On 02/04/2016 07:05 AM, Kamen Tarlov wrote:
Hello,
We have a single node installation with RDO Kilo release. Network configuration
consists of 2 private networks and one of them is floating. Networks are routed
just inside the node. The problem I'm facing is when I try to configure the
DNAT rules to reroute the traffic/ports to VM. Initially the traffic to VM works
fine until neutron reorders the rules on top:
Chain PREROUTING (policy ACCEPT)
target                       prot opt source    destination
neutron-openvswi-PREROUTING  all  --  anywhere  anywhere
nova-api-PREROUTING          all  --  anywhere  anywhere
Is there any way I can prevent this or set them with lower priority?
I guess my first question is, why are you manually adding DNAT rules? Why
aren't you letting Neutron manage iptables for the VMs? You would need to give
more information on the exact rule you are trying to add to help make things
clearer.
As a rule of thumb, it's a bad idea to try and add/remove iptables rules while
Neutron agents are running; you will eventually find yourself in a race
condition where rules are missing and things don't work. If you need to add a
rule, I would recommend doing it before the agents are started; that way it will
get left alone.
-Brian
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
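
A read-only check for the ordering question raised in this thread: it parses a saved `iptables -t nat -S PREROUTING` listing and reports, for each operator-added rule, which agent-managed jumps are evaluated before it. This is an added example, not code from either poster or from Neutron; the sample listing, its addresses and the prefix test for agent chains are assumptions.

```python
import shlex

# Assumption: agent-managed chains are recognised by name prefix, which
# matches the two chains quoted in the thread.
AGENT_PREFIXES = ("neutron-", "nova-")

# Constructed sample of `iptables -t nat -S PREROUTING` output. The DNAT
# rule and its documentation-range addresses are not from the thread.
SAMPLE = """\
-P PREROUTING ACCEPT
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.5:80
"""

def parse_rules(listing, chain="PREROUTING"):
    """Return (position, target, spec) for each -A rule of the chain."""
    rules = []
    for line in listing.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain]:
            continue  # skips the -P policy line, blanks and other chains
        target = None
        for flag in ("-j", "-g"):  # jump or goto target
            if flag in tokens and tokens.index(flag) + 1 < len(tokens):
                target = tokens[tokens.index(flag) + 1]
        rules.append((len(rules) + 1, target, line.strip()))
    return rules

def audit(listing, chain="PREROUTING"):
    """List operator rules with the agent jumps that precede them."""
    agent_seen, findings = [], []
    for pos, target, spec in parse_rules(listing, chain):
        if target and target.startswith(AGENT_PREFIXES):
            agent_seen.append(target)
        else:
            findings.append({"position": pos, "rule": spec,
                             "agent_chains_before": list(agent_seen)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["position"], f["rule"], "<-", f["agent_chains_before"])
```

Running it against listings saved before and after an agent restart shows whether a manually added rule kept its position.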