yahoo-eng-team team mailing list archive
Message #70341
[Bug 1735866] Re: Snat namespace misses iptables rules for floating ip.
Reviewed: https://review.openstack.org/526995
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0f08b2c625d9158e7dce80ff2d01ffd273e0d9c3
Submitter: Zuul
Branch: master
commit 0f08b2c625d9158e7dce80ff2d01ffd273e0d9c3
Author: zhsun <zhsun@xxxxxxxxxxxxx>
Date: Mon Dec 11 14:17:33 2017 +0800

    Add missing iptable rule in snat ns for centralized fips.

    The following iptable rule should be added to snat ns:
    "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat",
    or the snat rule will take effect instead of centralized fips
    when accessing to the outside for vms.

    Closes-Bug: #1735866
    Change-Id: I286283bfb4dbf935a34c5919ee0af5225e75fac9

** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1735866
Title:
Snat namespace misses iptables rules for floating ip.
Status in neutron:
Fix Released
Bug description:
The l3 agent mode is as follows:
Network: dvr_snat
Compute: dvr_no_external

1. Create a DVR. Then add an interface and a gateway to the DVR.
2. Create a vm and associate a floating ip with the vm.
3. Check the snat ns on the network nodes for the DVR.
4. The following iptables rule is missing from the snat namespace:
   "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat"

As a result, the snat rules take effect instead of the floating ip when
accessing the internet.

Adding the following code at [1] can fix this:

    self.snat_iptables_manager.ipv4['nat'].add_rule('snat',
                                                    '-j $float-snat')

[1] https://github.com/openstack/neutron/blob/master/neutron/agent/l3/dvr_edge_router.py#L197
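
A check for the condition this report describes, as an added example that is not part of the original message or of the neutron code base: it reads `iptables-save -t nat` output taken inside a snat namespace and reports whether the `neutron-l3-agent-snat` chain jumps to `neutron-l3-agent-float-snat`. It goes slightly beyond the report by also flagging a jump that sits after a source-NAT rule; the function names, sample rule sets, interface name and addresses are constructed for illustration.

```python
"""Audit a snat namespace's nat table for the jump named in bug 1735866."""
# Chain names come from the bug report; everything else here is illustrative.
SNAT_CHAIN = "neutron-l3-agent-snat"
FLOAT_CHAIN = "neutron-l3-agent-float-snat"
SOURCE_NAT_TARGETS = {"SNAT", "MASQUERADE"}  # terminating targets in the nat table


def chain_targets(dump, chain):
    """Yield the -j target of each rule appended to `chain`, in order."""
    for line in dump.splitlines():
        tokens = line.split()
        # Require "-A <chain>" and a "-j" that is followed by a target token.
        if tokens[:2] == ["-A", chain] and "-j" in tokens[2:-1]:
            yield tokens[tokens.index("-j") + 1]


def audit_snat_chain(dump):
    """Return 'ok', 'shadowed' (jump sits after a source-NAT rule) or 'missing'."""
    nat_rule_seen = False
    for target in chain_targets(dump, SNAT_CHAIN):
        if target == FLOAT_CHAIN:
            # Traffic matched by an earlier SNAT rule never reaches this jump.
            return "shadowed" if nat_rule_seen else "ok"
        nat_rule_seen = nat_rule_seen or target in SOURCE_NAT_TARGETS
    return "missing"


# Constructed rule sets in iptables-save format (interface and addresses are made up).
_HEAD = "*nat\n:neutron-l3-agent-float-snat - [0:0]\n:neutron-l3-agent-snat - [0:0]\n"
_SNAT_RULES = (
    "-A neutron-l3-agent-snat -o qg-example -j SNAT --to-source 203.0.113.10\n"
)
_JUMP = "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat\n"
_FLOAT = ("-A neutron-l3-agent-float-snat -s 10.0.0.5/32 "
          "-j SNAT --to-source 203.0.113.20\n")

BROKEN = _HEAD + _SNAT_RULES + _FLOAT + "COMMIT\n"            # state in the report
FIXED = _HEAD + _JUMP + _SNAT_RULES + _FLOAT + "COMMIT\n"     # jump evaluated first
SHADOWED = _HEAD + _SNAT_RULES + _JUMP + _FLOAT + "COMMIT\n"  # jump present, too late

if __name__ == "__main__":
    for name, dump in (("broken", BROKEN), ("fixed", FIXED), ("shadowed", SHADOWED)):
        print(name, "->", audit_snat_chain(dump))
```

On a network node the input would be the output of `ip netns exec <snat namespace> iptables-save -t nat`.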