Iptables and Neutron (using LinuxBridge)

asked 2015-11-10 13:19:13 -0500

Daz

updated 2015-11-11 01:50:41 -0500

I have 2 hosts, CN and GW, and GW has connectivity to the internet. CN is on a private network. I am using iptables (SNAT) to allow CN to access the internet.

The iptables SNATing rule in the nat POSTROUTING chain is -o eth0 -j SNAT --to-source <public_IP>

However, the neutron linux agent (using the LinuxBridges driver) creates a randomly-named bridge and adds eth0 to it. I do not lose connectivity to the internet in GW, but CN cannot access the internet anymore (wrong iptables rule!).

I see several solutions, but I need some guidance...

Solution A: Is there a way to name the bridge associated with the external network? In that way, instead of a random name, I could use that name in my iptables rule.

Solution B: Is there another way to write the rule?

Solution C (inspired by OVS):

  1. I create a bridge in advance, say br-ex, and add eth0 to it.
  2. I create a veth pair: ip link add veth0 type veth peer name tap0
  3. I add veth0 to br-ex
  4. I configure the neutron linux agent to use tap0 instead of eth0

At step 4, the randomly-named bridge will use tap0 but my iptables rule will mention br-ex. I know how to write the ifcfg files in CentOS7, for steps 1 and 3, to make it persistent. Unfortunately, I do not know how to make step 2 persistent. The only thing I can think of is to create a network script (say, ifup-veth) and pass the variables I need... Any better tip?

Any other solution?

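One way to make steps 2 and 3 of Solution C survive a reboot and to write the SNAT rule against br-ex rather than eth0, as an added example (not code from the original post, from Neutron or from CentOS): an idempotent POSIX shell hook meant to run at boot, for instance from /sbin/ifup-local. It assumes br-ex already exists from step 1 and uses a placeholder public IP.

```shell
#!/bin/sh
# Added example, not from the original post: boot-time hook for Solution C.
# It creates the veth pair idempotently, attaches veth0 to the pre-existing
# br-ex (step 1 is assumed done via ifcfg) and installs the SNAT rule with
# -o br-ex instead of -o eth0. Dry-run by default; APPLY=1 executes (as root).
set -eu

BRIDGE=${BRIDGE:-br-ex}
VETH_BR=${VETH_BR:-veth0}              # end plugged into br-ex
VETH_NEUTRON=${VETH_NEUTRON:-tap0}     # end handed to the LinuxBridge agent
PUBLIC_IP=${PUBLIC_IP:-198.51.100.10}  # placeholder, replace with <public_IP>
if [ "${APPLY:-0}" = 1 ]; then RUN=; else RUN=echo; fi

# link_exists NAME: true when the kernel knows the interface
link_exists() {
    [ -e "/sys/class/net/$1" ]
}

# Re-running on every boot must be safe: skip creation if both ends exist.
ensure_veth_pair() {
    if link_exists "$VETH_BR" && link_exists "$VETH_NEUTRON"; then
        echo "veth pair $VETH_BR/$VETH_NEUTRON already present"
        return 0
    fi
    $RUN ip link add "$VETH_BR" type veth peer name "$VETH_NEUTRON"
    $RUN ip link set "$VETH_BR" master "$BRIDGE"
    $RUN ip link set "$VETH_BR" up
    $RUN ip link set "$VETH_NEUTRON" up
}

# Rule spec without the -A/-C verb so the same text is used to check and add.
snat_rule_spec() {
    printf 'POSTROUTING -o %s -j SNAT --to-source %s' "$BRIDGE" "$PUBLIC_IP"
}

# Once eth0 is enslaved, packets leave GW through the bridge, so match -o br-ex.
# The -C check is read-only and always runs; only the -A honours the dry-run.
ensure_snat_rule() {
    # word splitting of the spec into separate arguments is intended here
    iptables -t nat -C $(snat_rule_spec) 2>/dev/null ||
        $RUN iptables -t nat -A $(snat_rule_spec)
}

main() {
    ensure_veth_pair
    ensure_snat_rule
}

main
```

Run it once with APPLY=1 to verify, then hook it into the boot sequence; the existence checks make repeated runs harmless.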

Comments

Have you found/made any suitable ifup-veth script?

HallFonce (2017-01-01 12:56:56 -0500)