openstack team mailing list archive

Re: Weird nova-network bridging problem with precise/essex

 

On Sat, Jul 21, 2012 at 6:47 AM, Xu (Simon) Chen <xchenum@xxxxxxxxx> wrote:
> Narayan,
>
> If you do net.bridge.bridge-nf-call-iptables = 0 on the network controller,
> does floating IP still work? For each tenant/network, a subnet is created,
> and the nova-network has a .1 gateway configured on the bridge with the vlan
> interface plugged in.
>
> The packets from VMs are actually sent to the bridge for NATting. But if you
> don't allow the bridges to call iptables, it might break public access
> altogether. Don't know, maybe I'm not understanding the sysctl flag
> correctly... Maybe it only applies to the packet transiting the bridge, not
> impacting the ones destined to the nova-network?

Do you mean floating (private) or fixed (public) IPs? I suspect that
you mean fixed. Fixed IPs worked regardless of this setting.

The crux of the issue was that packets transiting the bridge (i.e. being
moved from vlan200 to the virtual br200) were hitting filtering rules.
It looks to me like the sysctls only apply to traffic moving across
the bridge (i.e. exactly between vlan200 and br200), but don't bypass
iptables entirely. I don't think that should affect NAT/SNAT in any
case.
 -nld

