[Openstack] RDO: IPtables with DNAT

Kamen Tarlov tarlov.kamen at gmail.com
Thu Feb 4 16:23:52 UTC 2016

Sorry my previous reply wasn't directed to the list. I'm reposting.

Hello Brian,

Thanks for the answer. Probably my knowledge around neutron is not
sufficient to add a DNAT address from there. But let me answer your question.

When I get the machine up with a private address I'm adding an ifconfig alias,
for example bond0:1 with the real IP, and then setting rules for different ports
to different VMs.

'/sbin/iptables -t nat -A neutron-openvswi-PREROUTING -d {{ external_ip }} -p tcp --dport {{ external_ports }} -j DNAT --to-destination {{ vm.address }}:{{ internal_ports }}'
(well, before that I was setting it in the PREROUTING chain but it was the same)

So basically I would like to persist a rule like this in the
neutron-openvswi-PREROUTING chain.

I know the other way would be to set the public IP as floating, but that's too
much waste of resources for a single node.

This is what I'm trying to achieve; if there is any better way of doing it
through the neutron API it would be nice to know.

If I understand correctly, if the neutron agents are down and I apply the
iptables command, the rules will be preserved after start?


Best regards,

On Thu, Feb 4, 2016 at 6:05 PM, Remo Mattei <Remo at italy1.com> wrote:

> I agree with Brian.
> Let neutron do all the work and now those rules are in the namespace.
> Therefore I would suggest to try and let all the services do their job and
> see if that works.
> Sent from iPhone
> > On 04 Feb 2016, at 06:56, Brian Haley <brian.haley at hpe.com> wrote:
> >
> >> On 02/04/2016 07:05 AM, Kamen Tarlov wrote:
> >> Hello,
> >>
> >> We have a single node installation with RDO Kilo release. Network configuration
> >> consists of 2 private networks and one of them is floating. Networks are routed
> >> just inside the node.  The problem I'm facing is when I try to configure the
> >> DNAT rules to reroute the traffic/ports to VM. Initially the traffic to VM works
> >> fine until neutron reorders the rules on top:
> >>
> >> Chain PREROUTING (policy ACCEPT)
> >> target     prot opt source               destination
> >> neutron-openvswi-PREROUTING  all  --  anywhere             anywhere
> >> nova-api-PREROUTING  all  --  anywhere             anywhere
> >>
> >> Is there any way I can prevent this or set them with lower priority?
> >
> > I guess my first question is, why are you manually adding DNAT rules?
> > Why aren't you letting Neutron manage iptables for the VMs?  You would need
> > to give more information on the exact rule you are trying to add to help
> > make things clearer.
> >
> > As a rule of thumb, it's a bad idea to try and add/remove iptables rules
> > while Neutron agents are running, you will eventually find yourself in a
> > race condition where rules are missing and things don't work.  If you need
> > to add a rule I would recommend doing it before the agents are started,
> > that way it will get left alone.
> >
> > -Brian
> >
> > _______________________________________________
> > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to     : openstack at lists.openstack.org
> > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Поздрави/Best Regards,

Kamen Tarlov
Sr. Engineer
phone +359 894224491
Bulgaria, Sofia
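A check for the situation discussed in this thread, added here as an example and not code from the mail or from RDO/Neutron: it renders the DNAT rule from the mail's template variables the way iptables-save prints it, looks for it in an `iptables-save -t nat` dump (so a snapshot taken after the agents restart can be inspected without root), and prints an idempotent check-then-insert pair. The chain name is the one from the mail; the 198.51.100.10 / 10.0.0.5 addresses and the port numbers are constructed sample values, and placing the rule first in the chain with `-I ... 1` is this example's choice.

```shell
#!/bin/sh
# Added example, not code from the thread. Pure shell + grep, no iptables needed:
# it works on an `iptables-save -t nat` dump, e.g. saved with
#   iptables-save -t nat > nat.dump
# after the neutron agents have restarted, to see whether the DNAT rule survived.

# Render the rule from the mail exactly as iptables-save prints it. Arguments are
# the mail's template variables: EXTERNAL_IP EXTERNAL_PORT VM_ADDRESS INTERNAL_PORT
# (iptables-save shows "-d A.B.C.D/32" and "-p tcp -m tcp --dport N").
render_dnat_rule() {
    printf '%s\n' "-A neutron-openvswi-PREROUTING -d $1/32 -p tcp -m tcp --dport $2 -j DNAT --to-destination $3:$4"
}

# Read a dump on stdin; exit 0 if the rendered rule is present verbatim, 1 if not.
dnat_rule_present() {
    grep -qxF -e "$(render_dnat_rule "$@")"
}

# Print an idempotent "check, then insert" pair. "-I ... 1" puts the rule at the
# top of the neutron-managed chain (this example's choice); per Brian's advice,
# run it before the agents start, not while they are rewriting the chain.
print_apply_commands() {
    spec="-d $1 -p tcp -m tcp --dport $2 -j DNAT --to-destination $3:$4"
    printf '%s\n' "/sbin/iptables -t nat -C neutron-openvswi-PREROUTING $spec ||" \
                  "/sbin/iptables -t nat -I neutron-openvswi-PREROUTING 1 $spec"
}

# Constructed sample dump (documentation/private address ranges, not real hosts):
# the port-2222 rule is still in place, nothing forwards port 8443.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A neutron-openvswi-PREROUTING -d 198.51.100.10/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.0.5:22
COMMIT
EOF
}

# Stand-alone run: report on the sample, then show the commands for the missing rule.
if sample_dump | dnat_rule_present 198.51.100.10 2222 10.0.0.5 22; then
    echo "port 2222 -> 10.0.0.5:22 rule is present"
fi
if ! sample_dump | dnat_rule_present 198.51.100.10 8443 10.0.0.5 443; then
    echo "port 8443 rule is missing; to apply:"
    print_apply_commands 198.51.100.10 8443 10.0.0.5 443
fi
```

To check a real box, replace sample_dump with a saved dump (e.g. dnat_rule_present ... < nat.dump).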