Ask Your Question
0

ip netns - iptables

asked 2017-02-22 09:05:25 -0500

2707974 gravatar image

We have 3 network node's. On two of them I have one working tenant router and at second network node I have backup router.

When I ssh to NN1 and access to tenant router with command

sudo ip netns exec qrouter-ff34f529-ebd8-463d-9eef-351302f4751a bash

I can list NAT rules and see chains. Example:

Chain neutron-vpn-agen-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  172.20.0.140         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.13          anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.214         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.15          anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.101         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.14          anywhere             to:185.56.xxx.xxx

or

 Chain neutron-vpn-agen-OUTPUT (1 references)
 target     prot opt source               destination
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.140
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.13
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.214
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.15
 DNAT       all  --  anywhere             185.56.xxx.xxx       to:172.20.0.101
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.14

Also I have identical iptables rules on backup router.

Question is, where are this rules stored? If answer is in database next question is in which base, table?

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2017-02-22 18:02:31 -0500

Bernd Bausch gravatar image

The rules themselves are not stored in the database. What is stored is router information, which the L3 agent (or VPN agent) code uses to create netfilter rules. For example, this code in neutron/agent/l3/router_info.py:

def _add_snat_rules(self, ex_gw_port, iptables_manager,
                    interface_name):
    self.process_external_port_address_scope_routing(iptables_manager)

    if ex_gw_port:
        # ex_gw_port should not be None in this case
        # NAT rules are added only if ex_gw_port has an IPv4 address
        for ip_addr in ex_gw_port['fixed_ips']:
            ex_gw_ip = ip_addr['ip_address']
            if netaddr.IPAddress(ex_gw_ip).version == 4:
                if self._snat_enabled:
                    rules = self.external_gateway_nat_snat_rules(
                        ex_gw_ip, interface_name)
                    for rule in rules:
                        iptables_manager.ipv4['nat'].add_rule(*rule)

                rules = self.external_gateway_nat_fip_rules(
                    ex_gw_ip, interface_name)
                for rule in rules:
                    iptables_manager.ipv4['nat'].add_rule(*rule)
                rules = self.external_gateway_mangle_rules(interface_name)
                for rule in rules:
                    iptables_manager.ipv4['mangle'].add_rule(*rule)

                break

If you want to see the Neutron database:

$ mysql -uroot -pXXXXXXXX
Welcome to the MariaDB monitor.  Commands end with ; or \g.
(...)
MariaDB [(none)]> use neutron
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [neutron]> show tables;
+-----------------------------------------+
| Tables_in_neutron                       |
+-----------------------------------------+
| address_scopes                          |
| agents                                  |
(...)
| router_extra_attributes                 |
| routerl3agentbindings                   |
| routerports                             |
| routerroutes                            |
| routerrules                             |
| routers                                 |
| securitygroupportbindings               |
| securitygrouprules                      |
| securitygroups                          |
(...)
+-----------------------------------------+
162 rows in set (0.00 sec)
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-02-22 09:05:25 -0500

Seen: 1,200 times

Last updated: Feb 22 '17

Related questions

SNAT DVR not working, missing iptables rules?

Lbaas in Kilo error

Neutron br-int LINK-DOWN on compute node

Openstack juno network node-external network interface

What is the use of the Dead VLAN tag 4095 on quantum openvswitch plugin?

quantum-2012.1~e2 ImportError: No module named server

Error in the association floating ip with 2 networks.

how to quota for specific subnet!

tenant and external network vlan mapping

Cannot get ip from DHCP server