Hi Alex,

a spoof filter is set by default to avoid that a VM can send packets whose source address is different from the VM's address. There's no option to change that.

cheers,
Rossella

On 09/25/2014 10:59 PM, Alexandre Levine wrote:
> Hi All,
>
> I'm looking for a way to set port_filter flag to False for port binding.
> Is there a way to do this in IceHouse or in current Juno code? I use
> devstack with the default ML2 plugin and configuration.
>
> According to this guide
> (http://docs.openstack.org/api/openstack-network/2.0/content/binding_ext_ports.html)
> it should be done via binding:profile but it gets only recorded in the
> dictionary of binding:profile and doesn't get reflected in vif_details
> as supposed to.
>
> I tried to find any code in Neutron that can potentially do this
> transferring from incoming binding:profile into binding:vif_details and
> found none.
>
> I'd be very grateful if anybody can point me in the right direction.
>
> And by the by the reason I'm trying to do this is because I want to use
> one instance as NAT for another one in private subnet. As a result of
> ping 8.8.8.8 from private instance to NAT instance the reply gets
> Dropped by the security rule in iptables on TAP interface of NAT
> instance because the source is different from the NAT instance IP. So I
> suppose that port_filter is responsible for this behavior and will
> remove this restriction in iptables.
>
> Best regards,
> Alex Levine
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
