Hi,

I notice that there are two chains, neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING, in the Neutron namespace's iptables, both of which are the same except for the first REDIRECT rule:
I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain; aren't the rules in neutron-l3-agent-PREROUTING (called from PREROUTING) sufficient when foreign hosts connect to an inner VM?

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in  out source     destination
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.133  to:100.0.0.14
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.134  to:100.0.0.11
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.135  to:100.0.0.12
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.136  to:100.0.0.15
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.137  to:100.0.0.16
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.141  to:100.0.0.13
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.138  to:100.0.0.19
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.139  to:100.0.0.18
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.140  to:100.0.0.17

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in  out source     destination
    0     0 REDIRECT   tcp  --  *   *   0.0.0.0/0  169.254.169.254 tcp dpt:80 redir ports 9697
    6   312 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.133  to:100.0.0.14
  362 18804 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.134  to:100.0.0.11
    7   356 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.135  to:100.0.0.12
    1    78 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.136  to:100.0.0.15
   24  1235 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.137  to:100.0.0.16
   14   812 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.141  to:100.0.0.13
  665 35774 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.138  to:100.0.0.19
  715 38158 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.139  to:100.0.0.18
  788 42206 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.140  to:100.0.0.17

Thanks,
Liu Wenmao
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
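The following is an added example, not part of the post above and not Neutron's own code. It parses an `iptables -t nat -L -v -n` listing (the one quoted in the post, re-entered by hand, so the counters are the poster's, not measured here) and reports what actually differs between the two chains. The reason for the duplicate rules, stated here as the editor's explanation rather than the poster's: in the nat table, a packet arriving on an interface passes PREROUTING, while a packet generated by a process inside the router namespace itself passes OUTPUT and never PREROUTING. The OUTPUT copy of the DNAT rules is therefore what translates a floating IP when something inside the namespace addresses it; the all-zero OUTPUT counters in the post simply mean no such locally originated traffic had occurred there. The chain names and field layout are assumed from the listing as quoted.

```python
"""Parse `iptables -t nat -L -v -n` chain output and compare two chains.

Added example for the mailing-list question above; the LISTING is the
poster's output re-entered by hand (constructed input, not live data).
"""
import re
from dataclasses import dataclass

# Which netfilter path feeds each chain (assumption stated in the lead-in:
# PREROUTING sees packets arriving on an interface, OUTPUT sees packets a
# process inside the namespace generates itself).
HOOK_FOR_CHAIN = {
    "neutron-l3-agent-PREROUTING": "packets entering the namespace from an interface",
    "neutron-l3-agent-OUTPUT": "packets generated locally inside the namespace",
}

LISTING = """\
Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in  out source     destination
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.133  to:100.0.0.14
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.134  to:100.0.0.11
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.135  to:100.0.0.12
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.136  to:100.0.0.15
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.137  to:100.0.0.16
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.141  to:100.0.0.13
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.138  to:100.0.0.19
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.139  to:100.0.0.18
    0     0 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.140  to:100.0.0.17

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in  out source     destination
    0     0 REDIRECT   tcp  --  *   *   0.0.0.0/0  169.254.169.254 tcp dpt:80 redir ports 9697
    6   312 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.133  to:100.0.0.14
  362 18804 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.134  to:100.0.0.11
    7   356 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.135  to:100.0.0.12
    1    78 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.136  to:100.0.0.15
   24  1235 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.137  to:100.0.0.16
   14   812 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.141  to:100.0.0.13
  665 35774 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.138  to:100.0.0.19
  715 38158 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.139  to:100.0.0.18
  788 42206 DNAT       all  --  *   *   0.0.0.0/0  192.168.19.140  to:100.0.0.17
"""


@dataclass(frozen=True)
class Rule:
    pkts: int
    bytes: int
    target: str
    proto: str
    destination: str
    extra: str  # trailing match/target text, e.g. "to:100.0.0.14"


def parse_listing(text):
    """Return {chain_name: [Rule, ...]} from `iptables -L -v -n` output."""
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.startswith("pkts"):  # column header
            continue
        # Columns: pkts bytes target prot opt in out source destination [extra]
        f = line.split(None, 9)
        extra = f[9] if len(f) > 9 else ""
        chains[current].append(Rule(int(f[0]), int(f[1]), f[2], f[3], f[8], extra))
    return chains


def dnat_map(rules):
    """{floating_ip: fixed_ip} for the DNAT rules of one chain."""
    return {r.destination: r.extra[len("to:"):]
            for r in rules if r.target == "DNAT" and r.extra.startswith("to:")}


def analyse(chains):
    """Summarise how the two Neutron chains differ and which one carried traffic."""
    pre = chains["neutron-l3-agent-PREROUTING"]
    out = chains["neutron-l3-agent-OUTPUT"]
    return {
        "dnat_identical": dnat_map(pre) == dnat_map(out),
        "prerouting_only_targets": sorted({r.target for r in pre} - {r.target for r in out}),
        "prerouting_pkts": sum(r.pkts for r in pre),
        "output_pkts": sum(r.pkts for r in out),
    }


if __name__ == "__main__":
    result = analyse(parse_listing(LISTING))
    for name, why in HOOK_FOR_CHAIN.items():
        print(f"{name}: {why}")
    print(result)
```

Run it in a router namespace with `ip netns exec qrouter-<id> iptables -t nat -L -v -n | python3 this_script.py` replaced by reading stdin, and `output_pkts` becomes non-zero only once something inside the namespace (rather than a foreign host) has sent traffic to a floating IP.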