[Openstack] Disabling NAT

Jian Wen jian.wen at canonical.com
Thu Jan 10 03:49:04 UTC 2013


On 2013年01月09日 23:05, Joe Warren-Meeks wrote:
> Hi Jian,
>
> Firstly, thanks for your time helping me with this, it is much
> appreciated.
>
> I've probably misunderstood your answer, but currently whenever a new
> instance is booted or a floating IP is added or removed, the SNAT rule
> I want removed comes back. I'd like to stop that rule ever coming back. 
>
> I'm about to dig into the python to try to find where it get reset,
> but any pointers you could offer would be greatly appreciated!
>
>  -- joe.
>
>
>
> On 9 January 2013 14:34, Jian Wen <jian.wen at canonical.com
> <mailto:jian.wen at canonical.com>> wrote:
>
>     On 2013年01月09日 21:58, Joe Warren-Meeks wrote:
>>     Hi guys,
>>
>>     I've managed to disable NAT by deleting the correct rule. This
>>     means all my instances are properly routable no, which is exactly
>>     what I want.
>>
>>     To do this, I'm using 
>>
>>     iptables -vnL -t nat --line-numbers 
>>
>>     to get the rule number from the nova-network-snat chain and
>>     deleting it using:
>>
>>     iptables -t nat -D nova-network-snat <num>
>>
>>     My question is when and where are those snat rules created, so
>>     that I can prevent them from being setup in the first place.
>>
>>     Kind regards
>>
>>      -- joe.
>>
>>
>>
>>     _______________________________________________
>>     Mailing list: https://launchpad.net/~openstack <https://launchpad.net/%7Eopenstack>
>>     Post to     : openstack at lists.launchpad.net <mailto:openstack at lists.launchpad.net>
>>     Unsubscribe : https://launchpad.net/~openstack <https://launchpad.net/%7Eopenstack>
>>     More help   : https://help.launchpad.net/ListHelp
>     1. delete all floating ips
>          allocate a floating ip to instance will create a SNAT rule
>     and 2 DNAT rules.
>     2. iptables -t nat -I nova-network-float-snat -j RETURN
>         avoid the shared SNAT rule
>
-I Insert rule in the nova-network-float-snat chain as the first rule.
-j RETURN means stop traversing this chain and resume at the next rule
in the previous (calling) chain.

iptables -t nat -I nova-network-snat -j RETURN
No need to exec `iptables -t nat -I nova-network-float-snat -j RETURN`,
sorry for the quick reply.
After this command, SNAT rule created but will not be used at all. 
The result of  ping 8.8.8.8 will be 100% packet loss

You don't have to touch the code.
nova/nova/network/linux_net.py
nova/nova/network/l3.py
>
>     -- 
>     Jian Wen
>     Software Engineer, Services and Support Team
>     Canonical, Ltd
>
>
>     _______________________________________________
>     Mailing list: https://launchpad.net/~openstack
>     <https://launchpad.net/%7Eopenstack>
>     Post to     : openstack at lists.launchpad.net
>     <mailto:openstack at lists.launchpad.net>
>     Unsubscribe : https://launchpad.net/~openstack
>     <https://launchpad.net/%7Eopenstack>
>     More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Jian Wen
Software Engineer, Services and Support Team
Canonical, Ltd

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130110/dc609163/attachment.html>


More information about the Openstack mailing list