Hi, all. I have some questions about l3 address scope in neutron. I hope that someone could give me some answers.

I set up a devstack environment and it uses the feature of l3 address scope by following the document [1]. After doing those steps, I can find some iptables rules in the namespace, like this:

    root@devstack:~# iptables-save |grep neutron-l3-agent-scope
    :neutron-l3-agent-scope - [0:0]
    -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope
    -A neutron-l3-agent-scope -i qr-6d393225-2e -j MARK --set-xmark 0x4010000/0xffff0000
    -A neutron-l3-agent-scope -i qr-d257abb8-e1 -j MARK --set-xmark 0x4000000/0xffff0000
    -A neutron-l3-agent-scope -i qg-f64c7892-1d -j MARK --set-xmark 0x4010000/0xffff0000
    :neutron-l3-agent-scope - [0:0]
    -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
    -A neutron-l3-agent-scope -o qr-6d393225-2e -m mark ! --mark 0x4010000/0xffff0000 -j DROP
    -A neutron-l3-agent-scope -o qr-d257abb8-e1 -m mark ! --mark 0x4000000/0xffff0000 -j DROP

What are these iptables rules used for? In my opinion, by reading these rules, I can get some information: any input traffic (qr and qg devices) will be marked and we only accept this marked traffic, isn't it?

What is the purpose of the l3 address scope? What can we benefit from l3 address scope?

Thanks
Zhi Chang

[1]: https://docs.openstack.org/draft/networking-guide/config-address-scopes.html
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
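Added example, not part of the original message and not neutron's own code: a small Python evaluator that applies the quoted rules to a packet, marking it by ingress interface (the PREROUTING-hooked chain) and checking the mark against the egress interface (the FORWARD-hooked chain). The function names are hypothetical, and the rule text is the output quoted in the message, re-entered one rule per line.

```python
import re

# Constructed sample: the rules quoted in the message, one per line.
RULES = """\
-A neutron-l3-agent-scope -i qr-6d393225-2e -j MARK --set-xmark 0x4010000/0xffff0000
-A neutron-l3-agent-scope -i qr-d257abb8-e1 -j MARK --set-xmark 0x4000000/0xffff0000
-A neutron-l3-agent-scope -i qg-f64c7892-1d -j MARK --set-xmark 0x4010000/0xffff0000
-A neutron-l3-agent-scope -o qr-6d393225-2e -m mark ! --mark 0x4010000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-d257abb8-e1 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
"""

HEX = r"(0x[0-9a-fA-F]+)"
SET_RE = re.compile(r"-i (\S+) -j MARK --set-xmark " + HEX + "/" + HEX)
DROP_RE = re.compile(r"-o (\S+) -m mark ! --mark " + HEX + "/" + HEX + " -j DROP")

def parse(text):
    """Return ({ingress_if: (value, mask)}, {egress_if: (value, mask)})."""
    ingress, egress = {}, {}
    for line in text.splitlines():
        if m := SET_RE.search(line):
            ingress[m[1]] = (int(m[2], 16), int(m[3], 16))
        elif m := DROP_RE.search(line):
            egress[m[1]] = (int(m[2], 16), int(m[3], 16))
    return ingress, egress

def forwarded(ingress, egress, src, dst, mark=0):
    """True if a packet entering on src and leaving on dst passes the DROP rules."""
    if src in ingress:
        value, mask = ingress[src]
        # --set-xmark value/mask: clear the mask bits, then XOR in the value.
        mark = (mark & ~mask) ^ value
    if dst not in egress:
        return True  # no scope rule for this egress interface in the quoted output
    want, mask = egress[dst]
    # "! --mark want/mask -j DROP" drops when the masked mark differs from want.
    return (mark & mask) == want

def forwarding_matrix(text):
    """Map every (ingress, egress) interface pair in the rules to pass/drop."""
    ingress, egress = parse(text)
    return {(s, d): forwarded(ingress, egress, s, d)
            for s in ingress for d in ingress if s != d}

if __name__ == "__main__":
    for (src, dst), ok in sorted(forwarding_matrix(RULES).items()):
        print(f"{src} -> {dst}: {'forward' if ok else 'DROP'}")
```

Under these rules, a packet only reaches a qr- interface if it entered on an interface carrying the same mark in the upper 16 bits; the lower 16 bits of the mark are left untouched by the 0xffff0000 mask.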