OK, that sounds good... I was talking about fixed IP to floating IP SNAT, which happens on the bridge interfaces. But if the sysctl flag only affects transiting packets, we should be good...
-Simon

On Sat, Jul 21, 2012 at 8:15 AM, Narayan Desai <narayan.de...@gmail.com> wrote:
> On Sat, Jul 21, 2012 at 6:47 AM, Xu (Simon) Chen <xche...@gmail.com> wrote:
> > Narayan,
> >
> > If you do net.bridge.bridge-nf-call-iptables = 0 on the network controller,
> > does floating IP still work? For each tenant/network, a subnet is created,
> > and the nova-network has a .1 gateway configured on the bridge with the vlan
> > interface plugged in.
> >
> > The packets from VMs are actually sent to the bridge for NATting. But if you
> > don't allow the bridges to call iptables, it might break public access
> > altogether. Don't know, maybe I'm not understanding the sysctl flag
> > correctly... Maybe it only applies to the packets transiting the bridge, not
> > impacting the ones destined to the nova-network?
>
> Do you mean floating (private) or fixed (public) IPs? I suspect that
> you mean fixed. Fixed IPs worked regardless of this setting.
>
> The crux of the issue was that packets transiting the bridge (i.e. being
> moved from vlan200 to the virtual br200) were hitting filtering rules.
> It looks to me like the sysctls only apply to traffic moving across
> the bridge (i.e. exactly between vlan200 and br200), but don't bypass
> iptables entirely. I don't think that should affect NAT/SNAT in any
> case.
> -nld