Hi Yong

No, the packet didn't go through the PREROUTING chain.
This is the iptables log:

Dec 12 12:04:16 nim20 kernel: [3090942.400310] FORWARDIN=brq5ed08abf-96
OUT=brq5ed08abf-96 PHYSIN=tapb9a5bbf7-ab PHYSOUT=tap4685e20a-82
MAC=fa:16:3e:9d:2d:6d:fa:16:3e:fd:f2:b6:08:00 SRC=10.1.0.4 DST=10.1.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38129 PROTO=ICMP TYPE=0 CODE=0 ID=29913
SEQ=334
Dec 12 12:04:17 nim20 kernel: [3090943.400074] FORWARDIN=brq5ed08abf-96
OUT=brq5ed08abf-96 PHYSIN=tap4685e20a-82 PHYSOUT=tapb9a5bbf7-ab
MAC=fa:16:3e:fd:f2:b6:fa:16:3e:9d:2d:6d:08:00 SRC=10.1.0.1 DST=10.1.0.4
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=29913
SEQ=335
Dec 12 12:04:17 nim20 kernel: [3090943.400314] FORWARDIN=brq5ed08abf-96
OUT=brq5ed08abf-96 PHYSIN=tapb9a5bbf7-ab PHYSOUT=tap4685e20a-82
MAC=fa:16:3e:9d:2d:6d:fa:16:3e:fd:f2:b6:08:00 SRC=10.1.0.4 DST=10.1.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38130 PROTO=ICMP TYPE=0 CODE=0 ID=29913
SEQ=335
Dec 12 12:04:18 nim20 kernel: [3090944.400077] FORWARDIN=brq5ed08abf-96
OUT=brq5ed08abf-96 PHYSIN=tap4685e20a-82 PHYSOUT=tapb9a5bbf7-ab
MAC=fa:16:3e:fd:f2:b6:fa:16:3e:9d:2d:6d:08:00 SRC=10.1.0.1 DST=10.1.0.4
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=29913
SEQ=336
Dec 12 12:04:18 nim20 kernel: [3090944.400302] FORWARDIN=brq5ed08abf-96
OUT=brq5ed08abf-96 PHYSIN=tapb9a5bbf7-ab PHYSOUT=tap4685e20a-82
MAC=fa:16:3e:9d:2d:6d:fa:16:3e:fd:f2:b6:08:00 SRC=10.1.0.4 DST=10.1.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38131 PROTO=ICMP TYPE=0 CODE=0 ID=29913
SEQ=336

Wednesday, December 12, 2012, gong yong sheng gong...@linux.vnet.ibm.com:

> Hi Nachi:
>
> I added some content into:
> https://docs.google.com/document/d/1hqcivTHnB7yrcs834CpM6XF6sUEdF98d0WGFctgtyMA/edit#
>
> they are sample nova instance iptables rules and ebtables rules.
>
>
> I think separating the rules into different chains is feasible.
> Besides the concerns on the review page,
> using the forward chain to prevent something coming out of a VM is a little bit too late.
> We should be able to filter them earlier in the prerouting chain.
>
> Another interesting thing is that nova (via libvirtd) is also using the NAT
> table to do it.
>
>
> Best regards,
> Yong Sheng Gong
>
>
-- 
Mailing list: https://launchpad.net/~quantum-core
Post to     : quantum-core@lists.launchpad.net
Unsubscribe : https://launchpad.net/~quantum-core
More help   : https://help.launchpad.net/ListHelp
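An added example, not code from this thread or from Quantum: a small Python parser for netfilter LOG lines like the ones above, to check from a log which chains a flow actually traversed. It assumes the rule's --log-prefix was "FORWARD" with no trailing space (hence the fused FORWARDIN= token), and the sample lines are the thread's two first entries rejoined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: the thread's lines rejoined onto single lines. The
# LOG prefix "FORWARD" is fused to "IN=" because --log-prefix had no
# trailing space, so the prefix must be split off the first IN= token.
SAMPLE_LOG = """\
Dec 12 12:04:16 nim20 kernel: [3090942.400310] FORWARDIN=brq5ed08abf-96 OUT=brq5ed08abf-96 PHYSIN=tapb9a5bbf7-ab PHYSOUT=tap4685e20a-82 MAC=fa:16:3e:9d:2d:6d:fa:16:3e:fd:f2:b6:08:00 SRC=10.1.0.4 DST=10.1.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38129 PROTO=ICMP TYPE=0 CODE=0 ID=29913 SEQ=334
Dec 12 12:04:17 nim20 kernel: [3090943.400074] FORWARDIN=brq5ed08abf-96 OUT=brq5ed08abf-96 PHYSIN=tap4685e20a-82 PHYSOUT=tapb9a5bbf7-ab MAC=fa:16:3e:fd:f2:b6:fa:16:3e:9d:2d:6d:08:00 SRC=10.1.0.1 DST=10.1.0.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=29913 SEQ=335
"""

LINE_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>\S*?)IN=(?P<rest>.*)")

def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=value fields."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for tok in ("IN=" + m.group("rest")).split():
        if "=" not in tok:
            rec["flags"].append(tok)  # bare flags such as DF
            continue
        key, val = tok.split("=", 1)
        if key in rec:  # a repeated key (second ID=) is the L4 header's,
            key = rec.get("PROTO", "L4") + "_" + key  # e.g. ICMP_ID
        rec[key] = val
    return rec

def is_bridged(rec):
    """Same bridge on IN and OUT plus physdev ports: the packet was switched
    between two tap ports on one bridge, not routed through the host."""
    return rec.get("IN") == rec.get("OUT") and "PHYSIN" in rec and "PHYSOUT" in rec

def chains_traversed(log_text, src, dst):
    """Count, per (LOG prefix, bridged/routed), the entries logged for packets
    from src to dst; the keys show which chains actually saw the flow."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec.get("SRC") == src and rec.get("DST") == dst:
            counts[(rec["prefix"], "bridged" if is_bridged(rec) else "routed")] += 1
    return counts

if __name__ == "__main__":
    for (chain, path), n in chains_traversed(SAMPLE_LOG, "10.1.0.1", "10.1.0.4").items():
        print(f"{chain or '<no prefix>'} ({path}): {n} packet(s)")
```

Run against a real log with a distinct prefix per logging rule (e.g. one in PREROUTING, one in FORWARD) and the keys of the returned Counter show which chains the VM-to-VM flow hit.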