj <span dir="ltr"><<a href="mailto:walterxj@gmail.com" target="_blank">walterxj@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div>
<div><span></span><span style="background-color:rgba(0,0,0,0)">Hi,<br>
<br> I'm following the guide of newton with CentOS7 (<a href="http://docs.openstack.org/newton/install-guide-rdo/neutron.html" target="_blank">http://docs.openstack.org/<wbr>newton/install-guide-rdo/<wbr>neutron.html</a>) ,everything seems OK but when I ping the vm's ip (in provider network) from node(assume nodeA) on the provider physical network ,it returns unreachable.But nodeA can reach the provider network's dhcp and gateway ip. Also the vm can reach dhcp and gateway and nodeA's IP.
<br> After a long time research I found that the problem resulted in the compute-node's iptables:
<br>there is an iptables chain for each bridge,just like: -A neutron-linuxbri-i7f605f37-f -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback,<wbr>when I delete this chain,the vm's provider network ip can be reached! Everything works well.Is this a bug or I have misconfigured something? Any advice is appreciated !</span></div>
<div><br></div><hr style="width:210px;height:1px" size="1" align="left" color="#b5c4df"><span class="HOEnZb"><font color="#888888">
<div><span>walterxj</span></div>
</font></span></div><br>______________________________<wbr>_________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack</a><br>
<br></blockquote></div><br></div>
</div></div></blockquote>
</body></html>