yahoo-eng-team team mailing list archive
Message #40960
[Bug 1514769] Re: qrouter losing iptable entry after certain frequency.
That looks like a support request rather than a bug.
You should not add iptables rules directly to neutron namespaces, because they're managed by neutron.
There's no guarantee that the manually added rule will persist.
You should be doing this via security groups or floating IPs using the neutron API.
** Changed in: neutron
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1514769
Title:
qrouter losing iptable entry after certain frequency.
Status in neutron:
Invalid
Bug description:
Hi Everyone,
We have made an iptables entry in the qrouter for getting access to outside
public instances, but we found that the qrouter is losing the iptables entry after
some time; because of that, the instances are losing their connection to the
outside instance.
We are using DevStack stable/liberty.
After adding iptable Rule
====================
$ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 iptables -I neutron-l3-agent-snat -t nat -d 10.30.0.0/24 -j RETURN
$ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 sudo iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 neutron-l3-agent-PREROUTING all -- anywhere anywhere
2 DNAT tcp -- ubuntu492e9c.ubuntusjc.com anywhere tcp dpt:3000 to:10.20.0.115:3000
3 DNAT tcp -- anywhere anywhere tcp dpt:3000 to:10.20.0.124:3000
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 neutron-l3-agent-POSTROUTING all -- anywhere anywhere
2 neutron-postrouting-bottom all -- anywhere anywhere
Chain neutron-l3-agent-OUTPUT (1 references)
num target prot opt source destination
1 DNAT all -- anywhere 172.24.4.129 to:10.20.0.125
2 DNAT all -- anywhere 172.24.4.130 to:10.20.0.126
3 DNAT all -- anywhere 172.24.4.131 to:10.20.0.127
Chain neutron-l3-agent-POSTROUTING (1 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
num target prot opt source destination
1 REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
2 DNAT all -- anywhere 172.24.4.129 to:10.20.0.125
3 DNAT all -- anywhere 172.24.4.130 to:10.20.0.126
4 DNAT all -- anywhere 172.24.4.131 to:10.20.0.127
Chain neutron-l3-agent-float-snat (1 references)
num target prot opt source destination
1 SNAT all -- 10.20.0.125 anywhere to:172.24.4.129
2 SNAT all -- 10.20.0.126 anywhere to:172.24.4.130
3 SNAT all -- 10.20.0.127 anywhere to:172.24.4.131
Chain neutron-l3-agent-snat (1 references)
num target prot opt source destination
1 RETURN all -- anywhere 10.30.0.0/24
2 neutron-l3-agent-float-snat all -- anywhere anywhere
3 SNAT all -- anywhere anywhere to:172.24.4.3
4 SNAT all -- anywhere anywhere mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.3
Chain neutron-postrouting-bottom (1 references)
num target prot opt source destination
1 neutron-l3-agent-snat all -- anywhere anywhere /* Perform source NAT on outgoing traffic. */
After some time
=============
$ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 sudo iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 neutron-l3-agent-PREROUTING all -- anywhere anywhere
2 DNAT tcp -- ubuntu492e9c.ubuntussjc.com anywhere tcp dpt:3000 to:10.20.0.115:3000
3 DNAT tcp -- anywhere anywhere tcp dpt:3000 to:10.20.0.124:3000
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 neutron-l3-agent-POSTROUTING all -- anywhere anywhere
2 neutron-postrouting-bottom all -- anywhere anywhere
Chain neutron-l3-agent-OUTPUT (1 references)
num target prot opt source destination
1 DNAT all -- anywhere 172.24.4.129 to:10.20.0.125
2 DNAT all -- anywhere 172.24.4.130 to:10.20.0.126
3 DNAT all -- anywhere 172.24.4.131 to:10.20.0.127
Chain neutron-l3-agent-POSTROUTING (1 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
num target prot opt source destination
1 REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
2 DNAT all -- anywhere 172.24.4.129 to:10.20.0.125
3 DNAT all -- anywhere 172.24.4.130 to:10.20.0.126
4 DNAT all -- anywhere 172.24.4.131 to:10.20.0.127
Chain neutron-l3-agent-float-snat (1 references)
num target prot opt source destination
1 SNAT all -- 10.20.0.125 anywhere to:172.24.4.129
2 SNAT all -- 10.20.0.126 anywhere to:172.24.4.130
3 SNAT all -- 10.20.0.127 anywhere to:172.24.4.131
Chain neutron-l3-agent-snat (1 references)
num target prot opt source destination
1 neutron-l3-agent-float-snat all -- anywhere anywhere
2 SNAT all -- anywhere anywhere to:172.24.4.3
3 SNAT all -- anywhere anywhere mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.3
Chain neutron-postrouting-bottom (1 references)
num target prot opt source destination
1 neutron-l3-agent-snat all -- anywhere anywhere /* Perform source NAT on outgoing traffic. */
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1514769/+subscriptions
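A drift check over the two dumps in the report, added here as an example (not the reporter's or neutron's code): it parses `iptables -t nat -L --line-numbers` text into chains and reports which rules disappeared between the first and second snapshot, so the loss of a hand-inserted rule shows up in monitoring rather than as a failed connection. The sample input is constructed from the one chain that changed in the report.

```python
import re
from typing import Dict, List

# Matches "Chain PREROUTING (policy ACCEPT)" and "Chain X (1 references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \S+|\d+ references)\)$")

def parse_list_output(text: str) -> Dict[str, List[str]]:
    """Map chain name -> ordered rules, with the position number stripped
    so a rule that merely shifted position still compares equal."""
    chains: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise the column padding
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line and not line.startswith("num "):
            chains[current].append(re.sub(r"^\d+ ", "", line))
    return chains

def missing_rules(before: str, after: str) -> Dict[str, List[str]]:
    """Rules present in `before` but gone from `after`, keyed by chain."""
    b, a = parse_list_output(before), parse_list_output(after)
    gone = {}
    for chain, rules in b.items():
        lost = [r for r in rules if r not in a.get(chain, [])]
        if lost:
            gone[chain] = lost
    return gone

# Constructed sample: the one chain that changed between the report's two dumps.
BEFORE = """\
Chain neutron-l3-agent-snat (1 references)
num target prot opt source destination
1 RETURN all -- anywhere 10.30.0.0/24
2 neutron-l3-agent-float-snat all -- anywhere anywhere
3 SNAT all -- anywhere anywhere to:172.24.4.3
"""
AFTER = """\
Chain neutron-l3-agent-snat (1 references)
num target prot opt source destination
1 neutron-l3-agent-float-snat all -- anywhere anywhere
2 SNAT all -- anywhere anywhere to:172.24.4.3
"""

if __name__ == "__main__":
    for chain, rules in missing_rules(BEFORE, AFTER).items():
        for rule in rules:
            print(f"{chain}: no longer present: {rule}")
```

Feeding it two real dumps taken some minutes apart from the qrouter namespace would flag exactly the RETURN rule the report describes as vanishing.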