[Openstack] why neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING are the same

Remo Mattei Remo at Mattei.org
Fri Nov 22 05:38:48 UTC 2013


Just one more thing to add,

DNAT just says that if a machine has an IP of 192.xxxx, it will be recognized as 100.0.0.14. It seems like you have floating IP addresses associated with them.
-- 
Remo Mattei


On November 21, 2013 at 20:33:39, Liu Wenmao (marvelliu at gmail.com) wrote:

Hi:

I notice that there are two chains, neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING, in the neutron namespace iptables, both of which are the same except for the first redirect rule:

I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain; are the rules in neutron-l3-agent-PREROUTING (called by PREROUTING) not sufficient when foreign hosts connect to an inner VM?

Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination        
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination        
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
       7      356 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
       1       78 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
      24     1235 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
      14      812 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
     665    35774 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
     715    38158 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
     788    42206 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17

Thanks

Liu Wenmao
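
An added example, not part of the original messages and not Neutron's own code: a Python sketch that parses `iptables -L -n -v` style output like the listing above and checks that the two chains carry the same DNAT mappings, listing the non-DNAT rules unique to each. For context, in netfilter the nat PREROUTING hook is traversed only by packets arriving on an interface, while packets generated locally (here, inside the router namespace) traverse nat OUTPUT. The sample input is a constructed excerpt of the listing; the function names are illustrative, and counters are assumed to be printed without K/M suffixes.

```python
import re

# Constructed sample: an excerpt of the listing quoted in the message above.
SAMPLE = """\
Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_chains(listing):
    """Return {chain: [rule dict, ...]} from `iptables -L -n -v` style text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        f = line.split()
        # Rule rows start with numeric pkts/bytes counters; skip header and blank lines.
        if current is None or len(f) < 9 or not f[0].isdigit():
            continue
        current.append({"pkts": int(f[0]), "target": f[2], "proto": f[3],
                        "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def dnat_map(rules):
    """Map destination address -> DNAT target for the DNAT rules of one chain."""
    return {r["dst"]: r["extra"].split("to:", 1)[-1]
            for r in rules if r["target"] == "DNAT"}

def compare(chains, a="neutron-l3-agent-OUTPUT", b="neutron-l3-agent-PREROUTING"):
    """Return (destinations whose DNAT mapping differs, non-DNAT rules per chain)."""
    ma, mb = dnat_map(chains[a]), dnat_map(chains[b])
    mismatched = {d for d in ma.keys() | mb.keys() if ma.get(d) != mb.get(d)}
    extra = {c: [r for r in chains[c] if r["target"] != "DNAT"] for c in (a, b)}
    return sorted(mismatched), extra

if __name__ == "__main__":
    print(compare(parse_chains(SAMPLE)))
```

On the sample, the DNAT mappings match and the only chain-specific rule is the metadata REDIRECT in neutron-l3-agent-PREROUTING; the zero packet counters in the OUTPUT chain show that nothing inside the namespace has connected to a floating IP.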