
ip netns - iptables

asked 2017-02-22 09:05:25 -0600

2707974

We have 3 network nodes. On two of them I have one working tenant router, and on the second network node I have a backup router.

When I ssh to NN1 and access the tenant router with the command

sudo ip netns exec qrouter-ff34f529-ebd8-463d-9eef-351302f4751a bash

I can list the NAT rules and see the chains. Example:

Chain neutron-vpn-agen-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  172.20.0.140         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.13          anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.214         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.15          anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.101         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.14          anywhere             to:185.56.xxx.xxx

or

Chain neutron-vpn-agen-OUTPUT (1 references)
target     prot opt source               destination
DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.140
DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.13
DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.214
DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.15
DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.101
DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.14

I also have identical iptables rules on the backup router.

The question is, where are these rules stored? If the answer is in the database, the next question is: in which database and table?


1 answer


answered 2017-02-22 18:02:31 -0600

The rules themselves are not stored in the database. What is stored is router information, which the L3 agent (or VPN agent) code uses to create netfilter rules. For example, this code in neutron/agent/l3/router_info.py:

def _add_snat_rules(self, ex_gw_port, iptables_manager,
                    interface_name):
    self.process_external_port_address_scope_routing(iptables_manager)

    if ex_gw_port:
        # ex_gw_port should not be None in this case
        # NAT rules are added only if ex_gw_port has an IPv4 address
        for ip_addr in ex_gw_port['fixed_ips']:
            ex_gw_ip = ip_addr['ip_address']
            if netaddr.IPAddress(ex_gw_ip).version == 4:
                if self._snat_enabled:
                    rules = self.external_gateway_nat_snat_rules(
                        ex_gw_ip, interface_name)
                    for rule in rules:
                        iptables_manager.ipv4['nat'].add_rule(*rule)

                rules = self.external_gateway_nat_fip_rules(
                    ex_gw_ip, interface_name)
                for rule in rules:
                    iptables_manager.ipv4['nat'].add_rule(*rule)
                rules = self.external_gateway_mangle_rules(interface_name)
                for rule in rules:
                    iptables_manager.ipv4['mangle'].add_rule(*rule)

                break

If you want to see the Neutron database:

$ mysql -uroot -pXXXXXXXX
Welcome to the MariaDB monitor.  Commands end with ; or \g.
(...)
MariaDB [(none)]> use neutron
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [neutron]> show tables;
+-----------------------------------------+
| Tables_in_neutron                       |
+-----------------------------------------+
| address_scopes                          |
| agents                                  |
(...)
| router_extra_attributes                 |
| routerl3agentbindings                   |
| routerports                             |
| routerroutes                            |
| routerrules                             |
| routers                                 |
| securitygroupportbindings               |
| securitygrouprules                      |
| securitygroups                          |
(...)
+-----------------------------------------+
162 rows in set (0.00 sec)
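The answer's point is that the chains seen in the qrouter namespace are derived from stored router state (gateway IP, floating-IP associations) rather than stored as iptables text. The following added example, which is not Neutron's code and not part of the answer, makes that derivation concrete: it builds the SNAT/DNAT pairs the agent would produce from a constructed router record, parses an `iptables -t nat -L` listing in the layout shown in the question, and reports any rule that is missing or that the router state does not explain. The `ROUTER` dict, the RFC 5737 addresses and `SAMPLE_LISTING` are constructed stand-ins; the rule shapes follow the float-snat and OUTPUT chains above, and the rules only cover IPv4 addresses, as the quoted `_add_snat_rules` does.

```python
"""Derive the NAT rules Neutron's L3 agent would program for a router from the
router's stored state and compare them with the live listing from the qrouter
namespace.  Added example, not Neutron's code; the router record, addresses and
listing below are constructed for illustration.
"""
import ipaddress
import re

# Constructed stand-in for the data Neutron keeps in its router / floating-IP
# tables.  Addresses are documentation ranges (RFC 5737), not real ones.
ROUTER = {
    "id": "ROUTER-ID-PLACEHOLDER",
    "external_gateway_ip": "203.0.113.10",
    "floating_ips": [
        {"fixed_ip": "172.20.0.140", "floating_ip": "203.0.113.20"},
        {"fixed_ip": "172.20.0.13", "floating_ip": "203.0.113.21"},
    ],
}


def expected_nat_rules(router):
    """Return (snat, dnat): sets of (matched address, translated-to address)."""
    snat = set()
    dnat = set()
    for fip in router["floating_ips"]:
        fixed = ipaddress.ip_address(fip["fixed_ip"])
        floating = ipaddress.ip_address(fip["floating_ip"])
        if fixed.version != 4 or floating.version != 4:
            continue  # like the agent, only IPv4 addresses get NAT rules
        snat.add((str(fixed), str(floating)))   # source fixed IP -> to:floating
        dnat.add((str(floating), str(fixed)))   # destination floating -> to:fixed
    return snat, dnat


# One rule line of `iptables -t nat -L` output, e.g.
# "SNAT       all  --  172.20.0.140         anywhere             to:203.0.113.20"
_RULE_RE = re.compile(
    r"^\s*(SNAT|DNAT)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+to:(\S+)\s*$"
)


def parse_iptables_listing(text):
    """Extract (address, translated-to) pairs from SNAT and DNAT rule lines."""
    snat = set()
    dnat = set()
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # chain headers, column headers, blank lines
        target, src, dst, to = m.groups()
        if target == "SNAT":
            snat.add((src, to))
        else:
            dnat.add((dst, to))
    return snat, dnat


def audit(router, listing):
    """Compare expected rules with the live listing.

    Returns rules the router state predicts but the namespace lacks, and rules
    present in the namespace that the router state does not account for
    (stale entries, or something other than the agent programmed them).
    """
    exp_snat, exp_dnat = expected_nat_rules(router)
    live_snat, live_dnat = parse_iptables_listing(listing)
    return {
        "missing_snat": exp_snat - live_snat,
        "missing_dnat": exp_dnat - live_dnat,
        "unexpected_snat": live_snat - exp_snat,
        "unexpected_dnat": live_dnat - exp_dnat,
    }


# Constructed listing in the layout of the question's output: one DNAT entry
# is absent and one SNAT entry has no matching floating IP in ROUTER.
SAMPLE_LISTING = """\
Chain neutron-vpn-agen-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  172.20.0.140         anywhere             to:203.0.113.20
SNAT       all  --  172.20.0.13          anywhere             to:203.0.113.21
SNAT       all  --  172.20.0.99          anywhere             to:203.0.113.99

Chain neutron-vpn-agen-OUTPUT (1 references)
target     prot opt source               destination
DNAT       all  --  anywhere             203.0.113.20         to:172.20.0.140
"""

if __name__ == "__main__":
    for key, rules in audit(ROUTER, SAMPLE_LISTING).items():
        print(key, sorted(rules))
```

Against a real deployment the listing would come from `ip netns exec qrouter-<id> iptables -t nat -L`, and the router record from the Neutron API or the tables the answer lists; running the comparison on both the active and the backup router is a cheap way to confirm the two really carry the same rule set.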
Last updated: Feb 22 '17