[Openstack] Weird nova-network bridging problem with precise/essex

Xu (Simon) Chen xchenum at gmail.com
Sat Jul 21 12:34:28 UTC 2012


OK, that sounds good...

I was talking about fixed IP to floating IP SNAT, which happens on the
bridge interfaces. But if the sysctl flag only affects transiting packets,
we should be good...

-Simon

On Sat, Jul 21, 2012 at 8:15 AM, Narayan Desai <narayan.desai at gmail.com> wrote:

> On Sat, Jul 21, 2012 at 6:47 AM, Xu (Simon) Chen <xchenum at gmail.com> wrote:
> > Narayan,
> >
> > If you do net.bridge.bridge-nf-call-iptables = 0 on the network controller,
> > does floating IP still work? For each tenant/network, a subnet is created,
> > and the nova-network has a .1 gateway configured on the bridge with the vlan
> > interface plugged in.
> >
> > The packets from VMs are actually sent to the bridge for NATting. But if you
> > don't allow the bridges to call iptables, it might break public access
> > altogether. Don't know, maybe I'm not understanding the sysctl flag
> > correctly... Maybe it only applies to the packets transiting the bridge, not
> > impacting the ones destined to the nova-network?
>
> Do you mean floating (private) or fixed (public) IPs? I suspect that
> you mean fixed. Fixed IPs worked regardless of this setting.
>
> The crux of the issue was that packets transiting the bridge (i.e. being
> moved from vlan200 to the virtual br200) were hitting filtering rules.
> It looks to me like the sysctls only apply to traffic moving across
> the bridge (i.e. exactly between vlan200 and br200), but don't bypass
> iptables entirely. I don't think that should affect NAT/SNAT in any
> case.
>  -nld
>
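The sysctl under discussion, shown in an added example that is not part of the thread. It audits net.bridge.bridge-nf-call-iptables on the host, and carries the distinction the replies draw: the flag only decides whether frames *bridged* between vlan200 and br200 are handed to iptables, while routed and locally delivered packets (including the fixed-to-floating SNAT on the nova-network host) traverse iptables regardless. The physdev rule is an assumed alternative to flipping the sysctl globally; the interface names and the audit wording are the example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Audits the br_netfilter
# sysctl that controls whether bridged frames (vlan200 <-> br200) are passed
# to iptables, and shows the two ways to keep them out of the FORWARD chain.

BRNF=/proc/sys/net/bridge/bridge-nf-call-iptables

# Pure helper: given the flag value, does a frame bridged between two ports
# of the same bridge traverse iptables?  0 = yes, 1 = no, 2 = bad input.
# Packets routed by the host or delivered to the bridge's own .1 address are
# not governed by this flag at all; they always go through iptables.
bridged_frames_hit_iptables() {
    case "$1" in
        1) return 0 ;;
        0) return 1 ;;
        *) echo "unexpected value: $1" >&2; return 2 ;;
    esac
}

# Live value; prints "absent" when the sysctl does not exist.  On kernels
# 3.18 and later br_netfilter is a separate module and the sysctl only
# appears after `modprobe br_netfilter` (or after a bridge has loaded it).
current_brnf() {
    if [ -r "$BRNF" ]; then cat "$BRNF"; else echo absent; fi
}

# Alternative to turning the flag off globally: leave br_netfilter on and
# accept bridged frames explicitly in FORWARD.  --physdev-is-bridged matches
# only frames being bridged, so routed/NATted traffic still hits later rules.
physdev_exempt_rule() {
    echo "iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT"
}

# Line to persist the sysctl change across reboots (assumed location).
sysctl_conf_line() {
    echo "net.bridge.bridge-nf-call-iptables = 0"
}

audit() {
    v=$(current_brnf)
    case "$v" in
        absent)
            echo "sysctl absent: br_netfilter not loaded, bridged frames bypass iptables" ;;
        1)
            echo "bridged frames traverse iptables FORWARD (this is what filtered vlan200->br200)"
            echo "either: $(physdev_exempt_rule)"
            echo "or:     sysctl -w net.bridge.bridge-nf-call-iptables=0  # and add to /etc/sysctl.conf: $(sysctl_conf_line)" ;;
        0)
            echo "bridged frames bypass iptables; routed and locally delivered packets (incl. floating-IP SNAT) are still filtered/NATted" ;;
        *)
            echo "unexpected value in $BRNF: $v" ;;
    esac
}

audit
```

Run it as root on the network controller; the sysctl path is only readable when the bridge netfilter code is present, which is why the "absent" branch exists. The physdev rule is the less blunt fix when other bridges on the same host do rely on iptables seeing bridged frames.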