[Openstack] [openstack][neutron] Iptables SNAT does not work when securitygroup is on
Slawomir Kaplonski
skaplons at redhat.com
Sun Nov 25 09:40:55 UTC 2018
Hi,
The security groups driver in Neutron is not doing any "magic" with iptables. Everything it does is implemented with iptables rules. So I think you should turn on security groups again, then dump all iptables rules, e.g. with the "iptables-save" command, and check what is blocking your packets.
You can also use the "iptables -nvL" command to display the number of packets going through each rule - then you can easily find where your packets are dropped if you don't have a lot of other traffic on this host :)
> Message written by 陈炤 <qishiyexu2 at 126.com> on 25.11.2018, at 08:00:
>
> Hi,
>
> I am building an OpenStack all-in-one environment on a CentOS 7.4 machine. For some reason I have only one network interface (eth0) and one IP address, so I created a Linux bridge (br0) and forwarded data to eth0 using an iptables command:
>
> iptables -t nat -A POSTROUTING -s {bridge virtual ip} -j SNAT --to {eth0 ip}
>
> But it does not seem to work.
>
> When I ping 8.8.8.8 from br0 and run tcpdump, I can see that the packets are forwarded to eth0 and sent to 8.8.8.8, but when the replies come back to eth0, they are not forwarded to br0.
>
> IP forwarding, net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables are set to 1.
>
> If I disable the security group by setting securitygroup = false, this rule works fine, but if I use iptables -F instead, the rule does not work. Does the securitygroup have some magic to trap iptables?
>
> BR
>
> Don
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
—
Slawek Kaplonski
Senior software engineer
Red Hat
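The reply above suggests reading the per-rule packet counters from "iptables -nvL" to see which rule is eating the packets. The following is an added example, not code from the thread or from Neutron: a small POSIX sh/awk helper that parses an "iptables -nvL" listing and reports every DROP/REJECT rule whose counter is non-zero, plus every chain whose default policy is DROP/REJECT and has swallowed packets. The chain names, interfaces and counters in the embedded sample listing are constructed for the demonstration; only the column layout matches real "iptables -nvL" output.

```shell
#!/bin/sh
# Added example, not part of the thread: locate the rule (or chain policy)
# that is actually dropping packets, using the counters shown by
# "iptables -nvL", as suggested in the reply above.
#
# On a real host:   iptables -nvL | find_active_drops
#                   iptables -t nat -nvL | find_active_drops   # check the nat table too
# Zero the counters first with "iptables -Z", send a few test pings, and then
# only rules whose counters moved are worth reading.

# Print every DROP/REJECT rule with a non-zero packet counter, and every chain
# whose default policy is DROP/REJECT and has dropped packets, prefixed with
# the chain name taken from the "Chain NAME ..." lines of the listing.
find_active_drops() {
    awk '
        /^Chain / {
            chain = $2
            # "Chain X (policy DROP N packets, M bytes)": N packets matched no
            # rule in X and fell through to the DROP policy.
            if ($3 == "(policy" && ($4 == "DROP" || $4 == "REJECT") && $5 + 0 > 0)
                printf "%s: %s packets dropped by chain policy %s\n", chain, $5, $4
            next
        }
        $1 == "pkts" || NF == 0 { next }   # column header line or blank separator
        # Rule lines: pkts bytes target prot opt in out source destination [match]
        ($3 == "DROP" || $3 == "REJECT") && $1 + 0 > 0 {
            printf "%s: %s packets hit %s (in=%s out=%s %s -> %s)\n", chain, $1, $3, $6, $7, $8, $9
        }
    '
}

# Constructed sample listing (not captured from a real host). Chain names,
# interfaces and counters are made up; the column layout is that of "iptables -nvL".
SAMPLE_LISTING='Chain FORWARD (policy DROP 5 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3528 sg-chain   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain sg-chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  2100 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0
   17  1428 DROP       all  --  eth0   br0     0.0.0.0/0            0.0.0.0/0'

# Run the finder over the constructed sample; on a real host pipe
# "iptables -nvL" in instead.
find_sample_drops() {
    printf '%s\n' "$SAMPLE_LISTING" | find_active_drops
}

find_sample_drops
```

Two details matter when you use this on a live host: "iptables -nvL" abbreviates large counters (1234K), which the numeric comparison still treats as non-zero, and "-x" prints exact values if you need them. The in=/out= columns are the quickest way to tell whether it is the traffic from the bridge or the replies coming back from eth0 that is being refused, which is exactly the distinction the original question hinges on.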