That looks like a support request rather than a bug.

You should not add iptables rules directly to neutron namespaces, because 
they're managed by neutron.
There's no guarantee that that manually added rule will persist.

You should be doing this via security groups or floatingips using
neutron API.

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1514769

Title:
  qrouter loosing iptable entry after certain frequency.

Status in neutron:
  Invalid

Bug description:
  Hi Everyone,

  We have made iptable entry to qrouter for getting access outside
  public instances but we found qrouter is losing iptable entry after
  some time; because of that, instances are losing connection between
  outside instance.

  We are using DevStack stable/liberty

  
  After adding iptable Rule
  ====================
  $ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 iptables -I neutron-l3-agent-snat -t nat -d 10.30.0.0/24 -j RETURN

  $ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 sudo iptables -t nat -L --line-numbers
  Chain PREROUTING (policy ACCEPT)
  num  target     prot opt source               destination
  1    neutron-l3-agent-PREROUTING  all  --  anywhere             anywhere
  2    DNAT       tcp  --  ubuntu492e9c.ubuntusjc.com  anywhere             tcp dpt:3000 to:10.20.0.115:3000
  3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:3000 to:10.20.0.124:3000

  Chain INPUT (policy ACCEPT)
  num  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  num  target     prot opt source               destination
  1    neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere

  Chain POSTROUTING (policy ACCEPT)
  num  target     prot opt source               destination
  1    neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere
  2    neutron-postrouting-bottom  all  --  anywhere             anywhere

  Chain neutron-l3-agent-OUTPUT (1 references)
  num  target     prot opt source               destination
  1    DNAT       all  --  anywhere             172.24.4.129         to:10.20.0.125
  2    DNAT       all  --  anywhere             172.24.4.130         to:10.20.0.126
  3    DNAT       all  --  anywhere             172.24.4.131         to:10.20.0.127

  Chain neutron-l3-agent-POSTROUTING (1 references)
  num  target     prot opt source               destination
  1    ACCEPT     all  --  anywhere             anywhere             ! ctstate DNAT

  Chain neutron-l3-agent-PREROUTING (1 references)
  num  target     prot opt source               destination
  1    REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697
  2    DNAT       all  --  anywhere             172.24.4.129         to:10.20.0.125
  3    DNAT       all  --  anywhere             172.24.4.130         to:10.20.0.126
  4    DNAT       all  --  anywhere             172.24.4.131         to:10.20.0.127

  Chain neutron-l3-agent-float-snat (1 references)
  num  target     prot opt source               destination
  1    SNAT       all  --  10.20.0.125          anywhere             to:172.24.4.129
  2    SNAT       all  --  10.20.0.126          anywhere             to:172.24.4.130
  3    SNAT       all  --  10.20.0.127          anywhere             to:172.24.4.131

  Chain neutron-l3-agent-snat (1 references)
  num  target     prot opt source               destination
  1    RETURN     all  --  anywhere             10.30.0.0/24
  2    neutron-l3-agent-float-snat  all  --  anywhere             anywhere
  3    SNAT       all  --  anywhere             anywhere             to:172.24.4.3
  4    SNAT       all  --  anywhere             anywhere             mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.3

  Chain neutron-postrouting-bottom (1 references)
  num  target     prot opt source               destination
  1    neutron-l3-agent-snat  all  --  anywhere             anywhere             /* Perform source NAT on outgoing traffic. */

  
  After some time
  =============

  $ sudo ip netns exec qrouter-b74e8aec-2d7d-4f4f-823e-bc12ae0040e4 sudo iptables -t nat -L --line-numbers
  Chain PREROUTING (policy ACCEPT)
  num  target     prot opt source               destination
  1    neutron-l3-agent-PREROUTING  all  --  anywhere             anywhere
  2    DNAT       tcp  --  ubuntu492e9c.ubuntussjc.com  anywhere             tcp dpt:3000 to:10.20.0.115:3000
  3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:3000 to:10.20.0.124:3000

  Chain INPUT (policy ACCEPT)
  num  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  num  target     prot opt source               destination
  1    neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere

  Chain POSTROUTING (policy ACCEPT)
  num  target     prot opt source               destination
  1    neutron-l3-agent-POSTROUTING  all  --  anywhere             anywhere
  2    neutron-postrouting-bottom  all  --  anywhere             anywhere

  Chain neutron-l3-agent-OUTPUT (1 references)
  num  target     prot opt source               destination
  1    DNAT       all  --  anywhere             172.24.4.129         to:10.20.0.125
  2    DNAT       all  --  anywhere             172.24.4.130         to:10.20.0.126
  3    DNAT       all  --  anywhere             172.24.4.131         to:10.20.0.127

  Chain neutron-l3-agent-POSTROUTING (1 references)
  num  target     prot opt source               destination
  1    ACCEPT     all  --  anywhere             anywhere             ! ctstate DNAT

  Chain neutron-l3-agent-PREROUTING (1 references)
  num  target     prot opt source               destination
  1    REDIRECT   tcp  --  anywhere             169.254.169.254      tcp dpt:http redir ports 9697
  2    DNAT       all  --  anywhere             172.24.4.129         to:10.20.0.125
  3    DNAT       all  --  anywhere             172.24.4.130         to:10.20.0.126
  4    DNAT       all  --  anywhere             172.24.4.131         to:10.20.0.127

  Chain neutron-l3-agent-float-snat (1 references)
  num  target     prot opt source               destination
  1    SNAT       all  --  10.20.0.125          anywhere             to:172.24.4.129
  2    SNAT       all  --  10.20.0.126          anywhere             to:172.24.4.130
  3    SNAT       all  --  10.20.0.127          anywhere             to:172.24.4.131

  Chain neutron-l3-agent-snat (1 references)
  num  target     prot opt source               destination
  1    neutron-l3-agent-float-snat  all  --  anywhere             anywhere
  2    SNAT       all  --  anywhere             anywhere             to:172.24.4.3
  3    SNAT       all  --  anywhere             anywhere             mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.3

  Chain neutron-postrouting-bottom (1 references)
  num  target     prot opt source               destination
  1    neutron-l3-agent-snat  all  --  anywhere             anywhere             /* Perform source NAT on outgoing traffic. */
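
Added example, not part of the original report and not neutron code: a small Python comparison of two `iptables -t nat -L --line-numbers` listings that reports which rules appeared or disappeared in the agent-managed chains, ignoring rule renumbering and mail-wrapped lines. The sample listings are constructed excerpts of the ones above; treating every chain whose name starts with `neutron-` as agent-managed is an assumption taken from those listings, and the function names are hypothetical.

```python
import re
from collections import Counter
# Constructed excerpts modelled on the neutron-l3-agent-snat chain in the report.
BEFORE = """\
Chain neutron-l3-agent-snat (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             10.30.0.0/24
2    neutron-l3-agent-float-snat  all  --  anywhere             anywhere
3    SNAT       all  --  anywhere             anywhere
to:172.24.4.3
"""
AFTER = """\
Chain neutron-l3-agent-snat (1 references)
num  target     prot opt source               destination
1    neutron-l3-agent-float-snat  all  --  anywhere             anywhere
2    SNAT       all  --  anywhere             anywhere             to:172.24.4.3
"""

def parse_listing(text):
    """Return {chain: [rule, ...]} with rule numbers and column padding removed."""
    chains, rules = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        chain = re.match(r"Chain (\S+) \(", line)
        rule = re.match(r"\d+ (.+)", line)
        if chain:
            rules = chains.setdefault(chain.group(1), [])
        elif rules is None or not line or line.startswith("num "):
            continue
        elif rule:
            rules.append(rule.group(1))
        elif rules:
            rules[-1] += " " + line  # mail-wrapped tail of the previous rule
    return chains

def managed_chain_drift(before, after, prefix="neutron-"):
    """List (chain, change, rule) differences in chains whose name starts with prefix."""
    old, new = parse_listing(before), parse_listing(after)
    findings = []
    for chain in sorted(set(old) | set(new)):
        if chain.startswith(prefix):  # assumption: neutron-* chains are agent-managed
            was, now = Counter(old.get(chain, [])), Counter(new.get(chain, []))
            findings += [(chain, "removed", r) for r in (was - now).elements()]
            findings += [(chain, "added", r) for r in (now - was).elements()]
    return findings

if __name__ == "__main__":
    for chain, change, rule in managed_chain_drift(BEFORE, AFTER):
        print(f"{chain}: {change}: {rule}")
```

Run against periodic captures from a router namespace, a "removed" finding in a `neutron-` chain points to a rule that was added outside the neutron API and later dropped.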
