[Openstack] why neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING are the same
Remo Mattei
Remo at Mattei.org
Mon Nov 25 05:49:17 UTC 2013
Hi Liu,
you need that table because by default neutron creates a new table set (rules) where it does -j (which means jump) and that is set to check rules for the outgoing. Think about this .. You create INPUT, OUTPUT and FORWARD, which can be very limited so what people do is to create custom rules (jump) so when a package A comes in and says I need to come in, the INPUT, or FORWARD or OUTPUT says hold on I have a rule set based on your info that needs to be checked, so it will traverse those rules before they can finally go out. If they do not do which could be possible to have everything into one rule (OUTPUT) they you will be not able to know where the package hits, what broke if you troubleshoot etc etc.. Moreover, you are going to have a list of rules that can be huge and you will be crazy not to create special / custom sections (rules, tables) to assure your are protected. So I would suggest if you have hard time to understand how iptables works, to get a good book, section etc and read upon it. Iptables is a very hard, complicated topic but you can do many things with it. I have made several different network routing based on what I was looking for example:
if I needed to hit a server on 10.0.0/x network to go out to my vpn gateway
if I needed to hit a web server on 20.0.0x/ network to go out on my DSL network (gateway etc)
So hopefully this will provide some ideas on what iptables can do.
--
Remo Mattei
November 24, 2013 at 21:41:27, Liu Wenmao (marvelliu at gmail.com) ha scritto:
Hi Rem:
I know OUTPUT in the native iptables table is go out, but since l3agent is playing a role of router, all data from VM to extenal network is FORWARD/PREROUTE/POSTROUT, so why does l3agent add a neutron-l3-agent-OUTPUT chain in OUTPUT chain in nat table, is this chain necessary? The pkg amounts of the neutron-l3-agent-OUTPUT rules are all zero.
p.s. the neutron-l3-agent-OUTPUT chain is in the nat table, not the default table:
root at controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -nvx
Chain INPUT (policy ACCEPT 2632310 packets, 633146916 bytes)
pkts bytes target prot opt in out source destination
2632310 633146916 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 37757658 packets, 33160595764 bytes)
pkts bytes target prot opt in out source destination
37757658 33160595764 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
37757658 33160595764 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 22916 packets, 1850560 bytes)
pkts bytes target prot opt in out source destination
22916 1850560 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
22916 1850560 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
37780574 33162446324 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
root at controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-PREROUTING all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-POSTROUTING all -- anywhere anywhere
neutron-postrouting-bottom all -- anywhere anywhere
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
DNAT all -- anywhere u20 to:100.0.0.14
DNAT all -- anywhere git.expr.nsfocus to:100.0.0.11
DNAT all -- anywhere u22 to:100.0.0.12
DNAT all -- anywhere u23 to:100.0.0.15
DNAT all -- anywhere u24 to:100.0.0.16
DNAT all -- anywhere u1 to:100.0.0.13
DNAT all -- anywhere 192.168.19.138 to:100.0.0.19
DNAT all -- anywhere 192.168.19.139 to:100.0.0.18
DNAT all -- anywhere 192.168.19.140 to:100.0.0.17
Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
DNAT all -- anywhere u20 to:100.0.0.14
DNAT all -- anywhere git.expr.nsfocus to:100.0.0.11
DNAT all -- anywhere u22 to:100.0.0.12
DNAT all -- anywhere u23 to:100.0.0.15
DNAT all -- anywhere u24 to:100.0.0.16
DNAT all -- anywhere u1 to:100.0.0.13
DNAT all -- anywhere 192.168.19.138 to:100.0.0.19
DNAT all -- anywhere 192.168.19.139 to:100.0.0.18
DNAT all -- anywhere 192.168.19.140 to:100.0.0.17
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
SNAT all -- 100.0.0.14 anywhere to:192.168.19.133
SNAT all -- 100.0.0.11 anywhere to:192.168.19.134
SNAT all -- 100.0.0.12 anywhere to:192.168.19.135
SNAT all -- 100.0.0.15 anywhere to:192.168.19.136
SNAT all -- 100.0.0.16 anywhere to:192.168.19.137
SNAT all -- 100.0.0.13 anywhere to:192.168.19.141
SNAT all -- 100.0.0.19 anywhere to:192.168.19.138
SNAT all -- 100.0.0.18 anywhere to:192.168.19.139
SNAT all -- 100.0.0.17 anywhere to:192.168.19.140
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- anywhere anywhere
SNAT all -- 200.0.0.0/24 anywhere to:192.168.19.130
SNAT all -- 100.0.0.0/24 anywhere to:192.168.19.130
Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- anywhere anywhere
刘文懋
研究员
绿盟科技 战略研究院
地址:北京市海淀区北洼路4号益泰大厦四层
邮编:100089
电话:(010)68438880-8231
传真:(010)68437328
手机:13718994804
邮箱:liuwenmao at nsfocus.com
网站:http://www.nsfocus.com
On Fri, Nov 22, 2013 at 1:37 PM, Remo Mattei <Remo at mattei.org> wrote:
the pre route has noting to do with going out. Packets travel from PRE to POST. So the OUTPUT are rules allowing the package to go out. POSTROUTING and PREROUTING are part of the nat module. Default rules in iptables are INPUT,FORWARD and OUTPUT. the nat (PREROUTING, POSTROUTING) hope this helps a little the iptables options.
Ciao
--
Remo Mattei
On November 21, 2013 at 20:33:39, Liu Wenmao (marvelliu at gmail.com) wrote:
hi:
I notice that there are two chains, neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING, in neutron namespace iptables, both of which are the same except for the first redirect rule:
I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain, are not the rules in neutron-l3-agent-PREROUTING(called by PREROUTING ) sufficient when foreign hosts connect to inner VM?
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.133 to:100.0.0.14
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.134 to:100.0.0.11
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.135 to:100.0.0.12
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.136 to:100.0.0.15
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.137 to:100.0.0.16
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.141 to:100.0.0.13
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.138 to:100.0.0.19
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.139 to:100.0.0.18
0 0 DNAT all -- * * 0.0.0.0/0 192.168.19.140 to:100.0.0.17
Chain neutron-l3-agent-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
6 312 DNAT all -- * * 0.0.0.0/0 192.168.19.133 to:100.0.0.14
362 18804 DNAT all -- * * 0.0.0.0/0 192.168.19.134 to:100.0.0.11
7 356 DNAT all -- * * 0.0.0.0/0 192.168.19.135 to:100.0.0.12
1 78 DNAT all -- * * 0.0.0.0/0 192.168.19.136 to:100.0.0.15
24 1235 DNAT all -- * * 0.0.0.0/0 192.168.19.137 to:100.0.0.16
14 812 DNAT all -- * * 0.0.0.0/0 192.168.19.141 to:100.0.0.13
665 35774 DNAT all -- * * 0.0.0.0/0 192.168.19.138 to:100.0.0.19
715 38158 DNAT all -- * * 0.0.0.0/0 192.168.19.139 to:100.0.0.18
788 42206 DNAT all -- * * 0.0.0.0/0 192.168.19.140 to:100.0.0.17
Thanks
Liu Wenmao
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
!DSPAM:2,528edea311935482324020!
!DSPAM:2,5292e3a6281941913620037!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131124/621ed3ad/attachment.html>
More information about the Openstack
mailing list