[Openstack] Weird nova-network bridging problem with precise/essex
Narayan Desai
narayan.desai at gmail.com
Sat Jul 21 12:15:44 UTC 2012
On Sat, Jul 21, 2012 at 6:47 AM, Xu (Simon) Chen <xchenum at gmail.com> wrote:
> Narayan,
>
> If you do net.bridge.bridge-nf-call-iptables = 0 on the network controller,
> does floating IP still work? For each tenant/network, a subnet is created,
> and the nova-network has a .1 gateway configured on the bridge with the vlan
> interface plugged in.
>
> The packets from VMs are actually sent to the bridge for NATting. But if you
> doesn't allow the bridges to call iptables, it might break public access all
> together. Don't know, maybe I'm not understanding the sysctl flag
> correctly... Maybe it only applies to the packet transiting the bridge, not
> impacting the ones destined to the nova-network?
Do you mean floating (private) or fixed (public) IPs? I suspect that
you mean fixed. Fixed IPs worked regardless of this setting.
The crux of the issue was that packets transiting the bridge (ie being
moved from vlan200 to the virtual br200) were hitting filtering rules.
It looks to me like the sysctls only apply to traffic moving across
the bridge (ie exactly between vlan200 and br200), but don't bypass
iptables entirely. I don't think that should effect NAT/SNAT in any
case.
-nld
More information about the Openstack
mailing list