[Openstack] why neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING are the same

Remo Mattei Remo at Mattei.org
Mon Nov 25 05:49:17 UTC 2013


Hi Liu,

you need that table because by default neutron creates a new table set (rules) where it does -j (which means jump) and that is set to check rules for the outgoing. Think about this: you create INPUT, OUTPUT and FORWARD, which can be very limited, so what people do is to create custom rules (jump), so when a package A comes in and says "I need to come in", the INPUT, FORWARD or OUTPUT says "hold on, I have a rule set based on your info that needs to be checked", so it will traverse those rules before they can finally go out. If they do not do this, which could be possible by having everything in one rule (OUTPUT), then you will not be able to know where the package hits, what broke when you troubleshoot, etc. Moreover, you are going to have a list of rules that can be huge and you would be crazy not to create special / custom sections (rules, tables) to assure you are protected. So I would suggest, if you have a hard time understanding how iptables works, to get a good book, section etc. and read up on it. Iptables is a very hard, complicated topic but you can do many things with it. I have made several different network routings based on what I was looking for, for example:
if I needed to hit a server on 10.0.0/x network to go out to my vpn gateway
if I needed to hit a web server on 20.0.0x/ network to go out on my DSL network (gateway etc)

So hopefully this will provide some ideas on what iptables can do. 
-- 
Remo Mattei


November 24, 2013 at 21:41:27, Liu Wenmao (marvelliu at gmail.com) ha scritto:

Hi Rem:

I know OUTPUT in the native iptables table is for going out, but since l3agent is playing the role of a router, all data from VM to external network is FORWARD/PREROUTE/POSTROUT, so why does l3agent add a neutron-l3-agent-OUTPUT chain in the OUTPUT chain of the nat table? Is this chain necessary? The pkg amounts of the neutron-l3-agent-OUTPUT rules are all zero.

p.s. the neutron-l3-agent-OUTPUT chain is in the nat table, not the default table:

root at controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L  -nvx
Chain INPUT (policy ACCEPT 2632310 packets, 633146916 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
 2632310 633146916 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT 37757658 packets, 33160595764 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
37757658 33160595764 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
37757658 33160595764 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 22916 packets, 1850560 bytes)
    pkts      bytes target     prot opt in     out     source               destination        
   22916  1850560 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
   22916  1850560 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain neutron-filter-top (2 references)
    pkts      bytes target     prot opt in     out     source               destination        
37780574 33162446324 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain neutron-l3-agent-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination        

Chain neutron-l3-agent-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination        
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination        

Chain neutron-l3-agent-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
root at controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-PREROUTING  all  --  anywhere             anywhere           

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere           

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere           
neutron-postrouting-bottom  all  --  anywhere             anywhere           

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination        
DNAT       all  --  anywhere             u20                  to:100.0.0.14
DNAT       all  --  anywhere             git.expr.nsfocus     to:100.0.0.11
DNAT       all  --  anywhere             u22                  to:100.0.0.12
DNAT       all  --  anywhere             u23                  to:100.0.0.15
DNAT       all  --  anywhere             u24                  to:100.0.0.16
DNAT       all  --  anywhere             u1                   to:100.0.0.13
DNAT       all  --  anywhere             192.168.19.138       to:100.0.0.19
DNAT       all  --  anywhere             192.168.19.139       to:100.0.0.18
DNAT       all  --  anywhere             192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-POSTROUTING (1 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination        
REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697
DNAT       all  --  anywhere             u20                  to:100.0.0.14
DNAT       all  --  anywhere             git.expr.nsfocus     to:100.0.0.11
DNAT       all  --  anywhere             u22                  to:100.0.0.12
DNAT       all  --  anywhere             u23                  to:100.0.0.15
DNAT       all  --  anywhere             u24                  to:100.0.0.16
DNAT       all  --  anywhere             u1                   to:100.0.0.13
DNAT       all  --  anywhere             192.168.19.138       to:100.0.0.19
DNAT       all  --  anywhere             192.168.19.139       to:100.0.0.18
DNAT       all  --  anywhere             192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-float-snat (1 references)
target     prot opt source               destination        
SNAT       all  --  100.0.0.14           anywhere             to:192.168.19.133
SNAT       all  --  100.0.0.11           anywhere             to:192.168.19.134
SNAT       all  --  100.0.0.12           anywhere             to:192.168.19.135
SNAT       all  --  100.0.0.15           anywhere             to:192.168.19.136
SNAT       all  --  100.0.0.16           anywhere             to:192.168.19.137
SNAT       all  --  100.0.0.13           anywhere             to:192.168.19.141
SNAT       all  --  100.0.0.19           anywhere             to:192.168.19.138
SNAT       all  --  100.0.0.18           anywhere             to:192.168.19.139
SNAT       all  --  100.0.0.17           anywhere             to:192.168.19.140

Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination        
neutron-l3-agent-float-snat  all  --  anywhere             anywhere           
SNAT       all  --  200.0.0.0/24         anywhere             to:192.168.19.130
SNAT       all  --  100.0.0.0/24         anywhere             to:192.168.19.130

Chain neutron-postrouting-bottom (1 references)
target     prot opt source               destination        
neutron-l3-agent-snat  all  --  anywhere             anywhere  

Liu Wenmao
Researcher
NSFOCUS Strategic Research Institute
Address: 4th Floor, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing
Postal code: 100089
Tel: (010)68438880-8231
Fax: (010)68437328
Mobile: 13718994804
Email: liuwenmao at nsfocus.com
Website: http://www.nsfocus.com


On Fri, Nov 22, 2013 at 1:37 PM, Remo Mattei <Remo at mattei.org> wrote:
The pre route has nothing to do with going out. Packets travel from PRE to POST. So the OUTPUT rules are the rules allowing the package to go out. POSTROUTING and PREROUTING are part of the nat module. Default rules in iptables are INPUT, FORWARD and OUTPUT; the nat table has PREROUTING and POSTROUTING. Hope this helps a little with the iptables options.

Ciao 
-- 
Remo Mattei


On November 21, 2013 at 20:33:39, Liu Wenmao (marvelliu at gmail.com) wrote:

hi:

I notice that there are two chains, neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING, in neutron namespace iptables, both of which are the same except for the first redirect rule:

I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain. Are the rules in neutron-l3-agent-PREROUTING (called by PREROUTING) not sufficient when foreign hosts connect to an inner VM?

Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination        
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination        
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
       7      356 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
       1       78 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
      24     1235 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
      14      812 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
     665    35774 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
     715    38158 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
     788    42206 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17

Thanks

Liu Wenmao
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
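Added example, not code from the thread or from neutron: the nat OUTPUT chain is traversed by packets generated inside the router namespace itself (which never pass PREROUTING), so neutron mirrors the floating-IP DNAT map into both chains. This script parses `ip netns exec qrouter-... iptables -t nat -L -nvx` output and checks that the two chains carry the same floating-to-fixed map, and sums their counters so a non-zero OUTPUT count would show locally originated traffic hitting a floating IP. The listing below is a constructed sample trimmed from the one quoted in the thread.

```python
import re

# Constructed sample, trimmed from the -nvx nat listing quoted in the thread.
SAMPLE = """\
Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
# pkts bytes DNAT prot opt in out source destination to:target
DNAT_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+DNAT\s+\S+\s+--\s+\S+\s+\S+\s+\S+\s+(\S+)\s+to:(\S+)")


def parse_dnat(listing):
    """Return {chain: {floating_ip: (fixed_ip, pkts)}} for every DNAT rule in a -nvx listing."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains.setdefault(current, {})
            continue
        m = DNAT_RE.match(line)
        if m and current:
            pkts, _bytes, dst, target = m.groups()
            chains[current][dst] = (target, int(pkts))
    return chains


def compare_chains(listing, a="neutron-l3-agent-OUTPUT", b="neutron-l3-agent-PREROUTING"):
    """Floating IPs mapped in only one chain, or mapped to different fixed IPs in the two chains."""
    chains = parse_dnat(listing)
    map_a = {k: v[0] for k, v in chains.get(a, {}).items()}
    map_b = {k: v[0] for k, v in chains.get(b, {}).items()}
    return {
        "only_in_a": sorted(set(map_a) - set(map_b)),
        "only_in_b": sorted(set(map_b) - set(map_a)),
        "differ": sorted(k for k in map_a if k in map_b and map_a[k] != map_b[k]),
    }


def hit_counts(listing):
    """Sum of DNAT packet counters per chain; 0 on OUTPUT means no namespace-local packet was sent to a floating IP."""
    return {c: sum(p for _, p in rules.values()) for c, rules in parse_dnat(listing).items()}
```

Run it against a live listing by piping `iptables -t nat -L -nvx` output into `compare_chains`; any entry in the result dict points at a DNAT rule that drifted between the two chains.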
