Iptables and nova-network's nova-network-snat are not working correctly

asked 2014-10-15 07:04:20 -0500

fengyc

Hi, all.

There are Win7 and Linux VMs on the same compute node. All Linux VMs can access the external network, but all Win7 VMs cannot!

The network configuration:
nova-network multi-host
Internal network interface: em3 promisc
flat bridge: br100
flat interface: em3
vm ip range: 20.0.0.0/22
public network interface: em1 ( 172.18.215.8 , this is the routing_source_ip )

I traced the iptables output. It looks like nova-network-snat failed; otherwise the output in kern.log should end with nat:nova-network-snat. I also noticed that IN= OUT=em1 PHYSIN=vnet0 (Linux) and IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 (Win7) were different. But I don't understand why this happened or how I could fix it.

Thanks.

Commands:

modprobe ipt_LOG
iptables -t raw -A PREROUTING -s 20.0.0.5 -p icmp -j TRACE
iptables -t raw -A PREROUTING -s 20.0.0.2 -p icmp -j TRACE

20.0.0.5 is a Win7 VM, 20.0.0.2 is a Linux VM. Neither of them has a floating IP. I then pinged an external IP address and found the following in /var/log/kern.log:

( linux vm )

nat:nova-network-snat:rule:2 IN= OUT=em1 PHYSIN=vnet0 SRC=20.0.0.2 DST=222.200.160.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5935 DF PROTO=ICMP TYPE=8 CODE=0 ID=41729 SEQ=0
( end of log )

( win7 vm )

nat:nova-network-snat:return:3 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:nova-postrouting-bottom:rule:3 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10  
nat:nova-api-metadat-snat:rule:1 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:nova-api-metadat-float-snat:return:1 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:nova-api-metadat-snat:return:2 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:nova-postrouting-bottom:return:4 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:POSTROUTING:policy:5 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200 ...

1 answer


answered 2014-10-15 09:29:04 -0500

fengyc

I still don't know why the ICMP packets from the Win7 VM could not be redirected to em1. I checked the log and found that the packets were redirected to em3 after mangle:FORWARD.

raw:PREROUTING:policy:3 IN=br100 OUT= PHYSIN=vnet1 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
mangle:PREROUTING:policy:1 IN=br100 OUT= PHYSIN=vnet1 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:PREROUTING:rule:1 IN=br100 OUT= PHYSIN=vnet1 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:nova-compute-PREROUTING:return:1 IN=br100 OUT= PHYSIN=vnet1  SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:PREROUTING:rule:2 IN=br100 OUT= PHYSIN=vnet1 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:nova-network-PREROUTING:return:2 IN=br100 OUT= PHYSIN=vnet1  SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:PREROUTING:rule:3 IN=br100 OUT= PHYSIN=vnet1 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:nova-api-metadat-PREROUTING:return:1 IN=br100 OUT= PHYSIN=vnet1 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
nat:PREROUTING:policy:4 IN=br100 OUT= PHYSIN=vnet1 SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
mangle:FORWARD:policy:1 IN=br100 OUT=br100 PHYSIN=vnet1 PHYSOUT=em3  SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
filter:FORWARD:rule:1 IN=br100 OUT=br100 PHYSIN=vnet1 PHYSOUT=em3  SRC=20.0.0.5 DST=222.200.160.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=312 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=10
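An added example, not part of the original post: a small Python parser for the TRACE lines shown above that reports, per source address, whether the packet matched a rule in nova-network-snat and which interface it was leaving on. The function names are made up for this example; the sample lines are taken from the post's log excerpts with trailing fields trimmed.

```python
import re

# Lines taken from the kernel log excerpts in the post, trailing fields trimmed.
SAMPLE = """\
nat:nova-network-snat:rule:2 IN= OUT=em1 PHYSIN=vnet0 SRC=20.0.0.2 DST=222.200.160.2 PROTO=ICMP
mangle:FORWARD:policy:1 IN=br100 OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 PROTO=ICMP
nat:nova-network-snat:return:3 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 PROTO=ICMP
nat:nova-postrouting-bottom:rule:3 IN= OUT=br100 PHYSIN=vnet1 PHYSOUT=em3 SRC=20.0.0.5 DST=222.200.160.2 PROTO=ICMP
"""

# "table:chain:kind:rulenum" followed by KEY=VALUE fields; a syslog prefix is skipped.
HOP = re.compile(r"(raw|mangle|nat|filter|security):([\w-]+):(rule|return|policy):(\d+)\s+(.*)")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_trace(line):
    """Return one TRACE hop as a dict, or None if the line is not a TRACE hop."""
    m = HOP.search(line)
    if not m:
        return None
    table, chain, kind, num, rest = m.groups()
    hop = {"table": table, "chain": chain, "kind": kind, "rule": int(num)}
    hop.update(FIELD.findall(rest))  # flags without "=" (e.g. DF) are ignored
    return hop


def snat_verdicts(lines, chain="nova-network-snat"):
    """Per source IP: did the packet match a rule in `chain`, and where was it going?"""
    out = {}
    for hop in filter(None, map(parse_trace, lines)):
        src = hop.get("SRC")
        if src is None or hop["table"] != "nat" or hop["chain"] != chain:
            continue
        entry = out.setdefault(src, {"matched": False, "out": "", "bridged_via": None})
        entry["matched"] |= hop["kind"] == "rule"  # "return" means no rule took the packet
        entry["out"] = hop.get("OUT", "")
        entry["bridged_via"] = hop.get("PHYSOUT")  # logged only when leaving via a bridge port
    return out


if __name__ == "__main__":
    for src, verdict in snat_verdicts(SAMPLE.splitlines()).items():
        print(src, verdict)
```

Run against a full kern.log, the same function makes the difference the post describes visible at a glance: a source whose entry shows `bridged_via` set was leaving through a bridge port when it reached the SNAT chain.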


Stats

Asked: 2014-10-15 06:22:41 -0500

Seen: 189 times

Last updated: Oct 15 '14