How to edit the SNAT rules of the L3 agent?

Asked by Asad

I just wanted to ask if it is possible to forward all packets that are received at the physical interface (eth0 which is added to br-ex) to the VM? I mean forwarding packets which don't have VM's IP as their destination IP.

I am using a single node openstack+neutron (openvswitch) environment with floating IPs assigned to the VM. The VM is able to receive packets from outside world which have its floating IP as destination IP address.

But I want to forward all traffic on the physical interface to this VM or even some packets that have different destination IP address.

I have tried adding rules into the br-ex bridge but the packets are not forwarded to VM.

Question information

Language: English
Status: Answered
For: neutron
Assignee: No assignee
Asad (asadxflow) said (#1):

I have further looked into it and found that the neutron L3 agent which performs the SNAT (from qg-XXXX to qr-XXXX interface), drops the packets which are not in the private network and only forwards those packets (onto qr-XXXXX) which are in the private network.

Is it possible to edit the SNAT rules of the L3 agent so that it forwards packets of specific source/dest IPs to a certain VM?

Salvatore Orlando (salvatore-orlando) said (#2):

I am not sure why you would do something like this, but that is beyond the scope of this question.

The following assumes you are running neutron with namespace support enabled.
If you want to alter NAT rules generated by the l3 agent, you need first to identify your router's namespace name.
The name is 'qrouter-%s' % router_id

Then in this namespace run iptables -nt nat --list

salvatore@ubuntu:~/devstack$ sudo ip netns exec qrouter-e9ba3b1f-9840-41d3-8aec-81977dee69b1 iptables -nt nat --list

The following chain contains the default SNAT rules.

neutron-vpn-agen-float-snat all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 10.0.0.0/24 0.0.0.0/0 to:172.24.4.226

Please note however that your changes are likely to be overwritten when neutron server synchronizes the router with the l3 agent, which might happen, for instance, when a new subnet is added to the router.
For making persistent changes to satisfy your use case, the l3 agent code should be modified accordingly.
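The inspection procedure described in the answer, as an added shell example (not code from the answer or from neutron): it derives the qrouter namespace name from a router id, dumps the nat table, extracts the SNAT rules, and flags SNAT rules sitting outside the neutron-* chains, which is a heuristic assumption for spotting hand-added rules that the agent will later overwrite. The iptables-save dump is constructed here so the parsing runs offline.

```bash
#!/usr/bin/env bash
# Added example: audit the SNAT rules in a neutron router namespace.
set -eu

# Namespace name exactly as the answer gives it: 'qrouter-%s' % router_id
router_ns() { printf 'qrouter-%s\n' "$1"; }

# Dump the nat table of the router namespace (needs root; not used by the test).
dump_nat() { sudo ip netns exec "$(router_ns "$1")" iptables-save -t nat; }

# Print "<source-cidr> <to-source>" for every SNAT rule in an iptables-save
# dump read on stdin. A rule without -s covers all sources (0.0.0.0/0).
snat_rules() {
  awk '$1 == "-A" && /-j SNAT/ {
    src = "0.0.0.0/0"; to = "";
    for (i = 1; i <= NF; i++) {
      if ($i == "-s") src = $(i + 1);
      if ($i == "--to-source") to = $(i + 1);
    }
    print src, to
  }'
}

# Heuristic (assumption): the agent places its rules in chains prefixed
# "neutron-", so a SNAT rule directly in POSTROUTING or another chain was
# most likely added by hand and will not survive the next agent sync.
foreign_snat_rules() {
  awk '$1 == "-A" && /-j SNAT/ && $2 !~ /^neutron-/ { print }'
}

# Constructed sample dump modelled on the listing in the answer (chain names
# taken from there; the second SNAT rule is a made-up manual addition).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-vpn-agen-snat - [0:0]
:neutron-vpn-agen-float-snat - [0:0]
-A POSTROUTING -j neutron-vpn-agen-snat
-A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat
-A neutron-vpn-agen-snat -s 10.0.0.0/24 -j SNAT --to-source 172.24.4.226
-A POSTROUTING -s 192.168.99.0/24 -j SNAT --to-source 172.24.4.99
COMMIT'

main() {
  echo "SNAT rules:";        printf '%s\n' "$SAMPLE_DUMP" | snat_rules
  echo "Outside neutron-*:"; printf '%s\n' "$SAMPLE_DUMP" | foreign_snat_rules
}
```

On a live node replace the sample with `dump_nat <router_id> | snat_rules`; a non-empty `foreign_snat_rules` output is the set of rules the next router sync is expected to drop.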
