What is the purpose of dmz_cidr?

asked 2012-01-25 18:19:24 -0500

david-kranz

Looking at the source, all it does is add an iptables rule like

-A nova-network-POSTROUTING -s 10.0.0.0/24 -d 172.18.0.131/32 -j ACCEPT

I am not fluent in iptables and could not find anything about this with a web search. Is there an easy explanation of when and why you would want to set this flag?


1 answer


answered 2012-01-25 18:27:18 -0500

vishvananda

Outgoing traffic from the VMs is SNATed to the IP of the network host (old mode) or the compute host (HA Networking --multi_host mode). This is to allow them to communicate with the rest of the internet. It may be that there are some services that the hosts need to communicate with that are on an internal network where you want the source IP to remain the private IP of the host. The ACCEPT rule stops the normal SNAT. The most common use case is to allow the metadata API to use the private IP to look up data for the instance, so generally you can just set it to the /32 of your metadata server if you have just one. It is a CIDR in case there are multiple services that you want to keep using the internal private IPs.

On Jan 25, 2012, at 10:20 AM, David Kranz wrote:

New question #185826 on OpenStack Compute (nova): https://answers.launchpad.net/nova/+q...


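An added example, not from the original thread, that models the nat POSTROUTING traversal the answer describes: the ACCEPT rule for dmz_cidr terminates nat processing before the SNAT rule is reached, so traffic to the metadata server keeps its fixed IP while everything else is rewritten. The host address and sample destinations are constructed; the 10.0.0.0/24 and 172.18.0.131/32 values are the ones from the question's rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

HOST_IP = "203.0.113.10"       # constructed: address of the network/compute host
FIXED_RANGE = "10.0.0.0/24"    # instance fixed range, from the rule in the question
DMZ_CIDR = "172.18.0.131/32"   # dmz_cidr value, from the rule in the question


@dataclass(frozen=True)
class Rule:
    src: str                      # -s match (CIDR)
    dst: str                      # -d match (CIDR)
    target: str                   # "ACCEPT" or "SNAT"
    to_source: Optional[str] = None   # --to-source for SNAT


def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))


def postrouting(chain, src_ip: str, dst_ip: str) -> str:
    """Walk the nat POSTROUTING chain the way iptables does: the first matching
    terminating target decides. ACCEPT ends nat processing with the packet
    untouched; SNAT rewrites the source. Returns the source the packet leaves with.
    (The real nat table only sees the first packet of each connection.)"""
    for rule in chain:
        if not matches(rule, src_ip, dst_ip):
            continue
        if rule.target == "ACCEPT":
            return src_ip
        if rule.target == "SNAT":
            return rule.to_source
    return src_ip  # chain policy ACCEPT: no translation


# Chain as nova-network builds it: the dmz_cidr ACCEPT first, then the SNAT.
NOVA_CHAIN = [
    Rule(FIXED_RANGE, DMZ_CIDR, "ACCEPT"),
    Rule(FIXED_RANGE, "0.0.0.0/0", "SNAT", HOST_IP),
]
# Same rules reversed: the ACCEPT can never match, so dmz_cidr has no effect.
MISORDERED_CHAIN = list(reversed(NOVA_CHAIN))


def demo() -> dict:
    return {
        "to_metadata": postrouting(NOVA_CHAIN, "10.0.0.5", "172.18.0.131"),
        "to_internet": postrouting(NOVA_CHAIN, "10.0.0.5", "198.51.100.7"),
        "misordered": postrouting(MISORDERED_CHAIN, "10.0.0.5", "172.18.0.131"),
    }
```

Running demo() shows the metadata-bound packet leaving as 10.0.0.5 and the other two as 203.0.113.10, which is why the ACCEPT rule must sit above the SNAT rule in the chain.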


1 follower

Stats

Asked: 2012-01-25 18:19:24 -0500

Seen: 63 times

Last updated: Jan 25 '12