iptables rules for external access are not correct

Hi AnasASO,

I checked the iptable rules and I don't think that quantum's problem.

Besides, I deployed a openstack with two virtual machine each have two NIC according to your description.
However, the virtual machine can ping machines in networks both 192.168.224.0/24 and 172.16.1.0/24

So, could you provider more info about you deployment and check if you can ping 192.168.224.224 from other host in the same network.

thanks Jiajun Liu for your reply.

------------------------------------------------------------------------------------------------------------------------
My install is as follow :
  - two physical nodes, each with two NICs (one for management network, and the other for Data network (VMs) )
  - OpenStack Folsom
  - OS : CentOS 6.3
  - L2 plugin : Linuxbridge
  - namespaces=False
  - dhcp-agent is running on the controller node (with all openstack services : nova, glance, cinder, quantum-server, ...)
  - l3-agent is runnig on the compute node
  - Floating IPs rang : 192.168.224.224 --> 192.168.224.230 ; cidr=192.168.224.0/24 ; gateway=192.168.224.254
  - Fixed IPs rang : 172.16.1.0/24
------------------------------------------------------------------------------------------------------------------------

I can ping 192.168.224.224, which is the IP address of the Quantum router, from other hosts in the same network.

I'm a little confused with your deployment's description. You said that you used VMs to set up a scenario like mine. Then you said that you can ping 192.168.224.0/24 and 172.16.1.0/24 from the virtual machine. So, in last part, which VM are you talking about? The one that you used for the deployment or some VM created using OpenStack?

My problem is that the outgoing packets(from a VM) are not SNATed. And when I delete this rule :
"ACCEPT all -- !qg-3d0ac89c-d8 !qg-3d0ac89c-d8 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT"
everything works fine !!! Truly I don't know the reason for having such rule in the nat table.

Please if you need more specific information, you can ask for it. I'm really blocked because of that problem.

Hi AnasASO,

At first, I mean some VM created using OpenStack can ping both 192.168.224.0/24 and 172.16.1.0/24 in my environment.

Secondly, I need more info about your environment. Could you please paste the output of the following commands running on compute node.

# ip netns list
# brctl show
# iptables-save

thanks

Hi Jiajun Liu. I've mentioned before that I'm not using namespaces. So, the output of the first command you asked is : (Object "netns" is unknown, try "ip help".)

brctl show >>
------------------------------------------------------------
brq299a4018-98 8000.000a5e54308b no eth0.1001
       tapfe0784c8-1a
brq4db71c48-f0 8000.000a5e54308b no eth0.1000
       tap01bb04cd-0e
------------------------------------------------------------

iptables-save >>
------------------------------------------------------------
# Generated by iptables-save v1.4.7 on Mon Apr 29 15:38:48 2013
*mangle
:PREROUTING ACCEPT [9566200:5431800833]
:INPUT ACCEPT [7417313:4630575119]
:FORWARD ACCEPT [2136468:799817919]
:OUTPUT ACCEPT [6080259:1881183110]
:POSTROUTING ACCEPT [8244248:2681466731]
:nova-compute-POSTROUTING - [0:0]
-A POSTROUTING -j nova-compute-POSTROUTING
COMMIT
# Completed on Mon Apr 29 15:38:48 2013
# Generated by iptables-save v1.4.7 on Mon Apr 29 15:38:48 2013
*nat
:PREROUTING ACCEPT [782013:49473807]
:POSTROUTING ACCEPT [3:672]
:OUTPUT ACCEPT [102890:6195331]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-postrouting-bottom - [0:0]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-POSTROUTING - [0:0]
:quantum-l3-agent-PREROUTING - [0:0]
:quantum-l3-agent-float-snat - [0:0]
:quantum-l3-agent-snat - [0:0]
:quantum-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A PREROUTING -j quantum-l3-agent-PREROUTING
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j quantum-l3-agent-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -j quantum-postrouting-bottom
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j quantum-l3-agent-OUTPUT
-A nova-compute-snat -j nova-compute-float-snat
-A nova-postrouting-bottom -j nova-compute-snat
-A quantum-l3-agent-POSTROUTING ! -i qg-fe0784c8-1a ! -o qg-fe0784c8-1a -m conntrack ! --ctstate DNAT -j ACCEPT
-A quantum-l3-agent-snat -j quantum-l3-agent-float-snat
-A quantum-l3-agent-snat -s 172.16.1.0/24 -j SNAT --to-source 192.168.224.224
-A quantum-postrouting-bottom -j quantum-l3-agent-snat
COMMIT
# Completed on Mon Apr 29 15:38:48 2013
# Generated by iptables-save v1.4.7 on Mon Apr 29 15:38:48 2013
*filter
:INPUT ACCEPT [8415:661901]
:FORWARD ACCEPT [8217:1112513]
:OUTPUT ACCEPT [26499:8855083]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
:quantum-filter-top - [0:0]
:quantum-l3-agent-FORWARD - [0:0]
:quantum-l3-agent-INPUT - [0:0]
:quantum-l3-agent-OUTPUT - [0:0]
:quantum-l3-agent-local - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -j quantum-l3-agent-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6080 -j ACCEPT
-A FORWARD -j nova-filter-top ...

Hi, I managed to get this "problem" solved by eliminating the lines that are responsible for this entry :
-A quantum-l3-agent-POSTROUTING ! -i qg-fe0784c8-1a ! -o qg-fe0784c8-1a -m conntrack ! --ctstate DNAT -j ACCEPT
but here I'm changing the normal behaviour of Quantum. Applying this change will fore every packet originated from a VM to be SNATed even if its destination is an other VM attached to same router .

the attached file is the one responsible for creating this entry in the nat table : /usr/lib/python2.6/site-packages/quantum/agent/l3_agent.py
the modifications I made are in the following lines 401 and 418

Hi AnasASO,

Sorry, I need more info. Could you please paste the output of the following commands running on compute node.

# ip link list
# ip addr list

Hi,
well I guess I know what is the problem.
According to this link : http://d.hatena.ne.jp/enakai00/20121118/1353226066
the entries of /etc/sysctl.conf in the network node MUST be different from those of the compute node. It seems that a filtering on the layer 2 (OSI model) is done to decide whether the packets should be SNATed or not.
But in my case, as I said above, the l3-agent is running on the compute node. Which means I can't do the mentioned recommendation(about the sysctl.conf file).
Please Jiajun Liu, can you confirm this "theory" or correct me if I am wrong .

I met the same problem as AnasASO, but the difference with him is my network node stands alone. I used the same method to solve the problem temporarily. But as we know that we changed normal behaviour of Quantum. Please help!

Your feedback is appreciated.

Looks like this is specific to CentOS6.4.