Quantum OVS multiple networks

Asked by Mohammad Banikazemi

Here is a question that I have not been able to find an answer to. I try to make the problem as clear as possible:

I have two servers: Server A and Server B. Server A installed using devstack runs all the services including Quantum with OVS.
Server B is a Compute node only with Quantum OVS agent.

I create two networks: one for the Admin project (9.9.9.0/24) and one for the Demo project (9.9.8.0/24) .

Then I start creating VMs for each project, which get created alternately on Server A and Server B. After creating a few VMs I have the following:

Server A VMs: admin1, admin3, admin5, demo1, demo3, demo5 (all having correct IPs like 9.9.9.2 and 9.9.8.2, etc.)
Server B VMs: admin2, admin4, admin6, demo2, demo4, demo6 (all having correct IPs like 9.9.9.3 and 9.9.8.3, etc.)

Now from VMs on each network I can ping other VMs on the same network. So far so good.

Then I try pinging nodes on the other network and I notice the following:

From each VM on Server A I can also ping the VMs on Server B which are on the other network.
For example from admin1, I can ping demo2, demo4, and demo6 even though I cannot ping demo1, demo3, and demo5.

Why? What am I doing wrong?

This is the traceroute from 9.9.9.2 on Server A to 9.9.8.4 on server B. The ping works while it should not.

% traceroute to 9.9.8.4 (9.9.8.4), 30 hops max, 46 byte packets
 1 reserved-9-9-9-1.atlanta.ibm.com (9.9.9.1) 0.477 ms 0.183 ms 0.188 ms
 2 9.9.8.4 (9.9.8.4) 0.988 ms 0.596 ms 0.522 ms

This is the traceroute from 9.9.9.2 on Server A to 9.9.8.5 on Server A. The ping does not work as expected:
% traceroute to 9.9.8.5 (9.9.8.5), 30 hops max, 46 byte packets
 1 reserved-9-9-9-1.atlanta.ibm.com (9.9.9.1) 0.444 ms 0.239 ms 0.223 ms
 2 * * *
 3 * * *

Here is the route table on Server A:

mb@sysnet45:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 9.2.156.65 0.0.0.0 UG 0 0 0 eth1
9.2.156.64 * 255.255.255.192 U 0 0 0 eth1
9.9.8.0 * 255.255.255.0 U 0 0 0 gw-f25ffc5e-d3
9.9.9.0 * 255.255.255.0 U 0 0 0 gw-e84cecf1-06
10.0.0.0 * 255.255.255.0 U 0 0 0 gw-9ad6270b-f7
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0

Here is the route table on Server B:

mb@sysnet43:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 9.2.156.65 0.0.0.0 UG 100 0 0 eth1
localnet * 255.255.255.192 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0

Question information

Language: English
Status: Answered
For: neutron
Assignee: No assignee
Revision history for this message
Salvatore Orlando (salvatore-orlando) said :
#1

Hi Mohammad,

very interesting question. Thanks for posting such a great deal of details!

Assuming "admin" and "demo" are your "tenants", it looks like "admin" VM on server A cannot ping "demo" VMs on server A while they can ping them on server B, while they should not.

The traceroute seems to show a packet leaving "admin" VM on server A, going through some router/gateway, and finally reaching a VM for tenant "demo" on server B. If that is correct, the traffic is leaving the Quantum network on server A, and then is getting back in it on server B; in this case I wonder how OVS has been configured on the two hosts and whether IP routing is changing the way in which the packets are being forwarded between the two hosts.

From the routing table for server A, I see some routes specific to the tenant networks (9.9.8.0/24 and 9.9.9.0/24).
1) Are they routing the packets for these networks to a router which performs VLAN termination?
2) How are the OVS instances on server A and server B connected to each other?
3) Are there interfaces other than VIFs, GRE tunnels, and 'patch interfaces' plugged into the OVS instances?

Regards,
Salvatore

Mohammad Banikazemi (mb-s) said :
#2

Thanks for the response.
Server A and Server B are connected to each other through their eth1 interfaces, which are connected to a single switch with no other connections. (eth0 on both servers is connected to our internal network and the Internet.)
I am not sure about what this particular switch does, but I would think it is not the cause of our issues because traffic gets passed through it for some of the ping operations.

There are no other interfaces of the OVS as listed below.

Please let me know if there are other pieces of information that can be helpful.

Thanks,

-Mohammad

On Server A: The three gateways are for my three networks and the tap interfaces are for the four running VMs right now.

mb@sysnet45:~$ sudo ovs-vsctl list-br
br-int
mb@sysnet45:~$ sudo ovs-vsctl list-ports br-int
eth0
gw-9ad6270b-f7
gw-e84cecf1-06
gw-f25ffc5e-d3
tapaf08a421-b7
tapc9e6c971-b4
tapd56b38e0-66
tapf059b70a-ec

On Server B: the tap interfaces are for the five running VMs right now.

mb@sysnet43:~$ sudo ovs-vsctl list-br
br-int
mb@sysnet43:~$ sudo ovs-vsctl list-ports br-int
eth0
tap062e466f-c7
tap0abbbcb6-72
tap2d7c1378-fe
tap92d4d472-95
tap961b958b-d1

dan wendlandt (danwent) said :
#3

Hi Mohammad, thanks for the detailed write-up. Seems like this may be a bug.

I'd like to clarify one thing though: the "correct" behavior is actually that VMs from the two networks CAN reach each other, but only after traversing an L3 hop. This, at least, is based on a discussion I had with Vish about how VLANManager works (which is essentially what Quantum emulates if you create per-project networks). I think the reason it works that way is that they were emulating Amazon, where you have "internal" IPs that can all reach each other, then public floating IPs that cannot. In Folsom Quantum will get rid of the old nova networking L3 code and will support much richer configuration of L3 topologies. In the meantime, we're stuck with what was in Nova.

So with that in mind, the real question is why we can't connect to VMs in the other subnet when they are on the same host. Running tcpdump on the gateway interfaces that should be receiving and forwarding the traffic should be informative. The devices are named with the pattern gw-*, where * is the start of the network uuid visible if you run "quantum list_nets <tenant-id>" or "nova-manage network quantum_list". In the case where traffic does not flow, it would be interesting to see whether the traffic is reaching the gateway device for the 9.9.9.0/24 subnet, and if so, whether it is leaving the gateway device for the 9.9.8.0/24 subnet.

Mohammad Banikazemi (mb-s) said :
#4

Looks like things do not get past the 9.9.9.0 gateway.

Below I am copying the output for both gateways and for two cases: first where the ping is not successful and then the case where ping is successful. (I can attach the complete output of these files if i can figure out how to do it here.)

Case 1 - Here is the case where 9.9.9.2 on Server A canNOT ping 9.9.8.5 on Server A:

on the 9.9.9.0 gateway:
-------------------------------------------------------------------------------
13:44:29.433031 IP (tos 0xc0, ttl 64, id 7316, offset 0, flags [none], proto ICMP (1), length 367)
    9.9.9.2 > 9.2.156.126: ICMP 9.9.9.2 udp port 68 unreachable, length 347
        IP (tos 0x0, ttl 64, id 58981, offset 0, flags [none], proto UDP (17), length 339)
    9.2.156.126.67 > 9.9.9.2.68: [udp sum ok] BOOTP/DHCP, Reply, length 311, xid 0x7a24b831, Flags [none] (0x0000)
          Client-IP 9.9.9.2
          Your-IP 9.9.9.2
          Server-IP 9.9.9.1
          Client-Ethernet-Address 02:16:3e:22:06:15
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 9.9.9.1
            Lease-Time Option 51, length 4: 120
            RN Option 58, length 4: 56
            RB Option 59, length 4: 101
            Subnet-Mask Option 1, length 4: 255.255.255.0
            BR Option 28, length 4: 9.9.9.255
            Default-Gateway Option 3, length 4: 9.9.9.1
            Domain-Name-Server Option 6, length 4: 9.9.9.1
            Domain-Name Option 15, length 9: "novalocal"
            Hostname Option 12, length 6: "host-9"
13:44:29.745432 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    9.9.9.2 > 9.9.8.5: ICMP echo request, id 26981, seq 13, length 64
13:44:30.746177 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    9.9.9.2 > 9.9.8.5: ICMP echo request, id 26981, seq 14, length 64
13:44:31.746438 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    9.9.9.2 > 9.9.8.5: ICMP echo request, id 26981, seq 15, length 64

on the 9.9.8.0 gateway:
-------------------------------------------------------------------------------
nothing here

--------------------------------------------------------------------------------------------------------------------

Case 2 - Here is the case where 9.9.9.2 on Server A can ping 9.9.8.4 on Server B:

on the 9.9.9.0 gateway:
-------------------------------------------------------------------------------

13:39:03.856916 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    9.9.9.2 > 9.9.8.4: ICMP echo request, id 17765, seq 96, length 64
13:39:03.857260 IP (tos 0x0, ttl 63, id 6921, offset 0, flags [none], proto ICMP (1), length 84)
    9.9.8.4 > 9.9.9.2: ICMP echo reply, id 17765, seq 96, length 64
13:39:04.857154 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    9.9.9.2 > 9.9.8.4: ICMP echo request, id 17765, seq 97, length 64
13:39:04.857544 IP (tos 0x0, ttl 63, id 6922, offset 0, flags [none], proto ICMP (1), length 84)
    9.9.8.4 > 9.9.9.2: ICMP echo reply, id 17765, seq 97, length 64

on the 9.9.8.0 gateway:
-------------------------------------------------------------------------------

13:41:00.567548 IP (tos 0xc0, ttl 64, id 59262, offset 0, flags [none], proto ICMP (1), length 367)
    9.9.8.4 > 9.9.8.1: ICMP 9.9.8.4 udp port 68 unreachable, length 347
        IP (tos 0x0, ttl 64, id 40594, offset 0, flags [none], proto UDP (17), length 339)
    9.9.8.1.67 > 9.9.8.4.68: [udp sum ok] BOOTP/DHCP, Reply, length 311, xid 0x1f5bba01, Flags [none] (0x0000)
          Client-IP 9.9.8.4
          Your-IP 9.9.8.4
          Server-IP 9.9.8.1
          Client-Ethernet-Address 02:16:3e:40:a1:98
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 9.9.8.1
            Lease-Time Option 51, length 4: 120
            RN Option 58, length 4: 54
            RB Option 59, length 4: 99
            Subnet-Mask Option 1, length 4: 255.255.255.0
            BR Option 28, length 4: 9.9.8.255
            Default-Gateway Option 3, length 4: 9.9.8.1
            Domain-Name-Server Option 6, length 4: 9.9.8.1
            Domain-Name Option 15, length 9: "novalocal"
            Hostname Option 12, length 6: "host-9"
13:41:00.898569 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    9.2.156.126 > 9.9.8.4: ICMP echo request, id 17765, seq 213, length 64
13:41:00.898869 IP (tos 0x0, ttl 64, id 7038, offset 0, flags [none], proto ICMP (1), length 84)
    9.9.8.4 > 9.2.156.126: ICMP echo reply, id 17765, seq 213, length 64
13:41:01.898877 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    9.2.156.126 > 9.9.8.4: ICMP echo request, id 17765, seq 214, length 64
13:41:01.899219 IP (tos 0x0, ttl 64, id 7039, offset 0, flags [none], proto ICMP (1), length 84)
    9.9.8.4 > 9.2.156.126: ICMP echo reply, id 17765, seq 214, length 64
13:41:02.899334 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (

dan wendlandt (danwent) said :
#5

Hi, I noticed that in the case that the ping works, the source IP address in the tcpdump changes by the time the traffic is exiting the 9.9.8.0 gateway. I suspect that the traffic is actually being SNATed. Is 9.2.156.126 the "public" IP of your network node?

If so, I think it would be useful to see the iptables rules on that host.

Salvatore Orlando (salvatore-orlando) said :
#6

I agree with Dan that SNAT appears to be occurring when a packet is sent from server B.
It also seems that SNAT is not occurring from server A to server B (I would have expected the 9.9.8.0 gateway to receive the packet with the source IP altered to that of the 9.9.9.0 gateway).

iptables rules would be extremely interesting. Understanding whether 9.2.156.126 belongs to nova's network node (as public IP) or is just the IP address associated with eth1 could also be helpful.

You might also provide (if possible) the output of ovs-dpctl dump-flows br-int on both servers (I typically run it in a rather rude form: watch --interval=0.5 "date >> output.txt; ovs-dpctl dump-flows br-int >> output.txt"). This will let us understand where packets sent from server B are forwarded, and vice versa.

You can use paste.openstack.org for pasting large chunks of text.

Salvatore

Mohammad Banikazemi (mb-s) said :
#7

Yes, 9.2.156.126 is the public IP of Server A (eth0).
Here is the output of iptables for this server followed by that of Server B (9.2.156.124):

mb@sysnet45:~$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-compute-INPUT all -- anywhere anywhere
nova-network-INPUT all -- anywhere anywhere
nova-manage-INPUT all -- anywhere anywhere
nova-api-INPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT gre -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-compute-FORWARD all -- anywhere anywhere
nova-network-FORWARD all -- anywhere anywhere
nova-manage-FORWARD all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-compute-OUTPUT all -- anywhere anywhere
nova-network-OUTPUT all -- anywhere anywhere
nova-manage-OUTPUT all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere

Chain nova-api-FORWARD (1 references)
target prot opt source destination

Chain nova-api-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere sysnet45.watson.ibm.com tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target prot opt source destination

Chain nova-api-local (1 references)
target prot opt source destination

Chain nova-compute-FORWARD (1 references)
target prot opt source destination

Chain nova-compute-INPUT (1 references)
target prot opt source destination

Chain nova-compute-OUTPUT (1 references)
target prot opt source destination

Chain nova-compute-inst-12 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- reserved-9-9-9-1.atlanta.ibm.com anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 9.9.9.0/24 anywhere
nova-compute-sg-fallback all -- anywhere anywhere

Chain nova-compute-inst-3 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- sysnet45.local anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 9.9.8.0/24 anywhere
nova-compute-sg-fallback all -- anywhere anywhere

Chain nova-compute-inst-7 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- reserved-9-9-9-1.atlanta.ibm.com anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 9.9.9.0/24 anywhere
nova-compute-sg-fallback all -- anywhere anywhere

Chain nova-compute-inst-9 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- sysnet45.local anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 9.9.8.0/24 anywhere
nova-compute-sg-fallback all -- anywhere anywhere

Chain nova-compute-local (1 references)
target prot opt source destination
nova-compute-inst-3 all -- anywhere 9.9.8.2
nova-compute-inst-7 all -- anywhere reserved-9-9-9-2.atlanta.ibm.com
nova-compute-inst-9 all -- anywhere 9.9.8.5
nova-compute-inst-12 all -- anywhere reserved-9-9-9-4.atlanta.ibm.com

Chain nova-compute-provider (4 references)
target prot opt source destination

Chain nova-compute-sg-fallback (4 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain nova-filter-top (2 references)
target prot opt source destination
nova-compute-local all -- anywhere anywhere
nova-network-local all -- anywhere anywhere
nova-manage-local all -- anywhere anywhere
nova-api-local all -- anywhere anywhere

Chain nova-manage-FORWARD (1 references)
target prot opt source destination

Chain nova-manage-INPUT (1 references)
target prot opt source destination

Chain nova-manage-OUTPUT (1 references)
target prot opt source destination

Chain nova-manage-local (1 references)
target prot opt source destination

Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain

Chain nova-network-OUTPUT (1 references)
target prot opt source destination

Chain nova-network-local (1 references)
target prot opt source destination

========================================================

Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-compute-INPUT all -- anywhere anywhere
ACCEPT gre -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-compute-FORWARD all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-compute-OUTPUT all -- anywhere anywhere

Chain nova-compute-FORWARD (1 references)
target prot opt source destination

Chain nova-compute-INPUT (1 references)
target prot opt source destination

Chain nova-compute-OUTPUT (1 references)
target prot opt source destination

Chain nova-compute-inst-11 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- 9.9.8.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 9.9.8.0/24 anywhere
nova-compute-sg-fallback all -- anywhere anywhere

Chain nova-compute-inst-13 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- reserved-9-9-9-1.atlanta.ibm.com anywhere udp spt:bootps dpt:bootpc
ACCEPT udp -- 10.0.0.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 9.9.9.0/24 anywhere
ACCEPT all -- 10.0.0.0/24 anywhere
nova-compute-sg-fallback all -- anywhere anywhere

Chain nova-compute-inst-5 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- 9.9.8.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 9.9.8.0/24 anywhere
nova-compute-sg-fallback all -- anywhere anywhere

Chain nova-compute-inst-8 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- reserved-9-9-9-1.atlanta.ibm.com anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 9.9.9.0/24 anywhere
nova-compute-sg-fallback all -- anywhere anywhere

Chain nova-compute-local (1 references)
target prot opt source destination
nova-compute-inst-5 all -- anywhere 9.9.8.4
nova-compute-inst-8 all -- anywhere wrp-bc-1a-ge2-1.atlanta.ibm.com
nova-compute-inst-11 all -- anywhere 9.9.8.7
nova-compute-inst-13 all -- anywhere reserved-9-9-9-5.atlanta.ibm.com
nova-compute-inst-13 all -- anywhere 10.0.0.6

Chain nova-compute-provider (4 references)
target prot opt source destination

Chain nova-compute-sg-fallback (4 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain nova-filter-top (2 references)
target prot opt source destination
nova-compute-local all -- anywhere anywhere

Brad Hall (bgh) said :
#8

Hi Mohammad,

Can you also paste the output of iptables -L -n -t nat?

Mohammad Banikazemi (mb-s) said :
#9

Sure.

Here is the new data from Server A (9.2.156.126 running all of nova services):

script started on Tue 20 Mar 2012 03:20:17 PM EDT
mb@sysnet45:~$ sudo iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
nova-compute-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
nova-network-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
nova-manage-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
nova-api-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
nova-network-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
nova-manage-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
nova-compute-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
nova-network-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
nova-manage-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
nova-api-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
nova-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24

Chain nova-api-OUTPUT (1 references)
target prot opt source destination

Chain nova-api-POSTROUTING (1 references)
target prot opt source destination

Chain nova-api-PREROUTING (1 references)
target prot opt source destination

Chain nova-api-float-snat (1 references)
target prot opt source destination

Chain nova-api-snat (1 references)
target prot opt source destination
nova-api-float-snat all -- 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-OUTPUT (1 references)
target prot opt source destination

Chain nova-compute-POSTROUTING (1 references)
target prot opt source destination

Chain nova-compute-PREROUTING (1 references)
target prot opt source destination

Chain nova-compute-float-snat (1 references)
target prot opt source destination

Chain nova-compute-snat (1 references)
target prot opt source destination
nova-compute-float-snat all -- 0.0.0.0/0 0.0.0.0/0

Chain nova-manage-OUTPUT (1 references)
target prot opt source destination

Chain nova-manage-POSTROUTING (1 references)
target prot opt source destination

Chain nova-manage-PREROUTING (1 references)
target prot opt source destination

Chain nova-manage-float-snat (1 references)
target prot opt source destination

Chain nova-manage-snat (1 references)
target prot opt source destination
nova-manage-float-snat all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 9.9.9.0/24 0.0.0.0/0 to:9.2.156.126

Chain nova-network-OUTPUT (1 references)
target prot opt source destination

Chain nova-network-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- 10.0.0.0/24 10.128.0.0/24
ACCEPT all -- 10.0.0.0/24 10.0.0.0/24 ! ctstate DNAT

Chain nova-network-PREROUTING (1 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 169.254.169.254 tcp dpt:80 to:9.2.156.126:8775

Chain nova-network-float-snat (1 references)
target prot opt source destination

Chain nova-network-snat (1 references)
target prot opt source destination
nova-network-float-snat all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 10.0.0.0/24 0.0.0.0/0 to:9.2.156.126

Chain nova-postrouting-bottom (1 references)
target prot opt source destination
nova-compute-snat all -- 0.0.0.0/0 0.0.0.0/0
nova-network-snat all -- 0.0.0.0/0 0.0.0.0/0
nova-manage-snat all -- 0.0.0.0/0 0.0.0.0/0
nova-api-snat all -- 0.0.0.0/0 0.0.0.0/0

========== and below from Server B (running as nova compute):

Script started on Tue 20 Mar 2012 03:21:05 PM EDT
mb@sysnet43:~$ sudo iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
nova-compute-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
nova-compute-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
nova-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-OUTPUT (1 references)
target prot opt source destination

Chain nova-compute-POSTROUTING (1 references)
target prot opt source destination

Chain nova-compute-PREROUTING (1 references)
target prot opt source destination

Chain nova-compute-float-snat (1 references)
target prot opt source destination

Chain nova-compute-snat (1 references)
target prot opt source destination
nova-compute-float-snat all -- 0.0.0.0/0 0.0.0.0/0

Chain nova-postrouting-bottom (1 references)
target prot opt source destination
nova-compute-snat all -- 0.0.0.0/0 0.0.0.0/0

Brad Hall (bgh) said :
#10

one more thing: on both nodes, can you paste the output of: "ovs-ofctl dump-flows br-int" please

Mohammad Banikazemi (mb-s) said :
#11

Sure.

On Server A:

mb@sysnet45:~$ sudo ovs-ofctl dump-flows br-int
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=411937.037s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=3 actions=drop
 cookie=0x0, duration=411934.967s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=2 actions=drop
 cookie=0x0, duration=411334.842s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=7 actions=drop
 cookie=0x0, duration=412155.689s, table=0, n_packets=882468, n_bytes=111928515, priority=1 actions=NORMAL

============================================================================

mb@sysnet43:~$ sudo ovs-ofctl dump-flows br-int
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=411739.341s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=1 actions=drop
 cookie=0x0, duration=370942.723s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=5 actions=drop
 cookie=0x0, duration=412054.101s, table=0, n_packets=582126, n_bytes=71555265,priority=1 actions=NORMAL
mb@sysnet43:~$

Mohammad Banikazemi (mb-s) said :
#12

Just wondering if you found any clues as to what may be going on here?
Thanks.

dan wendlandt (danwent) said :
#13

Have you tried running this setup without Quantum and seeing if it works? For Essex, Quantum basically just uses existing Nova code for L3 functionality. If it's unique to Quantum, bhall is the best person to look at it, but he has been OOO for the past few days.

What you're doing SHOULD work, but it is a somewhat non-standard config and may not have been tested well. Usually if you were doing a multi-node setup with L3 functionality, nova-network would either be running only on a dedicated controller node, or on each node (with the multi_host flag set to True, which works only for non-Quantum deployments).

Launchpad Janitor (janitor) said :
#14

This question was expired because it remained in the 'Needs information' state without activity for the last 15 days.

Mohammad Banikazemi (mb-s) said :
#15

Looking back at this problem...
I don't know if this is the reason but here is what I have noticed from looking at the entries in the nat table.
Let's say I have a 10.0.0.0/24 public network. After I create a private network, say 10.6.0.0/24, here are a couple of entries from the nat table:

SNAT all -- 10.6.0.0/24 anywhere to:9.2.156.126
SNAT all -- 10.0.0.0/24 anywhere to:9.2.156.126

This is after creating a new 10.6.0.0 network. Then, if I add yet another network (10.8.0.0/24), here are the table entries:

SNAT all -- 10.8.0.0/24 anywhere to:9.2.156.126
SNAT all -- 10.0.0.0/24 anywhere to:9.2.156.126

As you can see the entry for public network 10.0.0.0 remains but the entry for 10.6 network is replaced by the entry for the newer network. Is this how it should be?
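A small check for the SNAT-rule replacement described in this post (and reported again in #18), as an added example that is not code from the thread or from Nova. It parses iptables-save output (the format pasted in #18), keeps only the *nat table, and reports which tenant networks have lost their SNAT rule between two snapshots; the snapshots below are constructed to mirror this post's values, not captured from the hosts in the thread.

```python
"""Check which tenant networks still have a nova SNAT rule.

Added example for the replacement behaviour described in the thread; it is
not code from the thread or from Nova. It reads `iptables-save` output,
keeps only the *nat table, collects the `-j SNAT --to-source` rules and
reports which of the networks nova is supposed to SNAT no longer have a
rule, i.e. were replaced when a newer network was created.
"""
import ipaddress
import re

# One nova SNAT rule, e.g.
#   -A nova-manage-snat -s 192.168.208.0/24 -j SNAT --to-source 10.131.0.244
SNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) -s (?P<src>\S+) -j SNAT --to-source (?P<to>\S+)$"
)


def nat_rules(dump):
    """Return the '-A ...' rule lines that belong to the *nat table only."""
    rules, in_nat = [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header: *mangle, *nat, *filter
            in_nat = line == "*nat"
        elif line == "COMMIT":            # end of the current table
            in_nat = False
        elif in_nat and line.startswith("-A "):
            rules.append(line)
    return rules


def snat_rules(dump):
    """Map each SNAT'ed source network (normalised CIDR) to (chain, to-source)."""
    found = {}
    for line in nat_rules(dump):
        m = SNAT_RE.match(line)
        if m:
            net = str(ipaddress.ip_network(m["src"], strict=False))
            found[net] = (m["chain"], m["to"])
    return found


def missing_snat(dump, expected_networks):
    """Expected networks (CIDR strings) that have no SNAT rule in `dump`."""
    present = snat_rules(dump)
    return sorted(
        n for n in expected_networks
        if str(ipaddress.ip_network(n, strict=False)) not in present
    )


def replaced_between(before, after):
    """Networks whose SNAT rule was present in `before` but is gone in `after`."""
    gone = set(snat_rules(before)) - set(snat_rules(after))
    return sorted(gone)


# Constructed snapshots (not captured from the thread's hosts) that mirror
# post #15: the public 10.0.0.0/24 rule lives in nova-network-snat, the
# private network's rule in nova-manage-snat, both to the host's public IP.
AFTER_10_6 = """\
*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
:nova-manage-snat - [0:0]
:nova-network-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j nova-postrouting-bottom
-A nova-manage-snat -s 10.6.0.0/24 -j SNAT --to-source 9.2.156.126
-A nova-network-snat -s 10.0.0.0/24 -j SNAT --to-source 9.2.156.126
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-manage-snat
COMMIT
"""

# Same host after a second private network, 10.8.0.0/24, was created:
# the 10.6.0.0/24 rule is gone instead of a third rule being added.
AFTER_10_8 = AFTER_10_6.replace("10.6.0.0/24", "10.8.0.0/24")


def report(before, after, expected_networks):
    """Human-readable summary of what changed between two snapshots."""
    lines = []
    for net in replaced_between(before, after):
        lines.append("SNAT rule for %s was removed" % net)
    for net in missing_snat(after, expected_networks):
        lines.append("no SNAT rule for %s in the new snapshot" % net)
    return "\n".join(lines) or "all expected networks have SNAT rules"


if __name__ == "__main__":
    print(report(AFTER_10_6, AFTER_10_8,
                 ["10.0.0.0/24", "10.6.0.0/24", "10.8.0.0/24"]))
```

Run it against two real `iptables-save` captures taken before and after creating a network to see which tenant network lost its SNAT rule.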

Havent (guestly) said :
#16

Do you have any further resolution about this problem?

dan wendlandt (danwent) said :
#17

Sorry for the delay, I'm really swamped with dev work and questions.

So I was able to reproduce something that seems similar to what you've reported.

I did seem to confirm that the iptables rules are the culprit though, since running "sudo iptables -F" allows the VMs that couldn't ping start to ping.

After some sleuthing I believe it is firewall rules intended to implement a portion of security group filtering that are resulting in the behavior. Disabling the security groups using the following rule in nova.conf worked for me:

firewall_driver=nova.virt.firewall.NoopFirewallDriver

Havent (guestly) said :
#18

I also have this problem. I found that my iptables has a new rule after I created a network 192.168.208.0/24 and a VM 8.8.8.6/192.168.208.2, and I can ping 8.8.8.6 but cannot ping 192.168.208.2:

-A nova-manage-snat -s 192.168.208.0/24 -j SNAT --to-source 10.131.0.244

When I delete this rule, I can ping 192.168.208.2, and when I create a new network and a new VM, this rule is replaced by the one for the new network.

Below are my iptables rules BEFORE CREATING NETWORK, AFTER CREATING NETWORK and AFTER CREATING VM:

BEFORE CREATING NETWORK:
# Generated by iptables-save v1.4.12 on Wed May 16 14:51:31 2012
*mangle
:PREROUTING ACCEPT [245736:216294003]
:INPUT ACCEPT [57864:32422084]
:FORWARD ACCEPT [184175:182659303]
:OUTPUT ACCEPT [53384:31506313]
:POSTROUTING ACCEPT [237564:214167256]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed May 16 14:51:31 2012
# Generated by iptables-save v1.4.12 on Wed May 16 14:51:31 2012
*nat
:PREROUTING ACCEPT [135:35818]
:INPUT ACCEPT [54:10054]
:OUTPUT ACCEPT [22:1351]
:POSTROUTING ACCEPT [22:1351]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-manage-OUTPUT - [0:0]
:nova-manage-POSTROUTING - [0:0]
:nova-manage-PREROUTING - [0:0]
:nova-manage-float-snat - [0:0]
:nova-manage-snat - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
:nova-network-float-snat - [0:0]
:nova-network-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-manage-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-manage-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-manage-POSTROUTING
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A nova-api-snat -j nova-api-float-snat
-A nova-compute-snat -j nova-compute-float-snat
-A nova-manage-snat -j nova-manage-float-snat
-A nova-manage-snat -s 192.168.207.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 10.131.0.244/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 10.128.0.0/24 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.131.0.244:8775
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.200.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 8.8.8.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 7.7.7.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 9.9.9.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.201.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.202.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.203.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.204.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.205.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 6.6.6.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 5.5.5.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 18.18.18.0/24 -j SNAT --to-source 10.131.0.244
-A nova-postrouting-bottom -j nova-compute-snat
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-manage-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Wed May 16 14:51:31 2012
# Generated by iptables-save v1.4.12 on Wed May 16 14:51:31 2012
*filter
:INPUT ACCEPT [4078:2021343]
:FORWARD ACCEPT [5005:306502]
:OUTPUT ACCEPT [3747:2009987]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-54 - [0:0]
:nova-compute-inst-55 - [0:0]
:nova-compute-inst-56 - [0:0]
:nova-compute-inst-57 - [0:0]
:nova-compute-inst-58 - [0:0]
:nova-compute-inst-59 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
:nova-manage-FORWARD - [0:0]
:nova-manage-INPUT - [0:0]
:nova-manage-OUTPUT - [0:0]
:nova-manage-local - [0:0]
:nova-network-FORWARD - [0:0]
:nova-network-INPUT - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-local - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-manage-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j nova-api-INPUT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-manage-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-manage-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.131.0.244/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-compute-inst-54 -m state --state INVALID -j DROP
-A nova-compute-inst-54 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-54 -j nova-compute-provider
-A nova-compute-inst-54 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-54 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-54 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-54 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-54 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-54 -j nova-compute-sg-fallback
-A nova-compute-inst-55 -m state --state INVALID -j DROP
-A nova-compute-inst-55 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-55 -j nova-compute-provider
-A nova-compute-inst-55 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-55 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-55 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-55 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-55 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-55 -j nova-compute-sg-fallback
-A nova-compute-inst-56 -m state --state INVALID -j DROP
-A nova-compute-inst-56 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-56 -j nova-compute-provider
-A nova-compute-inst-56 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-56 -s 192.168.201.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-56 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-56 -s 192.168.201.0/24 -j ACCEPT
-A nova-compute-inst-56 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-56 -j nova-compute-sg-fallback
-A nova-compute-inst-57 -m state --state INVALID -j DROP
-A nova-compute-inst-57 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-57 -j nova-compute-provider
-A nova-compute-inst-57 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-57 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-57 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-57 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-57 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-57 -j nova-compute-sg-fallback
-A nova-compute-inst-58 -m state --state INVALID -j DROP
-A nova-compute-inst-58 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-58 -j nova-compute-provider
-A nova-compute-inst-58 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-58 -s 192.168.206.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-58 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-58 -s 192.168.206.0/24 -j ACCEPT
-A nova-compute-inst-58 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-58 -j nova-compute-sg-fallback
-A nova-compute-inst-59 -m state --state INVALID -j DROP
-A nova-compute-inst-59 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-59 -j nova-compute-provider
-A nova-compute-inst-59 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-59 -s 192.168.207.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-59 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-59 -s 192.168.207.0/24 -j ACCEPT
-A nova-compute-inst-59 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-59 -j nova-compute-sg-fallback
-A nova-compute-local -d 8.8.8.6/32 -j nova-compute-inst-54
-A nova-compute-local -d 9.9.9.3/32 -j nova-compute-inst-54
-A nova-compute-local -d 9.9.9.4/32 -j nova-compute-inst-55
-A nova-compute-local -d 8.8.8.7/32 -j nova-compute-inst-55
-A nova-compute-local -d 8.8.8.8/32 -j nova-compute-inst-56
-A nova-compute-local -d 192.168.201.2/32 -j nova-compute-inst-56
-A nova-compute-local -d 9.9.9.5/32 -j nova-compute-inst-57
-A nova-compute-local -d 8.8.8.9/32 -j nova-compute-inst-57
-A nova-compute-local -d 9.9.9.6/32 -j nova-compute-inst-58
-A nova-compute-local -d 192.168.206.2/32 -j nova-compute-inst-58
-A nova-compute-local -d 9.9.9.7/32 -j nova-compute-inst-59
-A nova-compute-local -d 192.168.207.2/32 -j nova-compute-inst-59
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-manage-local
-A nova-filter-top -j nova-api-local
-A nova-network-FORWARD -i br-int -j ACCEPT
-A nova-network-FORWARD -o br-int -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed May 16 14:51:31 2012

AFTER CREATING NETWORK:
# Generated by iptables-save v1.4.12 on Wed May 16 14:52:01 2012
*mangle
:PREROUTING ACCEPT [252638:222628974]
:INPUT ACCEPT [58858:32725770]
:FORWARD ACCEPT [190065:188684684]
:OUTPUT ACCEPT [54341:31821825]
:POSTROUTING ACCEPT [244411:220508149]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed May 16 14:52:01 2012
# Generated by iptables-save v1.4.12 on Wed May 16 14:52:01 2012
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-manage-OUTPUT - [0:0]
:nova-manage-POSTROUTING - [0:0]
:nova-manage-PREROUTING - [0:0]
:nova-manage-float-snat - [0:0]
:nova-manage-snat - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
:nova-network-float-snat - [0:0]
:nova-network-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-manage-PREROUTING
-A PREROUTING -j nova-compute-PREROUTING
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A OUTPUT -j nova-manage-OUTPUT
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A POSTROUTING -j nova-manage-POSTROUTING
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A nova-api-snat -j nova-api-float-snat
-A nova-compute-snat -j nova-compute-float-snat
-A nova-manage-snat -j nova-manage-float-snat
-A nova-manage-snat -s 192.168.208.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 10.131.0.244/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 10.128.0.0/24 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.131.0.244:8775
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.200.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 8.8.8.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 7.7.7.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 9.9.9.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.201.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.202.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.203.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.204.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.205.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 6.6.6.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 5.5.5.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 18.18.18.0/24 -j SNAT --to-source 10.131.0.244
-A nova-postrouting-bottom -j nova-manage-snat
-A nova-postrouting-bottom -j nova-compute-snat
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Wed May 16 14:52:01 2012
# Generated by iptables-save v1.4.12 on Wed May 16 14:52:01 2012
*filter
:INPUT ACCEPT [168:68743]
:FORWARD ACCEPT [1266:71368]
:OUTPUT ACCEPT [158:83083]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-54 - [0:0]
:nova-compute-inst-55 - [0:0]
:nova-compute-inst-56 - [0:0]
:nova-compute-inst-57 - [0:0]
:nova-compute-inst-58 - [0:0]
:nova-compute-inst-59 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
:nova-manage-FORWARD - [0:0]
:nova-manage-INPUT - [0:0]
:nova-manage-OUTPUT - [0:0]
:nova-manage-local - [0:0]
:nova-network-FORWARD - [0:0]
:nova-network-INPUT - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-local - [0:0]
-A INPUT -j nova-manage-INPUT
-A INPUT -j nova-compute-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j nova-api-INPUT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-manage-FORWARD
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -j nova-network-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-manage-OUTPUT
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.131.0.244/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-compute-inst-54 -m state --state INVALID -j DROP
-A nova-compute-inst-54 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-54 -j nova-compute-provider
-A nova-compute-inst-54 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-54 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-54 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-54 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-54 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-54 -j nova-compute-sg-fallback
-A nova-compute-inst-55 -m state --state INVALID -j DROP
-A nova-compute-inst-55 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-55 -j nova-compute-provider
-A nova-compute-inst-55 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-55 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-55 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-55 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-55 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-55 -j nova-compute-sg-fallback
-A nova-compute-inst-56 -m state --state INVALID -j DROP
-A nova-compute-inst-56 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-56 -j nova-compute-provider
-A nova-compute-inst-56 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-56 -s 192.168.201.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-56 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-56 -s 192.168.201.0/24 -j ACCEPT
-A nova-compute-inst-56 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-56 -j nova-compute-sg-fallback
-A nova-compute-inst-57 -m state --state INVALID -j DROP
-A nova-compute-inst-57 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-57 -j nova-compute-provider
-A nova-compute-inst-57 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-57 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-57 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-57 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-57 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-57 -j nova-compute-sg-fallback
-A nova-compute-inst-58 -m state --state INVALID -j DROP
-A nova-compute-inst-58 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-58 -j nova-compute-provider
-A nova-compute-inst-58 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-58 -s 192.168.206.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-58 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-58 -s 192.168.206.0/24 -j ACCEPT
-A nova-compute-inst-58 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-58 -j nova-compute-sg-fallback
-A nova-compute-inst-59 -m state --state INVALID -j DROP
-A nova-compute-inst-59 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-59 -j nova-compute-provider
-A nova-compute-inst-59 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-59 -s 192.168.207.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-59 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-59 -s 192.168.207.0/24 -j ACCEPT
-A nova-compute-inst-59 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-59 -j nova-compute-sg-fallback
-A nova-compute-local -d 8.8.8.6/32 -j nova-compute-inst-54
-A nova-compute-local -d 9.9.9.3/32 -j nova-compute-inst-54
-A nova-compute-local -d 9.9.9.4/32 -j nova-compute-inst-55
-A nova-compute-local -d 8.8.8.7/32 -j nova-compute-inst-55
-A nova-compute-local -d 8.8.8.8/32 -j nova-compute-inst-56
-A nova-compute-local -d 192.168.201.2/32 -j nova-compute-inst-56
-A nova-compute-local -d 9.9.9.5/32 -j nova-compute-inst-57
-A nova-compute-local -d 8.8.8.9/32 -j nova-compute-inst-57
-A nova-compute-local -d 9.9.9.6/32 -j nova-compute-inst-58
-A nova-compute-local -d 192.168.206.2/32 -j nova-compute-inst-58
-A nova-compute-local -d 9.9.9.7/32 -j nova-compute-inst-59
-A nova-compute-local -d 192.168.207.2/32 -j nova-compute-inst-59
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-manage-local
-A nova-filter-top -j nova-compute-local
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-local
-A nova-network-FORWARD -i br-int -j ACCEPT
-A nova-network-FORWARD -o br-int -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed May 16 14:52:01 2012

AFTER CREATING VM:
# Generated by iptables-save v1.4.12 on Wed May 16 14:54:57 2012
*mangle
:PREROUTING ACCEPT [263188:230724325]
:INPUT ACCEPT [64717:36049324]
:FORWARD ACCEPT [194581:193399081]
:OUTPUT ACCEPT [59942:35114595]
:POSTROUTING ACCEPT [254528:228515316]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed May 16 14:54:57 2012
# Generated by iptables-save v1.4.12 on Wed May 16 14:54:57 2012
*nat
:PREROUTING ACCEPT [41:4806]
:INPUT ACCEPT [59:5066]
:OUTPUT ACCEPT [34:2572]
:POSTROUTING ACCEPT [33:2241]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-manage-OUTPUT - [0:0]
:nova-manage-POSTROUTING - [0:0]
:nova-manage-PREROUTING - [0:0]
:nova-manage-float-snat - [0:0]
:nova-manage-snat - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
:nova-network-float-snat - [0:0]
:nova-network-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-manage-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-manage-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-manage-POSTROUTING
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A nova-api-snat -j nova-api-float-snat
-A nova-compute-snat -j nova-compute-float-snat
-A nova-manage-snat -j nova-manage-float-snat
-A nova-manage-snat -s 192.168.208.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 10.131.0.244/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 10.128.0.0/24 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.131.0.244:8775
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.200.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 8.8.8.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 7.7.7.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 9.9.9.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.201.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.202.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.203.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.204.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 192.168.205.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 6.6.6.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 5.5.5.0/24 -j SNAT --to-source 10.131.0.244
-A nova-network-snat -s 18.18.18.0/24 -j SNAT --to-source 10.131.0.244
-A nova-postrouting-bottom -j nova-compute-snat
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-manage-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Wed May 16 14:54:57 2012
# Generated by iptables-save v1.4.12 on Wed May 16 14:54:57 2012
*filter
:INPUT ACCEPT [951:539981]
:FORWARD ACCEPT [10:807]
:OUTPUT ACCEPT [898:541768]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-54 - [0:0]
:nova-compute-inst-55 - [0:0]
:nova-compute-inst-56 - [0:0]
:nova-compute-inst-57 - [0:0]
:nova-compute-inst-58 - [0:0]
:nova-compute-inst-59 - [0:0]
:nova-compute-inst-60 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
:nova-manage-FORWARD - [0:0]
:nova-manage-INPUT - [0:0]
:nova-manage-OUTPUT - [0:0]
:nova-manage-local - [0:0]
:nova-network-FORWARD - [0:0]
:nova-network-INPUT - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-local - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-manage-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j nova-api-INPUT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-manage-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-manage-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.131.0.244/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-compute-inst-54 -m state --state INVALID -j DROP
-A nova-compute-inst-54 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-54 -j nova-compute-provider
-A nova-compute-inst-54 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-54 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-54 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-54 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-54 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-54 -j nova-compute-sg-fallback
-A nova-compute-inst-55 -m state --state INVALID -j DROP
-A nova-compute-inst-55 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-55 -j nova-compute-provider
-A nova-compute-inst-55 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-55 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-55 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-55 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-55 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-55 -j nova-compute-sg-fallback
-A nova-compute-inst-56 -m state --state INVALID -j DROP
-A nova-compute-inst-56 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-56 -j nova-compute-provider
-A nova-compute-inst-56 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-56 -s 192.168.201.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-56 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-56 -s 192.168.201.0/24 -j ACCEPT
-A nova-compute-inst-56 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-56 -j nova-compute-sg-fallback
-A nova-compute-inst-57 -m state --state INVALID -j DROP
-A nova-compute-inst-57 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-57 -j nova-compute-provider
-A nova-compute-inst-57 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-57 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-57 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-57 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-57 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-57 -j nova-compute-sg-fallback
-A nova-compute-inst-58 -m state --state INVALID -j DROP
-A nova-compute-inst-58 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-58 -j nova-compute-provider
-A nova-compute-inst-58 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-58 -s 192.168.206.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-58 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-58 -s 192.168.206.0/24 -j ACCEPT
-A nova-compute-inst-58 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-58 -j nova-compute-sg-fallback
-A nova-compute-inst-59 -m state --state INVALID -j DROP
-A nova-compute-inst-59 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-59 -j nova-compute-provider
-A nova-compute-inst-59 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-59 -s 192.168.207.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-59 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-59 -s 192.168.207.0/24 -j ACCEPT
-A nova-compute-inst-59 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-59 -j nova-compute-sg-fallback
-A nova-compute-inst-60 -m state --state INVALID -j DROP
-A nova-compute-inst-60 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-60 -j nova-compute-provider
-A nova-compute-inst-60 -s 8.8.8.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-60 -s 192.168.208.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-60 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-60 -s 192.168.208.0/24 -j ACCEPT
-A nova-compute-inst-60 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-60 -j nova-compute-sg-fallback
-A nova-compute-local -d 8.8.8.6/32 -j nova-compute-inst-54
-A nova-compute-local -d 9.9.9.3/32 -j nova-compute-inst-54
-A nova-compute-local -d 9.9.9.4/32 -j nova-compute-inst-55
-A nova-compute-local -d 8.8.8.7/32 -j nova-compute-inst-55
-A nova-compute-local -d 8.8.8.8/32 -j nova-compute-inst-56
-A nova-compute-local -d 192.168.201.2/32 -j nova-compute-inst-56
-A nova-compute-local -d 9.9.9.5/32 -j nova-compute-inst-57
-A nova-compute-local -d 8.8.8.9/32 -j nova-compute-inst-57
-A nova-compute-local -d 9.9.9.6/32 -j nova-compute-inst-58
-A nova-compute-local -d 192.168.206.2/32 -j nova-compute-inst-58
-A nova-compute-local -d 9.9.9.7/32 -j nova-compute-inst-59
-A nova-compute-local -d 192.168.207.2/32 -j nova-compute-inst-59
-A nova-compute-local -d 8.8.8.10/32 -j nova-compute-inst-60
-A nova-compute-local -d 192.168.208.2/32 -j nova-compute-inst-60
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-manage-local
-A nova-filter-top -j nova-api-local
-A nova-network-FORWARD -i br-int -j ACCEPT
-A nova-network-FORWARD -o br-int -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-50c4308f-34 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-5bfd9bfa-d6 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-23abd98f-03 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-7c3078e0-e6 -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-ec8a468b-ea -p tcp -m tcp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-3d604d8e-b8 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-3d604d8e-b8 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i gw-3d604d8e-b8 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i gw-3d604d8e-b8 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed May 16 14:54:57 2012

Can you help with this problem?
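One way to check what these per-instance security-group chains actually permit, without touching the hosts, is to walk the rules the way iptables does. The following is an added example (not code from the post or from Nova): `SAMPLE_RULES` is a constructed excerpt of the dump above, and only the match options that occur in the instance chains (-s, -d, -p, --sport, --dport, --state) are interpreted.

```python
import re
import ipaddress
# Constructed sample: a subset of the iptables-save dump quoted in the post.
SAMPLE_RULES = """\
-A nova-compute-local -d 9.9.9.5/32 -j nova-compute-inst-57
-A nova-compute-local -d 8.8.8.9/32 -j nova-compute-inst-57
-A nova-compute-inst-57 -m state --state INVALID -j DROP
-A nova-compute-inst-57 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-57 -j nova-compute-provider
-A nova-compute-inst-57 -s 9.9.9.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-57 -s 9.9.9.0/24 -j ACCEPT
-A nova-compute-inst-57 -s 8.8.8.0/24 -j ACCEPT
-A nova-compute-inst-57 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-57 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
"""

# Options we interpret; "-m state" / "-m tcp" only load modules and match nothing.
OPT_RE = re.compile(r"(-A|-s|-d|-p|-j|--sport|--dport|--state) (\S+)")

def parse_chains(text):
    """Return {chain: [rule, ...]} in rule order; each rule maps option -> value."""
    chains = {}
    for line in text.splitlines():
        if line.startswith("-A "):
            opts = dict(OPT_RE.findall(line))
            chains.setdefault(opts["-A"], []).append(opts)
    return chains

def rule_matches(rule, pkt):
    """Evaluate the subset of iptables matches that occur in the dump."""
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "-p": lambda v: v == pkt.get("proto"),
        "--sport": lambda v: int(v) == pkt.get("sport"),
        "--dport": lambda v: int(v) == pkt.get("dport"),
        "--state": lambda v: pkt.get("state", "NEW") in v.split(","),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt in checks)

def verdict(chains, chain, pkt):
    """Walk a chain like iptables: ACCEPT/DROP end it, a user chain that falls through returns here, an absent chain matches nothing."""
    for rule in chains.get(chain, []):
        if rule_matches(rule, pkt):
            if rule["-j"] in ("ACCEPT", "DROP"):
                return rule["-j"]
            result = verdict(chains, rule["-j"], pkt)
            if result is not None:
                return result
    return None
```

Feed it a new ICMP packet (state defaults to NEW) from a VM on the other project's subnet and you see directly whether the instance chain accepts it by subnet, falls to the tcp/22 rule, or ends in nova-compute-sg-fallback.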
