[Openstack] [icehouse][neutron]-Iptables

Brian Haley brian.haley at hp.com
Thu Nov 20 16:11:15 UTC 2014


On 11/19/2014 03:31 AM, Chinasubbareddy M wrote:
> Hi all,
> 
> I would like to know where the iptables at compute side will get saved, I mean
> will they get saved in any configuration file or not.

Neutron doesn't save iptables info in any file, it builds a chain/rule set
internally, then applies it when triggered.

> When I change an iptables rule and restart the ovs agent, the changes are going away and
> the original iptables are coming up.

You should typically not add or modify iptables rules by hand, but instead use
the security group API to add them.  If you're trying to add something to the
chain for an instance you will always be fighting with the iptables_manager and
it will always remove whatever you have added.

If you're trying to add a chain/rule for something not managed by Neutron, for
example an INPUT rule to drop packets to a TCP port, I would only suggest doing
that when the agent is not running since you'll just race with it and things
will get out of sync.

> I would like to understand iptables in OpenStack in depth, please suggest me
> any working guides or blogs.

Look for the files iptables_manager.py and iptables_firewall.py - that's where
the manager and most of the security group code lives.

-Brian
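The practical consequence of Brian's answer is that a hand-added rule has no file to live in: the next time the agent rebuilds its chains, the rule is simply gone, and the only record of it is whatever snapshot you took beforehand. The following is an added example, not code from Neutron or from anyone in this thread. It parses two `iptables-save` snapshots (one taken before and one after an agent restart) and reports which rules vanished, splitting them into rules that sat in Neutron-managed chains and rules that sat elsewhere. It assumes that Neutron's wrapped chains carry the name prefix `neutron-`; the chain names, interface name and both snapshots below are constructed sample data, not output from a real host.

```python
"""Diff two iptables-save snapshots and report rules that disappeared.

Added example for the thread above (not Neutron code). Assumption: chains
managed by Neutron's iptables_manager are named with the prefix "neutron-".
"""
import re
from typing import Dict, List, Set, Tuple

NEUTRON_PREFIX = "neutron-"  # assumption: prefix of Neutron's wrapped chains

# Constructed sample snapshot "before" an agent restart. Two rules were added
# by hand: a DROP in the top-level INPUT chain and a RETURN for port 3306
# inside an instance's (constructed) ingress chain.
BEFORE_SNAPSHOT = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-i3a4f2b1c - [0:0]
[10:640] -A INPUT -j neutron-openvswi-INPUT
[0:0] -A INPUT -p tcp --dport 8080 -j DROP
[10:640] -A neutron-openvswi-INPUT -m physdev --physdev-in tap3a4f2b1c-9e -j neutron-openvswi-i3a4f2b1c
[3:180] -A neutron-openvswi-i3a4f2b1c -p tcp --dport 22 -j RETURN
[0:0] -A neutron-openvswi-i3a4f2b1c -p tcp --dport 3306 -j RETURN
COMMIT
"""

# Constructed sample snapshot "after" the restart: both hand-added rules are
# missing; only counters changed on the rules that survived.
AFTER_SNAPSHOT = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-i3a4f2b1c - [0:0]
[12:770] -A INPUT -j neutron-openvswi-INPUT
[12:770] -A neutron-openvswi-INPUT -m physdev --physdev-in tap3a4f2b1c-9e -j neutron-openvswi-i3a4f2b1c
[4:240] -A neutron-openvswi-i3a4f2b1c -p tcp --dport 22 -j RETURN
COMMIT
"""


def parse_iptables_save(text: str) -> Dict[str, Set[str]]:
    """Return {table_name: set(rule_line)} from iptables-save output.

    Comments, chain declarations (":NAME POLICY [p:b]") and COMMIT lines are
    skipped, and the leading "[packets:bytes]" counter is stripped from each
    rule so that traffic alone never shows up as a difference.
    """
    tables: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*filter", "*nat", ...
            current = line[1:]
            tables.setdefault(current, set())
            continue
        if line == "COMMIT" or line.startswith(":"):
            continue
        if current is None:
            raise ValueError("rule appears before any *table line: %r" % raw)
        tables[current].add(re.sub(r"^\[\d+:\d+\]\s*", "", line))
    return tables


def chain_of(rule: str) -> str:
    """Chain name of an '-A CHAIN ...' rule line ('' if not in that form)."""
    parts = rule.split()
    return parts[1] if len(parts) > 1 and parts[0] == "-A" else ""


def lost_rules(before: Dict[str, Set[str]],
               after: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Rules present in `before` but absent from `after`, bucketed by whether
    they lived in a Neutron-managed chain (prefix NEUTRON_PREFIX) or not."""
    result: Dict[str, List[Tuple[str, str]]] = {"neutron_managed": [], "unmanaged": []}
    for table, rules in before.items():
        for rule in sorted(rules - after.get(table, set())):
            bucket = "neutron_managed" if chain_of(rule).startswith(NEUTRON_PREFIX) else "unmanaged"
            result[bucket].append((table, rule))
    return result


def report(lost: Dict[str, List[Tuple[str, str]]]) -> str:
    """Human-readable summary of the diff."""
    lines = []
    for bucket, entries in lost.items():
        lines.append("%s: %d rule(s) lost" % (bucket, len(entries)))
        lines.extend("  [%s] %s" % entry for entry in entries)
    return "\n".join(lines)


if __name__ == "__main__":
    diff = lost_rules(parse_iptables_save(BEFORE_SNAPSHOT),
                      parse_iptables_save(AFTER_SNAPSHOT))
    print(report(diff))
```

Anything that lands in the `neutron_managed` bucket is the case Brian describes: a rule placed in a chain the manager owns, which it will keep removing. Rules in the `unmanaged` bucket are the "race with the agent" case; on a real host you would run `iptables-save` into a file before and after the restart and feed those two files to `parse_iptables_save` instead of the constructed strings.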
