The pre route has nothing to do with going out. Packets travel from PRE to
POST. So the OUTPUT are rules allowing the package to go out. POSTROUTING and
PREROUTING are part of the nat module. Default rules in iptables are
INPUT, FORWARD and OUTPUT. The nat (PREROUTING, POSTROUTING). Hope this helps a
little with the iptables options.

Ciao 
-- 
Remo Mattei


On November 21, 2013 at 20:33:39, Liu Wenmao (marvel...@gmail.com) wrote:

hi:

I notice that there are two chains, neutron-l3-agent-OUTPUT and 
neutron-l3-agent-PREROUTING, in neutron namespace iptables, both of which are 
the same except for the first redirect rule:

I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain. Are the
rules in neutron-l3-agent-PREROUTING (called by PREROUTING) not sufficient when
foreign hosts connect to inner VM?

Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
       7      356 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
       1       78 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
      24     1235 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
      14      812 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
     665    35774 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
     715    38158 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
     788    42206 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17

Thanks

Liu Wenmao
_______________________________________________  
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack  
Post to : openstack@lists.openstack.org  
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack  
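
An added example, not part of the original thread: in netfilter, packets arriving on an interface traverse the nat PREROUTING chain while packets generated locally in the namespace traverse nat OUTPUT, which is one reason the same DNAT mappings can appear in both chains. This Python sketch parses a constructed listing in the format shown above (addresses are illustrative; the function names are assumptions) and reports destinations whose DNAT is not mirrored between the two chains.

```python
import re

# Constructed sample in `iptables -t nat -L -v -n` layout; addresses are illustrative.
SAMPLE = """\
Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.0.2.10           to:10.0.0.4
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.0.2.11           to:10.0.0.5

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
    6   312 DNAT       all  --  *      *       0.0.0.0/0            192.0.2.10           to:10.0.0.4
  362 18804 DNAT       all  --  *      *       0.0.0.0/0            192.0.2.11           to:10.0.0.5
   14   812 DNAT       all  --  *      *       0.0.0.0/0            192.0.2.12           to:10.0.0.6
"""


def parse_dnat(listing):
    """Return {chain: {destination: dnat_target}} for every DNAT rule listed."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            current = chains.setdefault(header.group(1), {})
            continue
        f = line.split()
        # Columns: pkts bytes target prot opt in out source destination extra...
        if current is not None and len(f) >= 10 and f[2] == "DNAT" \
                and f[9].startswith("to:"):
            current[f[8]] = f[9][3:]
    return chains


def unmirrored(listing, pre="neutron-l3-agent-PREROUTING",
               out="neutron-l3-agent-OUTPUT"):
    """Destinations whose DNAT is missing from, or differs in, one of the chains."""
    chains = parse_dnat(listing)
    a, b = chains.get(pre, {}), chains.get(out, {})
    return sorted(d for d in a.keys() | b.keys() if a.get(d) != b.get(d))


if __name__ == "__main__":
    for dest in unmirrored(SAMPLE):
        print("DNAT not mirrored for", dest)
```
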

