[Openstack] Managing iptables with OpenStack Folsom (using Quantum)

Razique Mahroua razique.mahroua at gmail.com
Wed Sep 4 07:47:28 UTC 2013

That's right
Not redone everytime but updated and checked non-stop
When you restart the services then yes, everything is flushed and redone, so if you manually enter some iptables rules, they won't persist afterwards :)

Razique Mahroua - Nuage & Co
razique.mahroua at gmail.com
Tel : +33 9 72 37 94 15

Le 3 sept. 2013 à 19:31, Craig E. Ward <cward at isi.edu> a écrit :

> Razique,
> Thanks for the response.
> If I understand you correctly, you're saying that the iptables rules are redone by nova-compute or the quantum agents every time a network is added or removed and because of that, static rules will be lost. Is that correct?
> The installation I'm working with provides pre-configured networks for instances to use. If the available networks is stable, should not the static rules survive?
> Craig
> On 08/29/2013 03:36 PM, Razique Mahroua wrote:
>> That means you shouldn't use iptables for your custom rules since OpenStack
>> manages iptables and everytime the network is updated, iptables is impacted. If
>> you restart nova-netork for instance, then all the iptables rules are flushed
>> and recreated according to your network topology.
>> The iptables service doesn't need to be turned off (is that even possible?),
>> just make sure not to create routing rules manually that might conflict with the
>> rules OpenStack sets :)
>> *Razique Mahroua** - **Nuage & Co*
>> razique.mahroua at gmail.com <mailto:razique.mahroua at gmail.com>
>> Tel : +33 9 72 37 94 15
>> Le 28 août 2013 à 19:08, Craig E. Ward <cward at isi.edu <mailto:cward at isi.edu>> a
>> écrit :
>>> I have an OpenStack Folsom, with Quantum networking, installation that I'm
>>> having trouble getting additional rules into the iptables on nova-compute
>>> nodes. The online manual
>>> (http://docs.openstack.org/trunk/openstack-ops/content/iptables.html) states
>>> that "You must use OpenStack to manage iptables." What it doesn't include is
>>> any indication of how that is done. How can iptables be managed with OpenStack?
>>> When I add rules to the file /etc/sysconfig/iptables, sometimes the
>>> nova-compute service fails to work properly. A new instance on the node may
>>> not get an IP address or the vnc service in Horizon does not respond. The
>>> instance is listed in the database with an assigned IP, but the address is not
>>> reachable.
>>> Does the iptables service need to be "off" in the context of chkconfig? That
>>> is, don't let it start through the rc sequence, but let nova-compute start it
>>> and populate the rules?
>>> If iptables is started in the rc sequence, then are there some rules that
>>> should not be in /etc/sysconfig/iptables?
>>> If the rc sequence is not used, how do ports unrelated to OpenStack services
>>> get enabled?
>>> Does the default response for a packet sent to non-OpenStack related port drop
>>> the packet or let it pass?
>>> Thanks,
>>> Craig
>>> --
>>> Craig E. Ward
>>> Information Sciences Institute
>>> University of Southern California
>>> cward at ISI.EDU <mailto:cward at ISI.EDU>
>>> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> -- 
> Craig E. Ward
> Information Sciences Institute
> University of Southern California
> cward at ISI.EDU

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130904/a1698a15/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NUAGECO-LOGO-Fblan_petit.jpg
Type: image/jpeg
Size: 10122 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130904/a1698a15/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 535 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130904/a1698a15/attachment.sig>

More information about the Openstack mailing list