On 5/14/15 12:55 PM, Antonio Messina wrote:
On Thu, May 14, 2015 at 6:19 PM, Andrew Bogott <[email protected]> wrote:
OK, we've made some progress with this -- the solution seems to involve
changing my dmz_cidr setting and switching our bridge to promiscuous mode.
I don't have any dmz_cidr option in my nova.conf, so I don't know if
it's relevant.
My bridges, instead, are all in promiscuous mode (I forgot about
that). I don't remember the details but I kind of remember it was needed.
However -- I'm now unclear on whether this will fix all routing, or just
routing between instances that have floating IPs assigned (I have lots of
both.) Antonio, do all cases work? Or do you have floating ips assigned to
everything?
I'm pretty sure it will not work if the source VM doesn't have a
floating IP. The problem is, I think, that SNAT is usually performed
only to packets leaving the controller node on the public interface:
Argh! OK, that means that 'fixing' this issue will only make behavior
less consistent for my users. I guess I have to fix this in DNS instead :(
iptables -t nat -A nova-network-snat -s 10.65.4.0/22 -o eth3 -j SNAT --to-source <public-ip-of-controller>
(this is the SNAT rule I have on my controller)
therefore, a packet
<fixed-ip-vm-A> => <floating-ip-vm-B>
is rewritten with a DNAT only, becoming:
<fixed-ip-vm-A> => <fixed-ip-vm-B>
This packet will reach vm-B that will answer with
<fixed-ip-vm-B> => <fixed-ip-vm-A>
which is not recognized by vm-B as part of any connection it
initiated.
Maybe you could try to manually add an additional rule like:
iptables -t nat -A nova-network-snat -s 10.65.4.0/22 -o br100 -j SNAT --to-source <public-ip-of-controller>
but I don't know if I'm missing something. Last time I had to fix this
I spent some time with pen and paper trying to sketch the flow of
packets through the iptables rules :)
.a.
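A toy model of the packet flow Antonio sketches above, added here as an illustration and not code from the thread or from nova-network. It assumes that the controller applies DNAT (floating to fixed) and, optionally, the extra '-o br100' SNAT rule, and that a reply addressed to another fixed IP is switched directly over br100 without passing through the controller's nat table; all addresses are constructed.

```python
from dataclasses import dataclass

# Constructed sample addressing; the real values are site-specific.
FIXED_NET = "10.65.4."                              # the -s 10.65.4.0/22 network in the rule
CONTROLLER_PUBLIC = "203.0.113.1"                   # <public-ip-of-controller>
FLOATING_TO_FIXED = {"203.0.113.20": "10.65.4.20"}  # <floating-ip-vm-B> -> <fixed-ip-vm-B>
VM_A_FIXED = "10.65.4.10"                           # <fixed-ip-vm-A>


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def controller_nat(pkt: Packet, conntrack: dict, snat_on_bridge: bool) -> Packet:
    """Model of the controller's nat table: DNAT floating->fixed always;
    SNAT only if the packet leaves on an interface that has a nova-network-snat rule."""
    dst = FLOATING_TO_FIXED.get(pkt.dst, pkt.dst)
    src = pkt.src
    if snat_on_bridge and src.startswith(FIXED_NET):
        src = CONTROLLER_PUBLIC                     # the extra '-o br100' SNAT rule
    out = Packet(src, dst)
    conntrack[(out.dst, out.src)] = pkt             # remember how to undo it on the reply
    return out


def deliver_reply(reply: Packet, conntrack: dict) -> Packet:
    """vm-B's reply passes back through the controller only when it is addressed
    to the controller; a reply to another fixed IP is switched directly over
    br100, so the controller never gets to reverse the DNAT."""
    if reply.dst.startswith(FIXED_NET):
        return reply
    orig = conntrack[(reply.src, reply.dst)]
    return Packet(orig.dst, orig.src)


def vm_a_gets_matching_reply(snat_on_bridge: bool) -> bool:
    """Replay the <fixed-ip-vm-A> => <floating-ip-vm-B> exchange from the thread
    and report whether vm-A can match the reply to the connection it opened."""
    conntrack: dict = {}
    sent = Packet(VM_A_FIXED, "203.0.113.20")
    at_b = controller_nat(sent, conntrack, snat_on_bridge)
    reply = Packet(at_b.dst, at_b.src)              # vm-B answers whatever it saw
    seen_by_a = deliver_reply(reply, conntrack)
    # vm-A expects exactly the swapped addresses of the packet it sent
    return seen_by_a == Packet(sent.dst, sent.src)
```

Note the trade-off the model makes visible: with the bridge SNAT rule in place, vm-B sees the controller's public IP as its peer, so per-source security group rules and logs on vm-B no longer show which instance actually connected.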
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack