Hi all,

we've been doing some tests with OpenStack Kilo and found out a problem: iptables routes are not being injected to the router namespace.

Scenario:
- a private network NOT connected to the outside world.
- a router with only one interface connected to the private network.
- a VM instance connected to the private network as well.

From inside the instance, we try to get some information from the metadata service with curl:

    $ curl http://169.254.169.254
    curl: (7) couldn't connect to host

With the same setup in Juno, there was no such problem and metadata information is shown. The request is not filtered at the instance and hits the router namespace (checked with tcpdump). However, when looking from the controller at the iptables rules at the router, they appear empty.

    stack@devstack: ~$ sudo ip netns exec qrouter-d4ec737a-c5fb-4f5b-8bd0-1b5353bbade3 iptables-save
    # Generated by iptables-save v1.4.21 on Tue Jan 20 14:05:48 2015
    *raw
    :PREROUTING ACCEPT [12:1334]
    :OUTPUT ACCEPT [10:868]
    COMMIT
    # Completed on Tue Jan 20 14:05:48 2015
    # Generated by iptables-save v1.4.21 on Tue Jan 20 14:05:48 2015
    *nat
    :PREROUTING ACCEPT [10:913]
    :INPUT ACCEPT [3:493]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed on Tue Jan 20 14:05:48 2015
    # Generated by iptables-save v1.4.21 on Tue Jan 20 14:05:48 2015
    *mangle
    :PREROUTING ACCEPT [12:1334]
    :INPUT ACCEPT [5:914]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10:868]
    :POSTROUTING ACCEPT [10:868]
    COMMIT
    # Completed on Tue Jan 20 14:05:48 2015
    # Generated by iptables-save v1.4.21 on Tue Jan 20 14:05:48 2015
    *filter
    :INPUT ACCEPT [5:914]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10:868]
    COMMIT

Is this some problem related to the refactoring of the l3 agent? Any pointer to what might be the problem here? I can provide more information on the subject if necessary to reproduce this. Any input would be appreciated.

Cheers,
Xavi
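
One way to automate the check described in the message (is the router namespace's rule set empty, and does the nat table carry any rule for the metadata address), as an added example that is not part of the original message or of Neutron. The function names are hypothetical, PAGE_NAT is the nat section of the dump quoted above, and WITH_RULE is a constructed contrast case whose rule text and port are placeholders.

```python
METADATA_IP = "169.254.169.254"

# nat section copied from the dump in the message above
PAGE_NAT = """\
*nat
:PREROUTING ACCEPT [10:913]
:INPUT ACCEPT [3:493]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""
# Constructed contrast case: same section with one redirect rule added.
# The rule text and its port are placeholders, not taken from the message.
WITH_RULE = PAGE_NAT.replace(
    "COMMIT",
    "-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 "
    "-j REDIRECT --to-ports 9697\nCOMMIT")

def summarize(dump):
    """Parse iptables-save text into {table: {"chains": n, "rules": [...]}}."""
    tables, current = {}, None
    for line in (l.strip() for l in dump.splitlines()):
        if not line or line.startswith("#"):
            continue                      # blank lines and timestamp comments
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"chains": 0, "rules": []})
        elif line == "COMMIT":
            current = None
        elif current is not None and line.startswith(":"):
            current["chains"] += 1        # chain declaration with policy/counters
        elif current is not None and line.startswith("-A "):
            current["rules"].append(line)
    return tables

def empty_tables(summary):
    """Tables that declare chains but carry no rules at all."""
    return sorted(t for t, v in summary.items() if not v["rules"])

def metadata_rules(summary):
    """nat rules whose -d destination is the metadata address."""
    hits = []
    for rule in summary.get("nat", {}).get("rules", []):
        tok = rule.split()
        if any(a == "-d" and b.split("/")[0] == METADATA_IP
               for a, b in zip(tok, tok[1:])):
            hits.append(rule)
    return hits

if __name__ == "__main__":
    for name, dump in (("message", PAGE_NAT), ("constructed", WITH_RULE)):
        s = summarize(dump)
        print(name, "empty:", empty_tables(s), "metadata rules:", metadata_rules(s))
```

To run it against a live router, pass the text of `sudo ip netns exec <qrouter namespace> iptables-save` to summarize() instead of the embedded samples.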