[openstack-dev] [Neutron] How to set port_filter in port binding?

Rossella Sblendido rsblendido at suse.com
Tue Sep 30 10:50:39 UTC 2014


Hi Alex,

A spoof filter is set by default to prevent a VM from sending packets
whose source address is different from the VM's address. There's no
option to change that.

cheers,

Rossella

On 09/25/2014 10:59 PM, Alexandre Levine wrote:
> Hi All,
> 
> I'm looking for a way to set port_filter flag to False for port binding.
> Is there a way to do this in IceHouse or in current Juno code? I use
> devstack with the default ML2 plugin and configuration.
> 
> According to this guide
> (http://docs.openstack.org/api/openstack-network/2.0/content/binding_ext_ports.html)
> it should be done via binding:profile but it gets only recorded in the
> dictionary of binding:profile and doesn't get reflected in vif_details
> as it is supposed to.
> 
> I tried to find any code in Neutron that can potentially do this
> transferring from incoming binding:profile into binding:vif_details and
> found none.
> 
> I'd be very grateful if anybody can point me in the right direction.
> 
> And by the by, the reason I'm trying to do this is because I want to use
> one instance as NAT for another one in private subnet. As a result of
> ping 8.8.8.8 from private instance to NAT instance the reply gets
> dropped by the security rule in iptables on TAP interface of NAT
> instance because the source is different from the NAT instance IP. So I
> suppose that port_filter is responsible for this behavior and will
> remove this restriction in iptables.
> 
> Best regards,
>   Alex Levine