yep ...
   I just found the security issue too. My fault, thank you! And sorry for it.


walterxj
From: Jorge Luiz Correa
Date: 2016-12-13 17:43
To: walterxj
CC: openstack
Subject: Re: [Openstack] instance's provider network ip can not be accessed from outside.

Hum, have you checked the security group rules? By default, all traffic
can go out from VMs, but we need to create some rules to pass traffic from
outside to VMs.

I'm just making a bet. Maybe this iptables rule is the rule that drops the
packets when there is no rule to pass them from outside to inside.

:)

- JLC

On Tue, Dec 13, 2016 at 6:55 AM, walterxj <walte...@gmail.com> wrote:

Hi,


  I'm following the guide of Newton with CentOS7
(http://docs.openstack.org/newton/install-guide-rdo/neutron.html), everything
seems OK but when I ping the vm's ip (in provider network) from a node (assume
nodeA) on the provider physical network, it returns unreachable. But nodeA can
reach the provider network's dhcp and gateway ip. Also the vm can reach dhcp
and gateway and nodeA's IP.

  After a long time of research I found that the problem resulted from the
compute-node's iptables:

There is an iptables chain for each bridge, just like:

    -A neutron-linuxbri-i7f605f37-f -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback

When I delete this chain, the vm's provider network ip can be reached!
Everything works well. Is this a bug or have I misconfigured something? Any
advice is appreciated!


walterxj

_______________________________________________

Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Post to     : openstack@lists.openstack.org

Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
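
The behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python walk-through of a per-port ingress chain, showing why new ICMP is dropped without a security group rule, and that removing the fallback jump lets all unmatched ingress through rather than just ping. Every rule line except the quoted fallback jump is constructed for illustration, and the matcher only understands `-p` and `--state`.

```python
import shlex

PORT = "neutron-linuxbri-i7f605f37-f"  # chain name quoted in the thread
# Constructed iptables-save excerpt; only the fallback jump is taken from the thread.
RULES = """\
-A neutron-linuxbri-i7f605f37-f -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i7f605f37-f -m state --state INVALID -j DROP
-A neutron-linuxbri-i7f605f37-f -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
"""
# Constructed line standing in for what an ICMP ingress security group rule adds.
ICMP_ALLOW = "-A neutron-linuxbri-i7f605f37-f -p icmp -j RETURN\n"

def parse(text):
    """Return {chain: [(match, target), ...]}, keeping only -p and --state matches."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        nxt = dict(zip(tok[2:], tok[3:]))  # option -> the token that follows it
        match = {"proto": nxt.get("-p"),
                 "states": set(nxt.get("--state", "").split(",")) - {""}}
        chains.setdefault(tok[1], []).append((match, nxt["-j"]))
    return chains

def verdict(chains, chain, proto, state):
    """Walk one packet through `chain`. RETURN from the port chain means allowed."""
    for match, target in chains.get(chain, []):
        if match["proto"] not in (None, proto):
            continue
        if match["states"] and state not in match["states"]:
            continue
        if target in ("RETURN", "ACCEPT", "DROP"):
            return target
        sub = verdict(chains, target, proto, state)  # jump into a user chain
        if sub != "RETURN":
            return sub  # terminal verdict; otherwise resume in this chain
    return "RETURN"  # fell off the end: control goes back to the caller

def demo():
    no_fallback = "\n".join(l for l in RULES.splitlines()
                            if "-j neutron-linuxbri-sg-fallback" not in l)
    return {
        "default, new icmp": verdict(parse(RULES), PORT, "icmp", "NEW"),
        "default, reply traffic": verdict(parse(RULES), PORT, "icmp", "ESTABLISHED"),
        "icmp rule, new icmp": verdict(parse(ICMP_ALLOW + RULES), PORT, "icmp", "NEW"),
        "icmp rule, new tcp": verdict(parse(ICMP_ALLOW + RULES), PORT, "tcp", "NEW"),
        "fallback deleted, new tcp": verdict(parse(no_fallback), PORT, "tcp", "NEW"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} {result}")
```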




