Outgoing traffic from the VMs is SNATed to the IP of the network host (old mode) or the compute host (HA Networking --multi_host mode). This is to allow for them to communicate with the rest of the internet. It may be that there are some services that the hosts need to communicate with that are on an internal network where you want the source IP to remain the private IP of the host. The accept rule stops the normal SNAT. The most common use case is to allow the metadata API to use the private IP to look up data for the instance, so generally you can just set it to the /32 of your metadata server if you have just one. It is a CIDR in case there are multiple services that you want to keep using the internal private IPs.

On Jan 25, 2012, at 10:20 AM, David Kranz wrote:

New question #185826 on OpenStack Compute (nova):

Looking at the source, all it does is add an iptables rule like

-A nova-network-POSTROUTING -s -d -j ACCEPT

I am not fluent in iptables and could not find anything about this with a web search. Is there an easy explanation of when and why you would want to set this flag?

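The behaviour described in the answer above, modelled as an added example (this is not nova's code): the nat POSTROUTING chain is walked first-match-wins, so an ACCEPT for the exempted CIDR placed ahead of the SNAT rule leaves the VM's private source address intact for that destination only. The fixed range 10.0.0.0/24, the host address 203.0.113.10, the metadata address 169.254.169.254/32 and the parameter name `no_snat_cidr` are constructed for illustration, since the page does not name the option.

```python
"""Model of the nova-network POSTROUTING NAT chain (added example, not nova code).

Assumed, constructed values: VM fixed range 10.0.0.0/24, compute host address
203.0.113.10 used as the SNAT source, metadata server 169.254.169.254/32 as the
CIDR exempted from SNAT. `no_snat_cidr` is a hypothetical parameter name.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def build_postrouting_chain(fixed_range, no_snat_cidr, host_ip):
    """Return (target, src_cidr, dst_cidr, to_source) rules in the order the
    answer describes: the ACCEPT for the exempted CIDR first, then the SNAT."""
    rules = []
    if no_snat_cidr:
        rules.append(("ACCEPT", fixed_range, no_snat_cidr, None))
    rules.append(("SNAT", fixed_range, "0.0.0.0/0", host_ip))
    return rules


def apply_nat(packet, chain):
    """Walk the chain as the nat table does: the first matching rule decides.
    ACCEPT ends traversal with the packet untouched; SNAT rewrites the source."""
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    for target, s_cidr, d_cidr, to_source in chain:
        if src in ipaddress.ip_network(s_cidr) and dst in ipaddress.ip_network(d_cidr):
            if target == "ACCEPT":
                return packet  # source stays the VM's private address
            if target == "SNAT":
                return replace(packet, src=to_source)
    return packet  # no rule matched (e.g. traffic not from the fixed range)


def render_iptables(chain):
    """Render the chain as iptables-save style lines, to compare against
    `iptables -t nat -S nova-network-POSTROUTING` on a real host."""
    lines = []
    for target, s_cidr, d_cidr, to_source in chain:
        line = f"-A nova-network-POSTROUTING -s {s_cidr} -d {d_cidr} -j {target}"
        if target == "SNAT":
            line += f" --to-source {to_source}"
        lines.append(line)
    return lines
```

Running the model with the exemption set shows a packet to the metadata address leaving with 10.0.0.x as its source while one to a public address leaves as 203.0.113.10; without the exemption both are rewritten, which is exactly the metadata lookup problem the answer describes.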