Sorry, this went to my spam folder.

On 4/29/24 7:15 PM, 2292613444@qq.com wrote:
Dear Brian Haley,

I found several blocking rules in the namespace of the router. I tried to clean it up (CMD: iptables -F). However, the current situation remains unchanged. Could you please tell me again what I can do? Thank you.
From SAM
##cmd,start
root@controller:~# ip netns
qrouter-48610214-6030-4e7e-8fe8-c60241e7c89c (id: 2)
qdhcp-2aa854ba-7fa6-43e4-989e-e97dafd777ee (id: 0)
qdhcp-c7d9811d-1fcc-4aee-8f01-6f556fb56044 (id: 1)
root@controller:~# ip netns exec qrouter-48610214-6030-4e7e-8fe8-c60241e7c89c bash
root@controller:~#

All the rules below beginning with 'neutron' were added by the neutron-l3-agent. They should not be modified and unfortunately removing them will just make things worse. If you restart that agent they should get re-created.

The important table for metadata would be the 'nat' table, as it will show the redirect rules. If you just use 'iptables-save -c' you will see all the tables as well as the packet counts for each chain.

-Brian

root@controller:~# iptables --list
Chain INPUT (policy ACCEPT)
target                    prot opt source    destination
neutron-l3-agent-INPUT    all  --  anywhere  anywhere

Chain FORWARD (policy ACCEPT)
target                    prot opt source    destination
neutron-filter-top        all  --  anywhere  anywhere
neutron-l3-agent-FORWARD  all  --  anywhere  anywhere

Chain OUTPUT (policy ACCEPT)
target                    prot opt source    destination
neutron-filter-top        all  --  anywhere  anywhere
neutron-l3-agent-OUTPUT   all  --  anywhere  anywhere

Chain neutron-filter-top (2 references)
target                    prot opt source    destination
neutron-l3-agent-local    all  --  anywhere  anywhere

Chain neutron-l3-agent-FORWARD (1 references)
target                    prot opt source    destination
neutron-l3-agent-scope    all  --  anywhere  anywhere

Chain neutron-l3-agent-INPUT (1 references)
target                    prot opt source    destination
ACCEPT                    all  --  anywhere  anywhere     mark match 0x1/0xffff
DROP                      tcp  --  anywhere  anywhere     tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
target                    prot opt source    destination

Chain neutron-l3-agent-local (1 references)
target                    prot opt source    destination

Chain neutron-l3-agent-scope (1 references)
target                    prot opt source    destination
DROP                      all  --  anywhere  anywhere     mark match ! 0x4000000/0xffff0000

##(clear rule)
root@controller:~# iptables -F
root@controller:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source    destination

Chain FORWARD (policy ACCEPT)
target     prot opt source    destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source    destination

Chain neutron-filter-top (0 references)
target     prot opt source    destination

Chain neutron-l3-agent-FORWARD (0 references)
target     prot opt source    destination

Chain neutron-l3-agent-INPUT (0 references)
target     prot opt source    destination

Chain neutron-l3-agent-OUTPUT (0 references)
target     prot opt source    destination

Chain neutron-l3-agent-local (0 references)
target     prot opt source    destination

Chain neutron-l3-agent-scope (0 references)
target     prot opt source    destination
##cmd,stop
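
The check suggested in the reply above (read the 'nat' table and the packet counts from 'iptables-save -c'), as an added example that is not part of the original thread. The function names and the sample dump are constructed for illustration; the sample assumes a metadata redirect to port 9697 and a filter table left empty by 'iptables -F'.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -c` output (not taken from the thread).
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [10:600]
:neutron-l3-agent-PREROUTING - [0:0]
[10:600] -A PREROUTING -j neutron-l3-agent-PREROUTING
[4:240] -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
COMMIT
*filter
:INPUT ACCEPT [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-scope - [0:0]
COMMIT
EOF
}

# Print "<packets> <chain> <to-port>" for every REDIRECT rule in the nat table.
# A zero packet count means no traffic has matched the redirect.
nat_redirects() {
  awk '
    /^\*/ { table = substr($1, 2) }
    table == "nat" && $2 == "-A" {
      port = ""; redirect = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j" && $(i + 1) == "REDIRECT") redirect = 1
        if ($i == "--to-ports") port = $(i + 1)
      }
      if (redirect) { split(substr($1, 2), c, ":"); print c[1], $3, port }
    }'
}

# Print "<table> <chain>" for user-defined chains that no rule jumps to,
# the state `iptables -L` reports as "(0 references)" after a flush.
unreferenced_chains() {
  awk '
    /^\*/ { table = substr($1, 2) }
    /^:/ && $2 == "-" { chains[table " " substr($1, 2)] = 1 }
    $2 == "-A" { for (i = 3; i < NF; i++) if ($i == "-j") used[table " " $(i + 1)] = 1 }
    END { for (k in chains) if (!(k in used)) print k }' | sort
}

# On a live node, inside the router namespace:
#   iptables-save -c | nat_redirects
#   iptables-save -c | unreferenced_chains
```

Any neutron chain listed by unreferenced_chains indicates the agent's jump rules are missing, which is the condition the reply says an agent restart should repair.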