yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1079926] Re: iptables NAT rules set by openstack-l3-agent are incomplete for AiO setups

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1079926@xxxxxxxxxxxxxxxxxx>
Date: Mon, 01 Apr 2013 04:17:36 -0000
Reply-to: Bug 1079926 <1079926@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

[Expired for quantum because there has been no activity for 60 days.]

** Changed in: quantum
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to quantum.
https://bugs.launchpad.net/bugs/1079926

Title:
  iptables NAT rules set by openstack-l3-agent are incomplete for AiO
  setups

Status in OpenStack Quantum (virtual network service):
  Expired

Bug description:
  In order to allow access to the metadata service (169.254.169.254),
  quantum-l3-agent sets NAT rules for the affected router namespace:

  -t nat -A quantum-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m
  tcp --dport 80 -j DNAT --to-destination 192.168.122.111:8775

  For setups where all services are running on the same host, this is
  insufficient. The rule above is simply skipped for packages that were
  generated by local processes. To make it work, the following rule is
  required:

  -t nat -A quantum-l3-agent-PREROUTING -s 0.0.0.0/0 -p tcp -m tcp
  --dport 80 -j REDIRECT --to-ports 8775

  With that rule in place, VMs can reach the metadata service nicely.

To manage notifications about this bug go to:
https://bugs.launchpad.net/quantum/+bug/1079926/+subscriptions