
How to edit the SNAT rules of the L3 agent?

asked 2013-09-26 10:04:28 -0500

asadxflow gravatar image

I just wanted to ask if it is possible to forward all packets that are received at the physical interface (eth0 which is added to br-ex) to the VM? I mean forwarding packets which don't have VM's IP as their destination IP.

I am using a single node openstack+neutron (openvswitch) environment with floating IPs assigned to the VM. The VM is able to receive packets from outside world which have its floating IP as destination IP address.

But I want to forward all traffic on the physical interface to this VM or even some packets that have different destination IP address.

I have tried adding rules into the br-ex bridge but the packets are not forwarded to VM.


2 answers


answered 2013-09-26 12:22:49 -0500

asadxflow gravatar image

I have further looked into it and found that the neutron L3 agent which performs the SNAT (from qg-XXXX to qr-XXXX interface) drops the packets which are not in the private network and only forwards those packets (onto qr-XXXXX) which are in the private network.

Is it possible to edit the SNAT rules of the L3 agent so that it forwards packets of specific source/dest IPs to a certain VM?


answered 2013-10-02 16:12:12 -0500

salvatore-orlando gravatar image

I am not sure why you would do something like this, but that is beyond the scope of this question.

The following assumes you are running neutron with namespace support enabled. If you want to alter NAT rules generated by the l3 agent, you first need to identify your router's namespace name. The name is 'qrouter-%s' % router_id.

Then in this namespace run iptables -nt nat --list

salvatore@ubuntu:~/devstack$ sudo ip netns exec qrouter-e9ba3b1f-9840-41d3-8aec-81977dee69b1 iptables -nt nat --list

The following chain contains the default SNAT rules.

neutron-vpn-agen-float-snat all --
SNAT all -- to:

Please note however that your changes are likely to be overwritten when neutron server synchronizes the router with the l3 agent, which might happen, for instance, when a new subnet is added to the router. For making persistent changes to satisfy your use case, the l3 agent code should be modified accordingly.

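As an added example (not from the answer above and not neutron's own code): a small parser for the `iptables -nt nat --list` output of a qrouter namespace, which picks out the catch-all SNAT rule, the per-VM float-snat mappings, and which rules disappeared between two listings, so a hand edit that was silently overwritten on resync can be spotted. The sample listing is constructed; the chain names follow the answer, the addresses are made up.

```python
import re
from collections import namedtuple

NatRule = namedtuple("NatRule", "chain target source destination to")  # to = address after "to:"

# Constructed sample of `iptables -nt nat --list` output from a qrouter
# namespace; chain names follow the page, the addresses are made up.
SAMPLE = """\
Chain neutron-vpn-agen-snat (1 references)
target     prot opt source               destination
neutron-vpn-agen-float-snat  all  --  0.0.0.0/0            0.0.0.0/0
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.24.4.3

Chain neutron-vpn-agen-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  10.0.0.5             0.0.0.0/0            to:172.24.4.4
SNAT       all  --  10.0.0.9             0.0.0.0/0            to:172.24.4.5
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")

def parse_nat_table(text):
    """Turn `iptables -nt nat --list` text into NatRule records."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:                     # "Chain <name> (...)" starts a new chain
            chain = m.group(1)
            continue
        if chain is None or not line.strip() or line.startswith("target"):
            continue              # blank separator or column header
        fields = line.split()
        target, _prot, _opt, src, dst = fields[:5]
        to = next((f[3:] for f in fields[5:] if f.startswith("to:")), "")
        rules.append(NatRule(chain, target, src, dst, to))
    return rules

def default_snat(rules):  # catch-all SNAT (source 0.0.0.0/0) -> (chain, external IP)
    for r in rules:
        if r.target == "SNAT" and r.source == "0.0.0.0/0":
            return r.chain, r.to
    return None

def floating_ip_map(rules):  # fixed IP -> floating IP from the *float-snat chain
    return {r.source: r.to for r in rules
            if r.target == "SNAT" and r.chain.endswith("float-snat")}

def missing_after_resync(before, after):
    """Rules in an earlier listing that a later one no longer contains."""
    return [r for r in before if r not in after]
```

Feed it two listings taken before and after the l3 agent resyncs the router and `missing_after_resync` shows exactly which manual rules were lost.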


Last updated: Oct 02 '13