Public bug reported:

Hi Everyone,

We have added an iptables entry to the qrouter to get access to outside public instances, but we found the qrouter is losing the iptables entry after some time; because of that, instances are losing the connection to the outside instance. We are using DevStack stable/liberty.

After adding iptables rule
====================

$ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 iptables -I neutron-l3-agent-snat -t nat -d 10.30.0.0/24 -j RETURN
$ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 sudo iptables -t nat -L --line-numbers

Chain PREROUTING (policy ACCEPT)
num  target                       prot opt source                      destination
1    neutron-l3-agent-PREROUTING  all  --  anywhere                    anywhere
2    DNAT                         tcp  --  ubuntu492e9c.ubuntusjc.com  anywhere             tcp dpt:3000 to:10.20.0.115:3000
3    DNAT                         tcp  --  anywhere                    anywhere             tcp dpt:3000 to:10.20.0.124:3000

Chain INPUT (policy ACCEPT)
num  target                       prot opt source                      destination

Chain OUTPUT (policy ACCEPT)
num  target                       prot opt source                      destination
1    neutron-l3-agent-OUTPUT      all  --  anywhere                    anywhere

Chain POSTROUTING (policy ACCEPT)
num  target                       prot opt source                      destination
1    neutron-l3-agent-POSTROUTING all  --  anywhere                    anywhere
2    neutron-postrouting-bottom   all  --  anywhere                    anywhere

Chain neutron-l3-agent-OUTPUT (1 references)
num  target                       prot opt source                      destination
1    DNAT                         all  --  anywhere                    172.24.4.129         to:10.20.0.125
2    DNAT                         all  --  anywhere                    172.24.4.130         to:10.20.0.126
3    DNAT                         all  --  anywhere                    172.24.4.131         to:10.20.0.127

Chain neutron-l3-agent-POSTROUTING (1 references)
num  target                       prot opt source                      destination
1    ACCEPT                       all  --  anywhere                    anywhere             ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
num  target                       prot opt source                      destination
1    REDIRECT                     tcp  --  anywhere                    169.254.169.254      tcp dpt:http redir ports 9697
2    DNAT                         all  --  anywhere                    172.24.4.129         to:10.20.0.125
3    DNAT                         all  --  anywhere                    172.24.4.130         to:10.20.0.126
4    DNAT                         all  --  anywhere                    172.24.4.131         to:10.20.0.127

Chain neutron-l3-agent-float-snat (1 references)
num  target                       prot opt source                      destination
1    SNAT                         all  --  10.20.0.125                 anywhere             to:172.24.4.129
2    SNAT                         all  --  10.20.0.126                 anywhere             to:172.24.4.130
3    SNAT                         all  --  10.20.0.127                 anywhere             to:172.24.4.131

Chain neutron-l3-agent-snat (1 references)
num  target                       prot opt source                      destination
1    RETURN                       all  --  anywhere                    10.30.0.0/24
2    neutron-l3-agent-float-snat  all  --  anywhere                    anywhere
3    SNAT                         all  --  anywhere                    anywhere             to:172.24.4.3
4    SNAT                         all  --  anywhere                    anywhere             mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.3

Chain neutron-postrouting-bottom (1 references)
num  target                       prot opt source                      destination
1    neutron-l3-agent-snat        all  --  anywhere                    anywhere             /* Perform source NAT on outgoing traffic. */

After some time
=============

$ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 sudo iptables -t nat -L --line-numbers

Chain PREROUTING (policy ACCEPT)
num  target                       prot opt source                      destination
1    neutron-l3-agent-PREROUTING  all  --  anywhere                    anywhere
2    DNAT                         tcp  --  ubuntu492e9c.ubuntussjc.com anywhere             tcp dpt:3000 to:10.20.0.115:3000
3    DNAT                         tcp  --  anywhere                    anywhere             tcp dpt:3000 to:10.20.0.124:3000

Chain INPUT (policy ACCEPT)
num  target                       prot opt source                      destination

Chain OUTPUT (policy ACCEPT)
num  target                       prot opt source                      destination
1    neutron-l3-agent-OUTPUT      all  --  anywhere                    anywhere

Chain POSTROUTING (policy ACCEPT)
num  target                       prot opt source                      destination
1    neutron-l3-agent-POSTROUTING all  --  anywhere                    anywhere
2    neutron-postrouting-bottom   all  --  anywhere                    anywhere

Chain neutron-l3-agent-OUTPUT (1 references)
num  target                       prot opt source                      destination
1    DNAT                         all  --  anywhere                    172.24.4.129         to:10.20.0.125
2    DNAT                         all  --  anywhere                    172.24.4.130         to:10.20.0.126
3    DNAT                         all  --  anywhere                    172.24.4.131         to:10.20.0.127

Chain neutron-l3-agent-POSTROUTING (1 references)
num  target                       prot opt source                      destination
1    ACCEPT                       all  --  anywhere                    anywhere             ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
num  target                       prot opt source                      destination
1    REDIRECT                     tcp  --  anywhere                    169.254.169.254      tcp dpt:http redir ports 9697
2    DNAT                         all  --  anywhere                    172.24.4.129         to:10.20.0.125
3    DNAT                         all  --  anywhere                    172.24.4.130         to:10.20.0.126
4    DNAT                         all  --  anywhere                    172.24.4.131         to:10.20.0.127

Chain neutron-l3-agent-float-snat (1 references)
num  target                       prot opt source                      destination
1    SNAT                         all  --  10.20.0.125                 anywhere             to:172.24.4.129
2    SNAT                         all  --  10.20.0.126                 anywhere             to:172.24.4.130
3    SNAT                         all  --  10.20.0.127                 anywhere             to:172.24.4.131

Chain neutron-l3-agent-snat (1 references)
num  target                       prot opt source                      destination
1    neutron-l3-agent-float-snat  all  --  anywhere                    anywhere
2    SNAT                         all  --  anywhere                    anywhere             to:172.24.4.3
3    SNAT                         all  --  anywhere                    anywhere             mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.3

Chain neutron-postrouting-bottom (1 references)
num  target                       prot opt source                      destination
1    neutron-l3-agent-snat        all  --  anywhere                    anywhere             /* Perform source NAT on outgoing traffic. */

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1514769

Title:
  qrouter losing iptables entry after certain frequency.

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1514769/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
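Editor's note and added example; this is not part of the bug report above and not neutron's own code. The two listings show the pattern a practitioner should expect: the two hand-added DNAT rules sitting directly in the built-in PREROUTING chain survive, while the RETURN inserted into neutron-l3-agent-snat is gone. The neutron-* chains are owned by the L3 agent's iptables manager, which regenerates them from its own in-memory rule set each time it applies rules (for example after a router or floating-IP update, or an agent restart), so anything inserted into those chains by hand is dropped at the next apply. Note also that a RETURN appended after the SNAT rules would never match; it has to sit ahead of them, which is where the reporter's -I put it. The script below detects this drift offline: it takes two iptables-save snapshots of the qrouter's nat table, checks whether the "skip SNAT for 10.30.0.0/24" RETURN is present and still ahead of the SNAT rules, and lists every rule in a neutron-managed chain that existed in the first snapshot but not the second. The snapshots are constructed to mirror the report's two listings (the report's iptables -L output shows no output interfaces or counters, so none are included); the function names and the qrouter_nat_save wrapper are the editor's, not neutron's.

```shell
#!/bin/sh
# Added example (editor's code, not from the bug report or from neutron):
# detect when a hand-inserted rule disappears from a neutron-managed nat
# chain by comparing two iptables-save snapshots of the qrouter namespace.
set -eu

EXEMPT=10.30.0.0/24   # destination the reporter wanted to exclude from SNAT

# Constructed snapshot in iptables-save format, modelled on the report's
# first listing. Interfaces and counters are omitted (not visible in the
# report's `iptables -L` output).
BEFORE=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A PREROUTING -p tcp -m tcp --dport 3000 -j DNAT --to-destination 10.20.0.124:3000
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 172.24.4.129/32 -j DNAT --to-destination 10.20.0.125
-A neutron-l3-agent-float-snat -s 10.20.0.125/32 -j SNAT --to-source 172.24.4.129
-A neutron-l3-agent-snat -d 10.30.0.0/24 -j RETURN
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -j SNAT --to-source 172.24.4.3
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.3
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat
COMMIT
EOF
)

# Constructed "after" snapshot: identical except that the hand-inserted
# RETURN is gone, as in the report's second listing. The DNAT rule placed
# directly in the built-in PREROUTING chain is untouched, also as reported.
AFTER=$(printf '%s\n' "$BEFORE" | grep -vxF -- "-A neutron-l3-agent-snat -d $EXEMPT -j RETURN")

# Exit 0 if the "skip SNAT for $2" RETURN rule exists in neutron-l3-agent-snat.
snat_exempt_present() {
  printf '%s\n' "$1" | grep -qxF -- "-A neutron-l3-agent-snat -d $2 -j RETURN"
}

# Exit 0 if that RETURN also precedes every SNAT rule in the chain; a RETURN
# that comes after the SNAT rules is never reached.
snat_exempt_ordered() {
  printf '%s\n' "$1" | grep '^-A neutron-l3-agent-snat ' | awk -v cidr="$2" '
    index($0, "-d " cidr " -j RETURN") { if (!seen_snat) ok = 1; exit }
    /-j SNAT/                          { seen_snat = 1 }
    END                                { if (ok) exit 0; exit 1 }'
}

# Print every rule in a neutron-managed chain (-A neutron-*) that is in
# snapshot $1 but missing from snapshot $2, compared as exact lines.
lost_neutron_rules() {
  printf '%s\n' "$1" | grep '^-A neutron-' | while IFS= read -r rule; do
    printf '%s\n' "$2" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
  done
}

# Live snapshot of the nat table inside a qrouter namespace (needs root).
# Not invoked here; it feeds real data to the functions above.
qrouter_nat_save() {
  ip netns exec "$1" iptables-save -t nat
}

if snat_exempt_present "$BEFORE" "$EXEMPT" && snat_exempt_ordered "$BEFORE" "$EXEMPT"; then
  echo "before: $EXEMPT is exempt from SNAT and the RETURN precedes the SNAT rules"
fi
if ! snat_exempt_present "$AFTER" "$EXEMPT"; then
  echo "after:  exemption for $EXEMPT is gone; rules lost from neutron-managed chains:"
  lost_neutron_rules "$BEFORE" "$AFTER"
fi
```

To use it against a real router, run qrouter_nat_save on the namespace at two points in time (e.g. right after the insert and again after a floating-IP change or an agent restart) and feed both outputs to lost_neutron_rules; the RETURN line coming back is the symptom in the report. Anything that must persist belongs in neutron's own router configuration rather than in the namespace, since the agent will keep rewriting its chains; the router-level knob that exists in this release is neutron router-gateway-set --disable-snat, which switches SNAT off for the whole router rather than for one destination.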