[Openstack] why neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING are the same
Remo Mattei
Remo at Mattei.org
Fri Nov 22 05:37:24 UTC 2013
The pre route has nothing to do with going out. Packets travel from PRE to POST. So the OUTPUT are rules allowing the packet to go out. POSTROUTING and PREROUTING are part of the nat module. Default rules in iptables are INPUT, FORWARD and OUTPUT. The nat (PREROUTING, POSTROUTING). Hope this helps a little with the iptables options.
Ciao
--
Remo Mattei
On November 21, 2013 at 20:33:39, Liu Wenmao (marvelliu at gmail.com) wrote:
Hi:
I notice that there are two chains, neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING, in the neutron namespace iptables, both of which are the same except for the first redirect rule:
I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain; are the rules in neutron-l3-agent-PREROUTING (called by PREROUTING) not sufficient when foreign hosts connect to an inner VM?
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.133 to:100.0.0.14
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.134 to:100.0.0.11
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.135 to:100.0.0.12
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.136 to:100.0.0.15
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.137 to:100.0.0.16
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.141 to:100.0.0.13
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.138 to:100.0.0.19
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.139 to:100.0.0.18
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.140 to:100.0.0.17
Chain neutron-l3-agent-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
6 312 DNAT all -- * * 0.0.0.0/0 192.168.19.133 to:100.0.0.14
362 18804 DNAT all -- * * 0.0.0.0/0 192.168.19.134 to:100.0.0.11
7 356 DNAT all -- * * 0.0.0.0/0 192.168.19.135 to:100.0.0.12
1 78 DNAT all -- * * 0.0.0.0/0 192.168.19.136 to:100.0.0.15
24 1235 DNAT all -- * * 0.0.0.0/0 192.168.19.137 to:100.0.0.16
14 812 DNAT all -- * * 0.0.0.0/0 192.168.19.141 to:100.0.0.13
665 35774 DNAT all -- * * 0.0.0.0/0 192.168.19.138 to:100.0.0.19
715 38158 DNAT all -- * * 0.0.0.0/0 192.168.19.139 to:100.0.0.18
788 42206 DNAT all -- * * 0.0.0.0/0 192.168.19.140 to:100.0.0.17
Thanks
Liu Wenmao
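
Added example (not part of the original thread): in netfilter, the nat PREROUTING hook sees packets arriving on an interface, while the nat OUTPUT hook sees packets generated by local processes, which never pass through PREROUTING. The sketch below parses a listing like the one quoted above, compares the two chains with counters ignored, and sums the hits on the shared DNAT rules. The function names parse_chains and compare_chains are hypothetical, and the embedded input is a subset of the listing in the post.

```python
# Added example: diff two nat chains from `iptables -t nat -L -n -v` style output.
# LISTING is a subset of the listing quoted in the post (two of the nine DNAT rules).
LISTING = """\
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.133 to:100.0.0.14
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.134 to:100.0.0.11
Chain neutron-l3-agent-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
6 312 DNAT all -- * * 0.0.0.0/0 192.168.19.133 to:100.0.0.14
362 18804 DNAT all -- * * 0.0.0.0/0 192.168.19.134 to:100.0.0.11
"""


def parse_chains(text):
    """Map chain name -> list of (pkts, bytes, rule_spec) tuples."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "pkts":
            continue  # blank line or column header
        if fields[0] == "Chain":
            current = chains.setdefault(fields[1], [])
        elif current is not None:
            # Exact counters assumed (-x); abbreviated ones like "12K" would need expanding.
            current.append((int(fields[0]), int(fields[1]), " ".join(fields[2:])))
    return chains


def compare_chains(chains, a, b):
    """Compare rule specs ignoring counters; sum packet hits on the shared rules."""
    spec_a = {r[2] for r in chains[a]}
    spec_b = {r[2] for r in chains[b]}
    shared = spec_a & spec_b
    return {
        "only_in_a": sorted(spec_a - spec_b),
        "only_in_b": sorted(spec_b - spec_a),
        "hits_a": sum(p for p, _, s in chains[a] if s in shared),
        "hits_b": sum(p for p, _, s in chains[b] if s in shared),
    }


if __name__ == "__main__":
    result = compare_chains(parse_chains(LISTING),
                            "neutron-l3-agent-OUTPUT", "neutron-l3-agent-PREROUTING")
    for key, value in result.items():
        print(key, value)
```

On this input the only rule unique to either chain is the metadata REDIRECT in PREROUTING, and the shared DNAT rules show hits only on the PREROUTING side, which matches a router namespace that has forwarded inbound floating-IP traffic but originated none itself.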