[Openstack] why neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING are the same

Liu Wenmao marvelliu at gmail.com
Mon Nov 25 05:38:52 UTC 2013


Hi Remo:

I know OUTPUT in the native iptables table is for outgoing traffic, but since the l3 agent is
playing the role of a router, all data from VMs to the external network goes through
FORWARD/PREROUTING/POSTROUTING, so why does the l3 agent add a
neutron-l3-agent-OUTPUT chain to the OUTPUT chain of the nat table? Is this chain
necessary? The packet counts of the neutron-l3-agent-OUTPUT rules are all
zero.

p.s. the neutron-l3-agent-OUTPUT chain is in the nat table, not the default
table:

root at controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -nvx
Chain INPUT (policy ACCEPT 2632310 packets, 633146916 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 2632310 633146916 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 37757658 packets, 33160595764 bytes)
    pkts      bytes target     prot opt in     out     source               destination
37757658 33160595764 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
37757658 33160595764 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 22916 packets, 1850560 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   22916  1850560 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22916  1850560 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
    pkts      bytes target     prot opt in     out     source               destination
37780574 33162446324 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
root at controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-PREROUTING  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere
neutron-postrouting-bottom  all  --  anywhere             anywhere

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination
DNAT       all  --  anywhere             u20                  to:100.0.0.14
DNAT       all  --  anywhere             git.expr.nsfocus     to:100.0.0.11
DNAT       all  --  anywhere             u22                  to:100.0.0.12
DNAT       all  --  anywhere             u23                  to:100.0.0.15
DNAT       all  --  anywhere             u24                  to:100.0.0.16
DNAT       all  --  anywhere             u1                   to:100.0.0.13
DNAT       all  --  anywhere             192.168.19.138       to:100.0.0.19
DNAT       all  --  anywhere             192.168.19.139       to:100.0.0.18
DNAT       all  --  anywhere             192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-POSTROUTING (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697
DNAT       all  --  anywhere             u20                  to:100.0.0.14
DNAT       all  --  anywhere             git.expr.nsfocus     to:100.0.0.11
DNAT       all  --  anywhere             u22                  to:100.0.0.12
DNAT       all  --  anywhere             u23                  to:100.0.0.15
DNAT       all  --  anywhere             u24                  to:100.0.0.16
DNAT       all  --  anywhere             u1                   to:100.0.0.13
DNAT       all  --  anywhere             192.168.19.138       to:100.0.0.19
DNAT       all  --  anywhere             192.168.19.139       to:100.0.0.18
DNAT       all  --  anywhere             192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  100.0.0.14           anywhere             to:192.168.19.133
SNAT       all  --  100.0.0.11           anywhere             to:192.168.19.134
SNAT       all  --  100.0.0.12           anywhere             to:192.168.19.135
SNAT       all  --  100.0.0.15           anywhere             to:192.168.19.136
SNAT       all  --  100.0.0.16           anywhere             to:192.168.19.137
SNAT       all  --  100.0.0.13           anywhere             to:192.168.19.141
SNAT       all  --  100.0.0.19           anywhere             to:192.168.19.138
SNAT       all  --  100.0.0.18           anywhere             to:192.168.19.139
SNAT       all  --  100.0.0.17           anywhere             to:192.168.19.140

Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination
neutron-l3-agent-float-snat  all  --  anywhere             anywhere
SNAT       all  --  200.0.0.0/24         anywhere             to:192.168.19.130
SNAT       all  --  100.0.0.0/24         anywhere             to:192.168.19.130

Chain neutron-postrouting-bottom (1 references)
target     prot opt source               destination
neutron-l3-agent-snat  all  --  anywhere             anywhere

Liu Wenmao
Researcher
NSFOCUS Strategic Research Institute
Address: 4th Floor, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing
Postal code: 100089
Tel: (010)68438880-8231
Fax: (010)68437328
Mobile: 13718994804
Email: liuwenmao at nsfocus.com
Website: http://www.nsfocus.com
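The two DNAT lists being identical is what netfilter requires: the nat OUTPUT hook is traversed only by packets the router namespace generates itself, so traffic forwarded from outside hits neutron-l3-agent-PREROUTING and the OUTPUT counters stay at zero. As an added example that is not part of the thread or of Neutron's own code, this script parses `iptables -t nat -L -nvx` output from a qrouter namespace and checks that every floating-IP DNAT in neutron-l3-agent-PREROUTING has its twin in neutron-l3-agent-OUTPUT and the inverse SNAT in neutron-l3-agent-float-snat; the sample is constructed from the addresses in the thread with one deliberately wrong SNAT target (192.168.19.199).

```python
# Constructed sample in `iptables -t nat -L -nvx` layout, built from the floating-IP
# mappings in the thread; the last SNAT target (192.168.19.199) is deliberately wrong.
SAMPLE = """\
Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11

Chain neutron-l3-agent-float-snat (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 SNAT       all  --  *      *       100.0.0.14           0.0.0.0/0            to:192.168.19.133
     362    18804 SNAT       all  --  *      *       100.0.0.11           0.0.0.0/0            to:192.168.19.199
"""

def parse_nat(text):
    """Map chain name -> rules (pkts, target, src, dst, to) from `-L -nvx` output."""
    chains, chain = {}, None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Chain "):
            chain = parts[1]
            chains[chain] = []
        elif chain and len(parts) >= 9 and parts[0].isdigit():  # skips header/blank rows
            pkts, _, target, _, _, _, _, src, dst = parts[:9]
            to = next((p[3:] for p in parts[9:] if p.startswith("to:")), None)
            chains[chain].append({"pkts": int(pkts), "target": target, "src": src, "dst": dst, "to": to})
    return chains

def audit_floating_ips(chains):
    """Each PREROUTING DNAT needs its twin in OUTPUT (the nat hook for locally generated packets) and the inverse SNAT in float-snat."""
    dnat = lambda name: {r["dst"]: r["to"] for r in chains.get(name, []) if r["target"] == "DNAT"}
    pre, out = dnat("neutron-l3-agent-PREROUTING"), dnat("neutron-l3-agent-OUTPUT")
    snat = {r["src"]: r["to"] for r in chains.get("neutron-l3-agent-float-snat", []) if r["target"] == "SNAT"}
    findings = [f"OUTPUT DNAT for {fip} has no PREROUTING counterpart" for fip in sorted(out.keys() - pre.keys())]
    for fip, fixed in pre.items():
        if out.get(fip) != fixed:
            findings.append(f"OUTPUT missing DNAT {fip} -> {fixed}")
        if snat.get(fixed) != fip:
            findings.append(f"float-snat maps {fixed} to {snat.get(fixed)}, expected {fip}")
    return findings

def zero_hit_dnat(chains, name):
    """(destination, to) of DNAT rules in `name` whose packet counter is still zero."""
    return [(r["dst"], r["to"]) for r in chains.get(name, []) if r["target"] == "DNAT" and r["pkts"] == 0]
```

Run it against `ip netns exec qrouter-<id> iptables -t nat -L -nvx` output; zero counters on OUTPUT alone are normal, a non-empty findings list is not.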


On Fri, Nov 22, 2013 at 1:37 PM, Remo Mattei <Remo at mattei.org> wrote:

> The pre route has nothing to do with going out. Packets travel from PRE to
> POST. So the OUTPUT rules are the ones allowing the packet to go out. POSTROUTING
> and PREROUTING are part of the nat module. Default rules in iptables are
> INPUT, FORWARD and OUTPUT; the nat ones are PREROUTING and POSTROUTING. Hope this helps
> a little with the iptables options.
>
> Ciao
> --
> Remo Mattei
>
>
> On November 21, 2013 at 20:33:39, Liu Wenmao (marvelliu at gmail.com) wrote:
>
> Hi:
>
> I notice that there are two chains, neutron-l3-agent-OUTPUT and
> neutron-l3-agent-PREROUTING, in neutron namespace iptables, both of which
> are the same except for the first redirect rule:
>
> I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain. Are the
> rules in neutron-l3-agent-PREROUTING (called from PREROUTING) not sufficient
> when foreign hosts connect to inner VMs?
>
> Chain neutron-l3-agent-OUTPUT (1 references)
>     pkts      bytes target     prot opt in     out     source               destination
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17
>
> Chain neutron-l3-agent-PREROUTING (1 references)
>     pkts      bytes target     prot opt in     out     source               destination
>        0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
>        6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
>      362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
>        7      356 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
>        1       78 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
>       24     1235 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
>       14      812 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
>      665    35774 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
>      715    38158 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
>      788    42206 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17
>
> Thanks
>
> Liu Wenmao