That's right
Not redone every time, but updated and checked non-stop
When you restart the services then yes, everything is flushed and redone, so if you manually enter some iptables rules, they won't persist afterwards :)

Razique Mahroua - Nuage & Co
Tel : +33 9 72 37 94 15


On 3 Sept. 2013 at 19:31, Craig E. Ward <cw...@isi.edu> wrote:

Razique,

Thanks for the response.

If I understand you correctly, you're saying that the iptables rules are redone by nova-compute or the quantum agents every time a network is added or removed and because of that, static rules will be lost. Is that correct?

The installation I'm working with provides pre-configured networks for instances to use. If the available networks are stable, should not the static rules survive?

Craig

On 08/29/2013 03:36 PM, Razique Mahroua wrote:
That means you shouldn't use iptables for your custom rules since OpenStack
manages iptables and every time the network is updated, iptables is impacted. If
you restart nova-network for instance, then all the iptables rules are flushed
and recreated according to your network topology.
The iptables service doesn't need to be turned off (is that even possible?),
just make sure not to create routing rules manually that might conflict with the
rules OpenStack sets :)

Razique Mahroua - Nuage & Co
razique.mahr...@gmail.com
Tel : +33 9 72 37 94 15


On 28 Aug. 2013 at 19:08, Craig E. Ward <cw...@isi.edu> wrote:

I have an OpenStack Folsom installation with Quantum networking, and I'm
having trouble getting additional rules into iptables on the nova-compute
nodes. The online manual
(http://docs.openstack.org/trunk/openstack-ops/content/iptables.html) states
that "You must use OpenStack to manage iptables." What it doesn't include is
any indication of how that is done. How can iptables be managed with OpenStack?

When I add rules to the file /etc/sysconfig/iptables, sometimes the
nova-compute service fails to work properly. A new instance on the node may
not get an IP address or the vnc service in Horizon does not respond. The
instance is listed in the database with an assigned IP, but the address is not
reachable.

Does the iptables service need to be "off" in the context of chkconfig? That
is, don't let it start through the rc sequence, but let nova-compute start it
and populate the rules?

If iptables is started in the rc sequence, then are there some rules that
should not be in /etc/sysconfig/iptables?

If the rc sequence is not used, how do ports unrelated to OpenStack services
get enabled?

Does the default response for a packet sent to a non-OpenStack-related port drop
the packet or let it pass?

Thanks,

Craig


--
Craig E. Ward
Information Sciences Institute
University of Southern California
cw...@isi.edu


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


--
Craig E. Ward
Information Sciences Institute
University of Southern California
cw...@isi.edu




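The thread above turns on one practical question: which iptables rules on a nova-compute node does OpenStack own, and which hand-added rules are still there after nova-network or the Quantum agents have rewritten the tables? The script below is an added example (not OpenStack code, not from either poster) that parses two `iptables-save` snapshots, taken before and after a service restart, classifies each rule as OpenStack-managed or custom, and lists the custom rules that vanished. It assumes OpenStack's chains are the ones named with a `nova-` or `quantum-` prefix; confirm the prefixes on your own nodes with `iptables-save | grep '^:'` before trusting the classification. The two snapshots embedded in the block are constructed sample data, not output captured from the poster's installation.

```python
"""Audit which iptables rules OpenStack owns and which custom rules were lost.

Usage on a real node:
    iptables-save > /tmp/before.rules
    service nova-network restart      # or the Quantum agent you use
    iptables-save > /tmp/after.rules
    python iptables_audit.py /tmp/before.rules /tmp/after.rules
"""
import re
import sys

# Assumption: nova-network and the Quantum agents name the chains they
# create with these prefixes. Verify with: iptables-save | grep '^:'
MANAGED_PREFIXES = ("nova-", "quantum-")

# iptables-save emits every rule as "-A <chain> <rule spec>"
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


def parse_iptables_save(text):
    """Return {table: [(chain, rule_spec), ...]} from iptables-save output.

    Comment lines, ":CHAIN policy [pkts:bytes]" declarations and COMMIT
    markers are skipped; only concrete rules are kept, grouped by table.
    """
    tables = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*filter", "*nat", ...
            table = line[1:]
            tables.setdefault(table, [])
            continue
        if line == "COMMIT" or line.startswith(":"):
            continue
        m = RULE_RE.match(line)
        if m and table is not None:
            tables[table].append((m.group(1), m.group(2)))
    return tables


def is_managed(chain, rule_spec):
    """A rule is OpenStack-managed if it lives in an OpenStack chain or
    is the jump from a built-in chain (INPUT, FORWARD, ...) into one."""
    if chain.startswith(MANAGED_PREFIXES):
        return True
    m = re.search(r"-j\s+(\S+)", rule_spec)
    return bool(m and m.group(1).startswith(MANAGED_PREFIXES))


def custom_rules(text):
    """Set of (table, chain, rule_spec) for rules OpenStack does not own."""
    return {(t, c, r)
            for t, rules in parse_iptables_save(text).items()
            for c, r in rules if not is_managed(c, r)}


def lost_custom_rules(before, after):
    """Custom rules present in the first snapshot but missing from the second."""
    return sorted(custom_rules(before) - custom_rules(after))


# Constructed sample snapshot: OpenStack chains plus a few hand-added INPUT rules.
BEFORE = """\
# Generated by iptables-save (constructed sample, not real node output)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-FORWARD - [0:0]
:nova-compute-local - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A nova-compute-INPUT -d 10.0.0.1/32 -p udp -m udp --dport 67 -j ACCEPT
-A nova-filter-top -j nova-compute-local
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:nova-compute-PREROUTING - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
COMMIT
"""

# Constructed "after restart" snapshot: same managed rules, but the
# hand-added 8443 rule is gone, mimicking a flush-and-recreate.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "8443" not in l) + "\n"


def report(before, after):
    """Human-readable summary for the two snapshots."""
    lines = ["custom rules before: %d" % len(custom_rules(before)),
             "custom rules after:  %d" % len(custom_rules(after))]
    for table, chain, spec in lost_custom_rules(before, after):
        lines.append("LOST  table=%s chain=%s  %s" % (table, chain, spec))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        b, a = (open(p).read() for p in sys.argv[1:3])
    else:
        b, a = BEFORE, AFTER
    print(report(b, a))
```

Run it with the two snapshot files to see exactly which of your static rules did not survive; anything reported as LOST is a rule you should carry in whatever mechanism you choose for persistence rather than expecting it to ride along with the OpenStack-generated chains. Rules that sit in a `nova-` or `quantum-` chain, or jump into one, are deliberately excluded from the diff because OpenStack is expected to rewrite those.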
