Reviewed:  https://review.openstack.org/526995
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0f08b2c625d9158e7dce80ff2d01ffd273e0d9c3
Submitter: Zuul
Branch:    master

commit 0f08b2c625d9158e7dce80ff2d01ffd273e0d9c3
Author: zhsun <[email protected]>
Date:   Mon Dec 11 14:17:33 2017 +0800

    Add missing iptable rule in snat ns for centralized fips.

    The following iptable rule should be added to snat ns:
    "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat", or the
    snat rule will take effect instead of centralized fips when
    accessing to the outside for vms.

    Closes-Bug: #1735866
    Change-Id: I286283bfb4dbf935a34c5919ee0af5225e75fac9

** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1735866

Title:
  Snat namespace misses iptables rules for floating ip.

Status in neutron:
  Fix Released

Bug description:
  The l3 agent mode is as follows:
  Network: dvr_snat
  Compute: dvr_no_external

  1. Create a DVR. Then add interface and gateway to the DVR.
  2. Create a vm and associate a floating ip to the vm.
  3. Check snat ns on network nodes for the DVR.
  4. the following iptables rule is missed in the snat namespace:
     "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat"

  This results in that snat rules will work instead of floating ip when
  accessing to the internet.

  Adding following code at [1] can fix this:

      self.snat_iptables_manager.ipv4['nat'].add_rule('snat', '-j $float-snat')

  [1] https://github.com/openstack/neutron/blob/master/neutron/agent/l3/dvr_edge_router.py#L197
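An added example, not part of the bug report or of neutron's code: a check an operator could run over `iptables-save -t nat` output taken inside the snat namespace to confirm the jump named in the report is present. It goes one step beyond the report by also flagging a jump placed after an SNAT rule in the same chain; the rule dumps, addresses and the `qg-EXAMPLE` interface are constructed sample data.

```python
import shlex

SNAT_CHAIN = "neutron-l3-agent-snat"
FLOAT_CHAIN = "neutron-l3-agent-float-snat"

def chain_targets(save_output, chain):
    """Return the -j targets of the rules appended to `chain`, in rule order."""
    targets = []
    for line in save_output.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain]:
            continue  # table header, chain declaration, COMMIT or another chain
        for flag in ("-j", "--jump"):
            if flag in tokens[2:-1]:
                targets.append(tokens[tokens.index(flag, 2) + 1])
                break
    return targets

def audit_snat_namespace(save_output):
    """'ok', 'missing' (the state in the report) or 'shadowed' (jump after SNAT)."""
    targets = chain_targets(save_output, SNAT_CHAIN)
    if FLOAT_CHAIN not in targets:
        return "missing"
    if "SNAT" in targets[:targets.index(FLOAT_CHAIN)]:
        return "shadowed"  # SNAT is terminating, so the jump is never reached
    return "ok"

# Constructed sample dumps (assumed shape of the namespace's nat table).
_HEAD = """*nat
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
"""
_JUMP = "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat\n"
_SNAT = "-A neutron-l3-agent-snat -o qg-EXAMPLE -j SNAT --to-source 203.0.113.5\n"

BROKEN = _HEAD + _SNAT + "COMMIT\n"           # before the fix: no jump
FIXED = _HEAD + _JUMP + _SNAT + "COMMIT\n"    # jump evaluated first
SHADOWED = _HEAD + _SNAT + _JUMP + "COMMIT\n" # jump present but unreachable

if __name__ == "__main__":
    for name, dump in (("broken", BROKEN), ("fixed", FIXED), ("shadowed", SHADOWED)):
        print(name, audit_snat_namespace(dump))
```

On a network node the input would come from `ip netns exec snat-<router-id> iptables-save -t nat`, with `<router-id>` standing in for the router's UUID.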

