Hi Remo:

I know OUTPUT in the native iptables table is for outgoing traffic, but since the l3-agent is playing the role of a router, all traffic from the VMs to the external network goes through FORWARD/PREROUTING/POSTROUTING. So why does the l3-agent add a neutron-l3-agent-OUTPUT chain to the OUTPUT chain of the nat table? Is this chain necessary? The packet counters of the neutron-l3-agent-OUTPUT rules are all zero.
P.S. The neutron-l3-agent-OUTPUT chain is in the nat table, not the default table:

root@controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -nvx
Chain INPUT (policy ACCEPT 2632310 packets, 633146916 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 2632310  633146916 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 37757658 packets, 33160595764 bytes)
    pkts      bytes target     prot opt in     out     source               destination
37757658 33160595764 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
37757658 33160595764 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 22916 packets, 1850560 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   22916    1850560 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   22916    1850560 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
    pkts      bytes target     prot opt in     out     source               destination
37780574 33162446324 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination

------------------------------------------------------------------------

root@controller:~# ip netns exec qrouter-9c63d74c-19d0-4a08-93bd-4738dff02505 iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-PREROUTING  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere
neutron-postrouting-bottom  all  --  anywhere             anywhere

Chain neutron-l3-agent-OUTPUT (1 references)
target     prot opt source               destination
DNAT       all  --  anywhere             u20                  to:100.0.0.14
DNAT       all  --  anywhere             git.expr.nsfocus     to:100.0.0.11
DNAT       all  --  anywhere             u22                  to:100.0.0.12
DNAT       all  --  anywhere             u23                  to:100.0.0.15
DNAT       all  --  anywhere             u24                  to:100.0.0.16
DNAT       all  --  anywhere             u1                   to:100.0.0.13
DNAT       all  --  anywhere             192.168.19.138       to:100.0.0.19
DNAT       all  --  anywhere             192.168.19.139       to:100.0.0.18
DNAT       all  --  anywhere             192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-POSTROUTING (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697
DNAT       all  --  anywhere             u20                  to:100.0.0.14
DNAT       all  --  anywhere             git.expr.nsfocus     to:100.0.0.11
DNAT       all  --  anywhere             u22                  to:100.0.0.12
DNAT       all  --  anywhere             u23                  to:100.0.0.15
DNAT       all  --  anywhere             u24                  to:100.0.0.16
DNAT       all  --  anywhere             u1                   to:100.0.0.13
DNAT       all  --  anywhere             192.168.19.138       to:100.0.0.19
DNAT       all  --  anywhere             192.168.19.139       to:100.0.0.18
DNAT       all  --  anywhere             192.168.19.140       to:100.0.0.17

Chain neutron-l3-agent-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  100.0.0.14           anywhere             to:192.168.19.133
SNAT       all  --  100.0.0.11           anywhere             to:192.168.19.134
SNAT       all  --  100.0.0.12           anywhere             to:192.168.19.135
SNAT       all  --  100.0.0.15           anywhere             to:192.168.19.136
SNAT       all  --  100.0.0.16           anywhere             to:192.168.19.137
SNAT       all  --  100.0.0.13           anywhere             to:192.168.19.141
SNAT       all  --  100.0.0.19           anywhere             to:192.168.19.138
SNAT       all  --  100.0.0.18           anywhere             to:192.168.19.139
SNAT       all  --  100.0.0.17           anywhere             to:192.168.19.140

Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination
neutron-l3-agent-float-snat  all  --  anywhere             anywhere
SNAT       all  --  200.0.0.0/24         anywhere             to:192.168.19.130
SNAT       all  --  100.0.0.0/24         anywhere             to:192.168.19.130

Chain neutron-postrouting-bottom (1 references)
target     prot opt source               destination
neutron-l3-agent-snat  all  --  anywhere             anywhere

Liu Wenmao (刘文懋)
Researcher, Strategic Research Institute, NSFOCUS (绿盟科技)
Address: 4th floor, Yitai Building, No. 4 Beiwa Road, Haidian District, Beijing
Postal code: 100089
Tel: (010)68438880-8231
Fax: (010)68437328
Mobile: 13718994804
Email: liuwen...@nsfocus.com
Website: http://www.nsfocus.com

On Fri, Nov 22, 2013 at 1:37 PM, Remo Mattei <r...@mattei.org> wrote:
> The pre route has nothing to do with going out. Packets travel from PRE to
> POST. So the OUTPUT are rules allowing the packet to go out. POSTROUTING
> and PREROUTING are part of the nat module. Default rules in iptables are
> INPUT, FORWARD and OUTPUT; the nat (PREROUTING, POSTROUTING). Hope this helps
> a little with the iptables options.
>
> Ciao
> --
> Remo Mattei
>
>
> On November 21, 2013 at 20:33:39, Liu Wenmao (marvel...@gmail.com) wrote:
>
> hi:
>
> I notice that there are two chains, neutron-l3-agent-OUTPUT and
> neutron-l3-agent-PREROUTING, in the neutron namespace iptables, both of which
> are the same except for the first redirect rule:
>
> I wonder why we need DNATs in the neutron-l3-agent-OUTPUT chain. Are not
> the rules in neutron-l3-agent-PREROUTING (called by PREROUTING) sufficient
> when foreign hosts connect to an inner VM?
>
> Chain neutron-l3-agent-OUTPUT (1 references)
>     pkts      bytes target     prot opt in     out     source               destination
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
>        0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17
>
> Chain neutron-l3-agent-PREROUTING (1 references)
>     pkts      bytes target     prot opt in     out     source               destination
>        0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
>        6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
>      362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
>        7      356 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.135       to:100.0.0.12
>        1       78 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.136       to:100.0.0.15
>       24     1235 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.137       to:100.0.0.16
>       14      812 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.141       to:100.0.0.13
>      665    35774 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.138       to:100.0.0.19
>      715    38158 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.139       to:100.0.0.18
>      788    42206 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.140       to:100.0.0.17
>
> Thanks
>
> Liu Wenmao
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
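An added example, not code from the thread or from Neutron: a small Python check that parses `iptables -L -nvx` output in the layout quoted above, compares the floating-IP to fixed-IP DNAT mappings of neutron-l3-agent-OUTPUT and neutron-l3-agent-PREROUTING, and lists the rules whose packet counters are still zero (the comparison the message does by eye). The sample output is constructed and abbreviated to two of the floating IPs from the quoted dump.

```python
# Added example (not from the thread): parse `iptables -t nat -L -nvx` output, check that
# two chains carry the same floating-IP -> fixed-IP DNAT mappings, and report rules that
# never matched. SAMPLE is constructed in that layout with addresses/counters from the dump.
SAMPLE = """\
Chain neutron-l3-agent-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
       0        0 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11

Chain neutron-l3-agent-PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
       6      312 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.133       to:100.0.0.14
     362    18804 DNAT       all  --  *      *       0.0.0.0/0            192.168.19.134       to:100.0.0.11
"""

def parse_chains(text):
    """Return {chain: [(pkts, target, destination, extra)]} from -nvx output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains.setdefault(current, [])  # keep empty chains visible
            continue
        parts = line.split()
        # Columns: pkts bytes target prot opt in out source destination [options]
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue
        chains[current].append((int(parts[0]), parts[2], parts[8], " ".join(parts[9:])))
    return chains

def dnat_map(rules):
    """Floating IP (destination column) -> fixed IP (the 'to:' argument) per DNAT rule."""
    return {dest: extra.split("to:", 1)[1] for _, target, dest, extra in rules
            if target == "DNAT" and "to:" in extra}

def compare_dnat(chains, a, b):
    """(mappings only in chain a, mappings only in chain b); both empty means they agree."""
    ma, mb = set(dnat_map(chains[a]).items()), set(dnat_map(chains[b]).items())
    return ma - mb, mb - ma

def unused_rules(chains, chain):
    """(target, destination) of rules in `chain` whose packet counter is still zero."""
    return [(target, dest) for pkts, target, dest, _ in chains[chain] if pkts == 0]

if __name__ == "__main__":
    c = parse_chains(SAMPLE)
    print("OUTPUT vs PREROUTING DNAT diff:", compare_dnat(c, "neutron-l3-agent-OUTPUT", "neutron-l3-agent-PREROUTING"))
    print("zero-hit rules in OUTPUT:", unused_rules(c, "neutron-l3-agent-OUTPUT"))
```

Run against a real dump with `ip netns exec <qrouter-ns> iptables -t nat -L -nvx` piped into `parse_chains` to spot drift between the two chains after floating-IP changes.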