# Iptables and Neutron (using LinuxBridge)

I have 2 hosts, CN and GW, and GW has connectivity to the internet. CN is on a private network. I am using iptables (SNAT) to allow CN to access the internet.

The iptables SNAT rule in the nat POSTROUTING chain is `-o eth0 -j SNAT --to-source <public_IP>`

However, the neutron linux agent (using the LinuxBridge driver) creates a randomly-named bridge and adds eth0 to it. I do not lose connectivity to the internet on GW, but CN cannot access the internet anymore (wrong iptables rule!).

I see several solutions, but I need some guidance...

Solution A: Is there a way to name the bridge associated with the external network? In that way, instead of a random name, I could use that name in my iptables rule.

Solution B: Is there another way to write the rule?

Solution C (inspired from OVS):

1. I create a bridge in advance, say br-ex, and add eth0 to it.
2. I create a veth pair: `ip link add veth0 type veth peer name tap0`
3. I add veth0 to br-ex
4. I configure the neutron linux agent to use tap0 instead of eth0

At step 4, the randomly-named bridge will use tap0 but my iptables rule will mention br-ex. I know how to write the ifcfg files in CentOS 7, for steps 1 and 3, to make it persistent. Unfortunately, I do not know how to make step 2 persistent. The only thing I can think of is to create a network script (say, ifup-veth) and pass the variables I need... Any better tip?

Any other solution?

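The following is an added example, not code from the question or from Neutron, showing one way to make step 2 of Solution C persistent on CentOS 7 without a custom ifup-veth script: the network-scripts run `/sbin/ifup-local <DEVICE>` (if that file exists and is executable) after each interface is brought up, so a hook there can re-create the veth pair and enslave `veth0` to `br-ex` whenever `br-ex` comes up. The bridge and veth names are the ones from the question; the public IP `203.0.113.10` and the `DRY_RUN` switch are assumptions added for illustration, and the SNAT rule is written against `br-ex` instead of `eth0` (the interface Neutron moves into its own brq* bridge).

```shell
#!/bin/sh
# Added example (not from the original post): /sbin/ifup-local hook for
# CentOS 7 network-scripts. ifup-post runs "/sbin/ifup-local <DEVICE>" after
# an interface comes up, which makes the veth pair from step 2 persistent.
# Names follow the post; the public IP is a TEST-NET-3 placeholder (assumed).

EXT_BRIDGE="${EXT_BRIDGE:-br-ex}"       # bridge from step 1, holds eth0 and veth0
VETH_BR="${VETH_BR:-veth0}"             # veth end enslaved to br-ex
VETH_NEUTRON="${VETH_NEUTRON:-tap0}"    # veth end handed to the neutron linuxbridge agent
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"  # placeholder SNAT source address (assumption)

# Execute a command, or only print it when DRY_RUN is set, so the hook can
# be exercised without root and without touching the host's links.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

link_exists() {
  ip link show "$1" >/dev/null 2>&1
}

# Idempotently (re)create the veth pair and enslave the bridge-side end.
# If either end is missing, any leftover end is removed and the pair is
# created afresh (deleting one end of a veth pair removes both).
ensure_veth() {
  if ! link_exists "$VETH_BR" || ! link_exists "$VETH_NEUTRON"; then
    link_exists "$VETH_BR" && run ip link del "$VETH_BR"
    link_exists "$VETH_NEUTRON" && run ip link del "$VETH_NEUTRON"
    run ip link add "$VETH_BR" type veth peer name "$VETH_NEUTRON"
  fi
  run ip link set "$VETH_BR" master "$EXT_BRIDGE"
  run ip link set "$VETH_BR" up
  run ip link set "$VETH_NEUTRON" up
}

# SNAT on the bridge you named yourself, not on eth0, which neutron moves
# into its randomly named brq* bridge. "-C" checks first so the rule is not
# duplicated every time the interface bounces.
ensure_snat_rule() {
  if ! iptables -t nat -C POSTROUTING -o "$EXT_BRIDGE" -j SNAT --to-source "$PUBLIC_IP" >/dev/null 2>&1; then
    run iptables -t nat -A POSTROUTING -o "$EXT_BRIDGE" -j SNAT --to-source "$PUBLIC_IP"
  fi
}

# Entry point: network-scripts pass the interface name as $1; act only when
# the external bridge itself comes up.
case "${1:-}" in
  "$EXT_BRIDGE") ensure_veth; ensure_snat_rule ;;
esac
```

Install it as `/sbin/ifup-local` (mode 0755); with the ifcfg files for `br-ex`, `eth0` and `veth0` from steps 1 and 3 in place, `ifup br-ex` will then also rebuild the veth pair. Step 4 is the agent's standard `physical_interface_mappings` setting in `linuxbridge_agent.ini` (for example `physical_interface_mappings = physnet1:tap0`, with `physnet1` an assumed provider network label). Run the hook with `DRY_RUN=1 /sbin/ifup-local br-ex` to see which commands it would issue before letting it change anything. If the SNAT rule is also kept in `/etc/sysconfig/iptables`, the `-C` check keeps the hook from adding a duplicate.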