Hello Ian,

Found some anti-spoofing rules in the ebtables (ebtables -t nat -L) of the compute-host where my router VM is located. These rules are automatically generated by libvirt for each VM and are usually generated from a preset of rules (anti-ip-spoofing.xml). Disabling this rule didn't help as I found later that there are some iptables chains also on the compute host that did some anti-spoofing filtering (iptables -t filter -L). So one needs to disable the libvirt anti-ip-spoofing and the iptables anti-spoofing. I disabled the libvirt anti-ip-spoofing by removing the filter from nova-base (virsh nwfilter-edit nova-base) and manually added a rule to iptables.

Thanks a lot.
Abbass.

> Randy has it spot on. The antispoofing rules prevent you from doing this
> in Neutron. Clearly a router transmits traffic that isn't from it, and
> receives traffic that isn't addressed to it - and the port filtering
> discards them.
>
> You can disable them for the entire cloud by judiciously tweaking the Nova
> config settings, or if you're using the Nicira plugin you'll find it has
> extensions for modifying firewall behaviour (they could do with porting
> around, or even becoming core, but at the moment they're Nicira-specific).
> --
> Ian.
>
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev