On Sat, Jul 21, 2012 at 6:47 AM, Xu (Simon) Chen <xche...@gmail.com> wrote:
> Narayan,
>
> If you do net.bridge.bridge-nf-call-iptables = 0 on the network controller,
> does floating IP still work? For each tenant/network, a subnet is created,
> and the nova-network has a .1 gateway configured on the bridge with the vlan
> interface plugged in.
>
> The packets from VMs are actually sent to the bridge for NATting. But if you
> don't allow the bridges to call iptables, it might break public access
> altogether. Don't know, maybe I'm not understanding the sysctl flag
> correctly... Maybe it only applies to the packets transiting the bridge, not
> impacting the ones destined to the nova-network?
Do you mean floating (private) or fixed (public) IPs? I suspect that you mean fixed. Fixed IPs worked regardless of this setting.

The crux of the issue was that packets transiting the bridge (i.e. being moved from vlan200 to the virtual br200) were hitting filtering rules. It looks to me like the sysctls only apply to traffic moving across the bridge (i.e. exactly between vlan200 and br200), but don't bypass iptables entirely. I don't think that should affect NAT/SNAT in any case.

-nld

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
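The distinction the reply draws (the br_netfilter sysctls govern only frames forwarded across the bridge, while routed traffic through the .1 gateway and its NAT still traverses iptables) can be checked on a host with a small diagnostic. The script below is an added example, not code from the thread or from nova-network. It reads the three bridge-nf-call-* knobs from a sysctl root that defaults to /proc/sys but can be pointed at a constructed directory (the SYSCTL_ROOT variable is an assumption of this example, not a kernel interface), and says whether bridged VM-to-VM traffic across a bridge such as br200 will be handed to the iptables FORWARD chain.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). The net.bridge.bridge-nf-call-*
# sysctls decide whether frames forwarded *across* a bridge (e.g. from
# vlan200 to br200) are passed to iptables/ip6tables/arptables. Traffic that
# is routed through the bridge's .1 gateway address (nova-network NAT/SNAT)
# is unaffected by these knobs and always traverses iptables.
# SYSCTL_ROOT is an assumption of this example so the check can be run
# against a constructed directory; on a real host leave it at /proc/sys.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# read_sysctl NAME -> prints the knob's value, or "missing" when br_netfilter
# is not loaded (the files do not exist until the module is present)
read_sysctl() {
    f="$SYSCTL_ROOT/net/bridge/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# bridged_traffic_filtered -> exit 0 when bridged IPv4 frames go through
# the iptables FORWARD chain, 1 when they bypass it (or the knob is absent)
bridged_traffic_filtered() {
    [ "$(read_sysctl bridge-nf-call-iptables)" = "1" ]
}

# bridge_nf_report -> human-readable summary of the three call-* knobs and
# what they mean for VM traffic crossing the bridge
bridge_nf_report() {
    for k in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        printf '%s = %s\n' "$k" "$(read_sysctl "$k")"
    done
    if bridged_traffic_filtered; then
        echo "bridged frames traverse iptables FORWARD: VM-to-VM traffic across the bridge is subject to host filter rules"
    else
        echo "bridged frames bypass iptables: only routed traffic (the .1 gateway, NAT/SNAT) is filtered"
    fi
}

bridge_nf_report
```

Two caveats before flipping the sysctl to 0 fleet-wide. First, nova's iptables-based security groups on compute nodes filter guest traffic on exactly this bridged path, so they depend on bridge-nf-call-iptables staying at 1 there; the setting discussed in the thread belongs on the network controller, not everywhere. Second, if the goal is only to stop host FORWARD rules from dropping bridged frames while keeping routed traffic filtered, an alternative is to leave the sysctl at 1 and exempt bridged frames explicitly with the physdev match, e.g. `iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT`, which narrows the change to the traffic class that was actually being hit.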