[Yahoo-eng-team] [Bug 1925498] Re: SNAT is not working

Mon, 02 Dec 2024 17:30:21 -0800 

As there has been no updates for a few years, and Linuxbridge is
considered experimental, I'm going to close this bug. Please re-open if
necessary.

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1925498

Title:
  SNAT is not working

Status in neutron:
  Invalid

Bug description:
  Centos 8.3, Openstack Ussuri.
  I have 3 controllers node and 2 network nodes.
  I'm using self-service network with linuxbridge.
  The SNAT is not working. A tcpdump (in the destination) shows that the ip is 
not being masquerade. If I assing a floating IP, everything works.
  Here is the router iptables:
  # Generated by iptables-save v1.8.4 on Thu Apr 22 09:30:43 2021
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :neutron-filter-top - [0:0]
  :neutron-l3-agent-FORWARD - [0:0]
  :neutron-l3-agent-INPUT - [0:0]
  :neutron-l3-agent-OUTPUT - [0:0]
  :neutron-l3-agent-local - [0:0]
  :neutron-l3-agent-scope - [0:0]
  -A INPUT -j neutron-l3-agent-INPUT
  -A FORWARD -j neutron-filter-top
  -A FORWARD -j neutron-l3-agent-FORWARD
  -A OUTPUT -j neutron-filter-top
  -A OUTPUT -j neutron-l3-agent-OUTPUT
  -A neutron-filter-top -j neutron-l3-agent-local
  -A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
  -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
  -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
  -A neutron-l3-agent-scope -o qr-ba03dc8a-87 -m mark ! --mark 
0x4010000/0xffff0000 -j DROP
  COMMIT
  # Completed on Thu Apr 22 09:30:43 2021
  # Generated by iptables-save v1.8.4 on Thu Apr 22 09:30:43 2021
  *mangle
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :neutron-l3-agent-FORWARD - [0:0]
  :neutron-l3-agent-INPUT - [0:0]
  :neutron-l3-agent-OUTPUT - [0:0]
  :neutron-l3-agent-POSTROUTING - [0:0]
  :neutron-l3-agent-PREROUTING - [0:0]
  :neutron-l3-agent-float-snat - [0:0]
  :neutron-l3-agent-floatingip - [0:0]
  :neutron-l3-agent-mark - [0:0]
  :neutron-l3-agent-scope - [0:0]
  -A PREROUTING -j neutron-l3-agent-PREROUTING
  -A INPUT -j neutron-l3-agent-INPUT
  -A FORWARD -j neutron-l3-agent-FORWARD
  -A OUTPUT -j neutron-l3-agent-OUTPUT
  -A POSTROUTING -j neutron-l3-agent-POSTROUTING
  -A neutron-l3-agent-POSTROUTING -o qg-33922118-c1 -m connmark --mark 
0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000
  -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-mark
  -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope
  -A neutron-l3-agent-PREROUTING -m connmark ! --mark 0x0/0xffff0000 -j 
CONNMARK --restore-mark --nfmask 0xffff0000 --ctmask 0xffff0000
  -A neutron-l3-agent-PREROUTING -j neutron-l3-agent-floatingip
  -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp 
--dport 80 -j MARK --set-xmark 0x1/0xffff
  -A neutron-l3-agent-float-snat -m connmark --mark 0x0/0xffff0000 -j CONNMARK 
--save-mark --nfmask 0xffff0000 --ctmask 0xffff0000
  -A neutron-l3-agent-mark -i qg-33922118-c1 -j MARK --set-xmark 0x2/0xffff
  -A neutron-l3-agent-scope -i qr-ba03dc8a-87 -j MARK --set-xmark 
0x4010000/0xffff0000
  -A neutron-l3-agent-scope -i qg-33922118-c1 -j MARK --set-xmark 
0x4010000/0xffff0000
  COMMIT
  # Completed on Thu Apr 22 09:30:43 2021
  # Generated by iptables-save v1.8.4 on Thu Apr 22 09:30:43 2021
  *nat
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :neutron-l3-agent-OUTPUT - [0:0]
  :neutron-l3-agent-POSTROUTING - [0:0]
  :neutron-l3-agent-PREROUTING - [0:0]
  :neutron-l3-agent-float-snat - [0:0]
  :neutron-l3-agent-snat - [0:0]
  :neutron-postrouting-bottom - [0:0]
  -A PREROUTING -j neutron-l3-agent-PREROUTING
  -A POSTROUTING -j neutron-l3-agent-POSTROUTING
  -A POSTROUTING -j neutron-postrouting-bottom
  -A OUTPUT -j neutron-l3-agent-OUTPUT
  -A neutron-l3-agent-POSTROUTING ! -o qg-33922118-c1 -m conntrack ! --ctstate 
DNAT -j ACCEPT
  -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp 
--dport 80 -j REDIRECT --to-ports 9697
  -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
  -A neutron-l3-agent-snat -o qg-33922118-c1 -m connmark --mark 
0x4010000/0xffff0000 -j ACCEPT
  -A neutron-l3-agent-snat -o qg-33922118-c1 -j SNAT --to-source X.X.X.X 
--random-fully
  -A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate 
DNAT -j SNAT --to-source X.X.X.X --random-fully
  -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on 
outgoing traffic." -j neutron-l3-agent-snat
  COMMIT
  # Completed on Thu Apr 22 09:30:43 2021
  # Generated by iptables-save v1.8.4 on Thu Apr 22 09:30:43 2021
  *raw
  :PREROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :neutron-l3-agent-OUTPUT - [0:0]
  :neutron-l3-agent-PREROUTING - [0:0]
  -A PREROUTING -j neutron-l3-agent-PREROUTING
  -A OUTPUT -j neutron-l3-agent-OUTPUT
  COMMIT
  # Completed on Thu Apr 22 09:30:43 2021

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1925498/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to