I have encountered exactly the same situation with our deployment, with all outbound packets from vm tagged with server's ip as their SNAT. After doing some investigation, I found that when nova-network inits itself, this filter rule will be populated; and I wonder whether this is an aimed design feature - to isolate all fixed-ips and make them only visible within a subnet. Could any expert help to clarify?

*Best Regards,
Xiaolin Zhang*

On Wed, Jul 18, 2012 at 11:25 PM, Boris-Michel Deschenes <boris-michel.deschenes@xxxxxxxxxxx> wrote:

> Hi guys,
>
> I have a question regarding NAT in openstack
>
> I have an openstack cloud (FlatDHCP, multi_host=false) with one
> nova-network node doing the NATing.
>
> I have noticed that when I ping an external machine from within a VM, on
> the receiving end I see the IP of the VM (so the outgoing SNAT works
> properly).
>
> I have also noticed that when I ping a VM inside the cloud from a machine
> outside, the VM sees the external IP of the nova-network node as the source
> of the ping and not the real IP of the “pinger”… (this is the problem for
> me).
>
> I looked at the nova-network machine’s iptables and I see this:
>
> -A nova-network-snat -s 10.0.0.0/8 -j SNAT --to-source 10.129.40.12
>
> So it’s basically setting the nova-network node as the source IP for all
> incoming traffic. In my situation, this prevents an application running
> inside the cloud from properly identifying the server located outside;
> currently, the only peer it sees is the nova-network node and not the IP of
> the server (located outside the cloud), so my application tries to connect
> to nova-network instead of the server that initiated the connection.
>
> Would it be possible to have SNAT work in a way where, when connecting to
> a VM from outside the cloud, the VM sees the source IP as the real source
> IP and not the nova-network controller’s ip ?
>
> Thank you very much
>
> Boris
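
Added example, not part of the original messages and not nova's own code: a small Python check that parses the SNAT rule quoted above and shows that it matches on source address alone, so any flow it handles whose source falls in 10.0.0.0/8 is rewritten to 10.129.40.12. It evaluates this one rule in isolation (other rules in the nat table may match first); the sample flows, the interface name `br100` and the helper names are constructed for illustration.

```python
import ipaddress
import shlex

# The SNAT rule quoted in the thread (iptables-save syntax).
RULE = "-A nova-network-snat -s 10.0.0.0/8 -j SNAT --to-source 10.129.40.12"

def parse_rule(line):
    """Extract chain, match criteria and SNAT target from one iptables-save line."""
    tok = shlex.split(line)
    rule = {"chain": None, "src": None, "dst": None, "out_if": None,
            "target": None, "to_source": None}
    flags = {"-A": "chain", "-s": "src", "-d": "dst", "-o": "out_if",
             "-j": "target", "--to-source": "to_source"}
    i = 0
    while i < len(tok):
        key = flags.get(tok[i])
        if key is None:  # negation ("!") and other matches are out of scope here
            raise ValueError(f"unsupported token: {tok[i]}")
        rule[key] = tok[i + 1]
        i += 2
    for k in ("src", "dst"):
        if rule[k]:
            rule[k] = ipaddress.ip_network(rule[k], strict=False)
    return rule

def unscoped(rule):
    """True when an SNAT rule matches on source only (no -d and no -o)."""
    return rule["target"] == "SNAT" and rule["dst"] is None and rule["out_if"] is None

def seen_source(rule, src, dst, out_if):
    """Source address the receiver sees if this rule alone handles the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = ((rule["src"] is None or s in rule["src"]) and
           (rule["dst"] is None or d in rule["dst"]) and
           (rule["out_if"] is None or rule["out_if"] == out_if))
    return rule["to_source"] if hit and rule["target"] == "SNAT" else src

# Constructed flows: (source, destination, egress interface)
FLOWS = [
    ("10.129.40.50", "10.0.0.5", "br100"),  # sender inside 10.0.0.0/8
    ("192.0.2.10", "10.0.0.5", "br100"),    # sender outside 10.0.0.0/8
]

if __name__ == "__main__":
    r = parse_rule(RULE)
    print("source-only SNAT rule:", unscoped(r))
    for src, dst, oif in FLOWS:
        print(f"{src} -> {dst}: receiver sees {seen_source(r, src, dst, oif)}")
```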