[Openstack] why neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING are the same

Liu Wenmao marvelliu at gmail.com
Fri Nov 22 04:21:44 UTC 2013 

hi:

I notice that there are two chains, neutron-l3-agent-OUTPUT and
neutron-l3-agent-PREROUTING, in neutron namespace iptables, both of which
are the same except for the first redirect rule:

I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain, are not
the rules in neutron-l3-agent-PREROUTING(called by PREROUTING ) sufficient
when foreign hosts connect to inner VM?

Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source
destination
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.133       to:100.0.0.14
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.134       to:100.0.0.11
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.135       to:100.0.0.12
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.136       to:100.0.0.15
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.137       to:100.0.0.16
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.141       to:100.0.0.13
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.138       to:100.0.0.19
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.139       to:100.0.0.18
       0        0 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source
destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0
169.254.169.254      tcp dpt:80 redir ports 9697
       6      312 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.133       to:100.0.0.14
     362    18804 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.134       to:100.0.0.11
       7      356 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.135       to:100.0.0.12
       1       78 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.136       to:100.0.0.15
      24     1235 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.137       to:100.0.0.16
      14      812 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.141       to:100.0.0.13
     665    35774 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.138       to:100.0.0.19
     715    38158 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.139       to:100.0.0.18
     788    42206 DNAT       all  --  *      *       0.0.0.0/0
192.168.19.140       to:100.0.0.17

Thanks

Liu Wenmao
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131122/91b035e1/attachment.html>

More information about the Openstack mailing list