
Revision history [back]

initial version

cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instances cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but the ping fails from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but the ping fails from the instance.

Both report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-67268f81-86"  // I can ping this form instance
                    Interface "qg-67268f81-86"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-67268f81-86: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.211/24 brd 172.31.9.255 scope global qg-67268f81-86   //qg_IP
    inet 172.31.9.212/32 brd 172.31.9.212 scope global qg-67268f81-86  //VM1_IP
    inet6 fe80::f816:3eff:fe66:4fd4/64 scope link
       valid_lft forever preferred_lft forever
12: qr-60212213-3a: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global qr-60212213-3a
    inet6 fe80::f816:3eff:fed1:c741/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as my ext_net gateway.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected). Does anyone know how to solve this problem?

Thanks

cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instances cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but the ping fails from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but the ping fails from the instance.

Both report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-67268f81-86" "qg-03969b97-49"  // I can ping this form instance
                    Interface "qg-67268f81-86"
"qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-67268f81-86: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.211/24 172.31.9.210/24 brd 172.31.9.255 scope global qg-67268f81-86 qg-03969b97-49   //qg_IP
    inet 172.31.9.212/32 iinet 172.31.9.211/32 brd 172.31.9.212 172.31.9.211 scope global qg-67268f81-86 qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe66:4fd4/64 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12: qr-60212213-3a:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global qr-60212213-3a
 qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fed1:c741/64 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as my ext_net gateway.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected). Does anyone know how to solve this problem?

Thanks

cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instances cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but the ping fails from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but the ping fails from the instance.

Both report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-03969b97-49"  // I can ping this form instance
                    Interface "qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   //qg_IP
    inet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global  qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as my ext_net gateway.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected). Does anyone know how to solve this problem?

Thanks

****UPDATE******

on controller node

root@controller:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.0.0.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

on network node

root@network:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP

on compute node

root@compute:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-i1fe8f3f1-1      //qvo1fe8f3f1-15
-N neutron-openvswi-i7f0044bf-4     // tap
-N neutron-openvswi-i941a160e-5    //qvo941a160e-5b
-N neutron-openvswi-if0dded78-0    //tap
-N neutron-openvswi-local
-N neutron-openvswi-o1fe8f3f1-1
-N neutron-openvswi-o7f0044bf-4
-N neutron-openvswi-o941a160e-5  
-N neutron-openvswi-of0dded78-0
-N neutron-openvswi-s1fe8f3f1-1
-N neutron-openvswi-s7f0044bf-4
-N neutron-openvswi-s941a160e-5
-N neutron-openvswi-sf0dded78-0
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-INPUT -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-i1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.4/32 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i7f0044bf-4 -m state --state INVALID -j DROP
-A neutron-openvswi-i7f0044bf-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i7f0044bf-4 -p icmp -j RETURN
-A neutron-openvswi-i7f0044bf-4 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i7f0044bf-4 -s 10.30.30.2/32 -j RETURN
-A neutron-openvswi-i7f0044bf-4 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i7f0044bf-4 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i7f0044bf-4 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i941a160e-5 -m state --state INVALID -j DROP
-A neutron-openvswi-i941a160e-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i941a160e-5 -p icmp -j RETURN
-A neutron-openvswi-i941a160e-5 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i941a160e-5 -s 10.30.30.2/32 -j RETURN
-A neutron-openvswi-i941a160e-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i941a160e-5 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i941a160e-5 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-if0dded78-0 -m state --state INVALID -j DROP
-A neutron-openvswi-if0dded78-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-if0dded78-0 -p icmp -j RETURN
-A neutron-openvswi-if0dded78-0 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-if0dded78-0 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-if0dded78-0 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-if0dded78-0 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-s1fe8f3f1-1
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o7f0044bf-4 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o7f0044bf-4 -j neutron-openvswi-s7f0044bf-4
-A neutron-openvswi-o7f0044bf-4 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o7f0044bf-4 -m state --state INVALID -j DROP
-A neutron-openvswi-o7f0044bf-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o7f0044bf-4 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o7f0044bf-4 -p icmp -j RETURN
-A neutron-openvswi-o7f0044bf-4 -j RETURN
-A neutron-openvswi-o7f0044bf-4 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o7f0044bf-4 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o941a160e-5 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o941a160e-5 -j neutron-openvswi-s941a160e-5
-A neutron-openvswi-o941a160e-5 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o941a160e-5 -m state --state INVALID -j DROP
-A neutron-openvswi-o941a160e-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o941a160e-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o941a160e-5 -p icmp -j RETURN
-A neutron-openvswi-o941a160e-5 -j RETURN
-A neutron-openvswi-o941a160e-5 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o941a160e-5 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-of0dded78-0 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-of0dded78-0 -j neutron-openvswi-sf0dded78-0
-A neutron-openvswi-of0dded78-0 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-of0dded78-0 -m state --state INVALID -j DROP
-A neutron-openvswi-of0dded78-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-of0dded78-0 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-of0dded78-0 -p icmp -j RETURN
-A neutron-openvswi-of0dded78-0 -j RETURN
-A neutron-openvswi-of0dded78-0 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-of0dded78-0 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s1fe8f3f1-1 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:98:A6:BF -j RETURN
-A neutron-openvswi-s1fe8f3f1-1 -j DROP
-A neutron-openvswi-s7f0044bf-4 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:00:5B:82 -j RETURN
-A neutron-openvswi-s7f0044bf-4 -j DROP
-A neutron-openvswi-s941a160e-5 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:73:8C:9C -j RETURN
-A neutron-openvswi-s941a160e-5 -j DROP
-A neutron-openvswi-sf0dded78-0 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:18:8E:7E -j RETURN
-A neutron-openvswi-sf0dded78-0 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-i941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-i1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-if0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-i7f0044bf-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-metadat-INPUT -d 10.0.0.202/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local

cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instances cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but the ping fails from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but the ping fails from the instance.

Both report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-03969b97-49"  // I can ping this form instance
                    Interface "qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   //qg_IP
    inet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global  qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as my ext_net gateway.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected). Does anyone know how to solve this problem?

Thanks

****UPDATE******

on controller node

root@controller:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.0.0.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

on network node

root@network:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP

on compute node

root@compute:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-i1fe8f3f1-1      //qvo1fe8f3f1-15
-N neutron-openvswi-i7f0044bf-4     // tap
-N neutron-openvswi-i941a160e-5    //qvo941a160e-5b
-N neutron-openvswi-if0dded78-0    //tap
-N neutron-openvswi-local
-N neutron-openvswi-o1fe8f3f1-1
-N neutron-openvswi-o7f0044bf-4
-N neutron-openvswi-o941a160e-5  
-N neutron-openvswi-of0dded78-0
-N neutron-openvswi-s1fe8f3f1-1
-N neutron-openvswi-s7f0044bf-4
-N neutron-openvswi-s941a160e-5
-N neutron-openvswi-sf0dded78-0
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-INPUT -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-i1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.4/32 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i7f0044bf-4 -m state --state INVALID -j DROP
-A neutron-openvswi-i7f0044bf-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i7f0044bf-4 -p icmp -j RETURN
-A neutron-openvswi-i7f0044bf-4  ****************************
-A neutron-openvswi-i941a160e-5       same as  ↑↑↑↑
-A neutron-openvswi-if0dded78-0 ****************************
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 68 --dport 53 67 -j RETURN
-A neutron-openvswi-i7f0044bf-4 -s 10.30.30.2/32 -j RETURN
-A neutron-openvswi-i7f0044bf-4 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i7f0044bf-4 -s 10.30.30.3/32 neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-s1fe8f3f1-1
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i7f0044bf-4 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i941a160e-5 DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i941a160e-5 neutron-openvswi-o1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i941a160e-5 neutron-openvswi-o1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-i941a160e-5 neutron-openvswi-o1fe8f3f1-1 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i941a160e-5 -s 10.30.30.2/32 -j RETURN
-A neutron-openvswi-i941a160e-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i941a160e-5 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i941a160e-5 neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-if0dded78-0 -m state --state INVALID -j DROP
-A neutron-openvswi-if0dded78-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-if0dded78-0 -p icmp -j RETURN
-A neutron-openvswi-if0dded78-0 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-if0dded78-0 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-if0dded78-0 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-if0dded78-0 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-s1fe8f3f1-1
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o7f0044bf-4 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o7f0044bf-4 -j neutron-openvswi-s7f0044bf-4
-A neutron-openvswi-o7f0044bf-4 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o7f0044bf-4 -m state --state INVALID -j DROP
-A neutron-openvswi-o7f0044bf-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o7f0044bf-4 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o7f0044bf-4 -p icmp -j RETURN
-A neutron-openvswi-o7f0044bf-4 -j RETURN
-A neutron-openvswi-o7f0044bf-4 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o7f0044bf-4 -j neutron-openvswi-sg-fallback
 ****************************
-A neutron-openvswi-o941a160e-5 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o941a160e-5 -j neutron-openvswi-s941a160e-5
-A neutron-openvswi-o941a160e-5 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o941a160e-5 -m state --state INVALID -j DROP
-A neutron-openvswi-o941a160e-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o941a160e-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o941a160e-5 -p icmp -j RETURN
-A neutron-openvswi-o941a160e-5 -j RETURN
-A neutron-openvswi-o941a160e-5 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o941a160e-5 -j neutron-openvswi-sg-fallback
 same as  ↑↑↑↑
-A neutron-openvswi-of0dded78-0 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-of0dded78-0 -j neutron-openvswi-sf0dded78-0
-A neutron-openvswi-of0dded78-0 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-of0dded78-0 -m state --state INVALID -j DROP
-A neutron-openvswi-of0dded78-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-of0dded78-0 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-of0dded78-0 -p icmp -j RETURN
-A neutron-openvswi-of0dded78-0 -j RETURN
-A neutron-openvswi-of0dded78-0 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-of0dded78-0 -j neutron-openvswi-sg-fallback
****************************
-A neutron-openvswi-s1fe8f3f1-1 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:98:A6:BF -j RETURN
-A neutron-openvswi-s1fe8f3f1-1 -j DROP
-A neutron-openvswi-s7f0044bf-4 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:00:5B:82 -j RETURN
-A neutron-openvswi-s7f0044bf-4 -j DROP
-A neutron-openvswi-s941a160e-5 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:73:8C:9C -j RETURN
-A neutron-openvswi-s941a160e-5 -j DROP
-A neutron-openvswi-sf0dded78-0 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:18:8E:7E -j RETURN
-A neutron-openvswi-sf0dded78-0 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-i941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-i1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-if0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-i7f0044bf-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-metadat-INPUT -d 10.0.0.202/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local

cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instances cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but the ping fails from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but the ping fails from the instance.

Both report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-03969b97-49"  // I can ping this form instance
                    Interface "qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   //qg_IP
    inet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global  qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as my ext_net gateway.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected). Does anyone know how to solve this problem?

Thanks

****UPDATE******

on controller node

root@controller:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.0.0.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

on network node

root@network:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP

on compute node

root@compute:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-i1fe8f3f1-1      //qvo1fe8f3f1-15
//VM1 namespace
-N neutron-openvswi-i7f0044bf-4     // tap
-N neutron-openvswi-i941a160e-5    //qvo941a160e-5b
//VM2 namespace
-N neutron-openvswi-if0dded78-0    //tap
-N neutron-openvswi-local
-N neutron-openvswi-o1fe8f3f1-1
-N neutron-openvswi-o7f0044bf-4
-N neutron-openvswi-o941a160e-5  
-N neutron-openvswi-of0dded78-0
-N neutron-openvswi-s1fe8f3f1-1
-N neutron-openvswi-s7f0044bf-4
-N neutron-openvswi-s941a160e-5
-N neutron-openvswi-sf0dded78-0
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-INPUT -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-i1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.4/32 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i7f0044bf-4  ****************************
-A neutron-openvswi-i941a160e-5       same as  ↑↑↑↑
-A neutron-openvswi-if0dded78-0 ****************************
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-s1fe8f3f1-1
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o7f0044bf-4  ****************************
-A neutron-openvswi-o941a160e-5  same as  ↑↑↑↑
-A neutron-openvswi-of0dded78-0 ****************************
-A neutron-openvswi-s1fe8f3f1-1 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:98:A6:BF -j RETURN
-A neutron-openvswi-s1fe8f3f1-1 -j DROP
-A neutron-openvswi-s7f0044bf-4 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:00:5B:82 -j RETURN
-A neutron-openvswi-s7f0044bf-4 -j DROP
-A neutron-openvswi-s941a160e-5 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:73:8C:9C -j RETURN
-A neutron-openvswi-s941a160e-5 -j DROP
-A neutron-openvswi-sf0dded78-0 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:18:8E:7E -j RETURN
-A neutron-openvswi-sf0dded78-0 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-i941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-i1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-if0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-i7f0044bf-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-metadat-INPUT -d 10.0.0.202/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local

cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instance cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but the ping fails from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but the ping fails from the instance.

Both failures report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-03969b97-49"  // I can ping this form instance
                    Interface "qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   //qg_IP
    inet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global  qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as the gateway of my ext_net.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected, or something similar). Does anyone know how to solve this problem?

Thanks

****UPDATE******

on controller node

root@controller:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.0.0.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

on network node

root@network:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP

on compute node

root@compute:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-i1fe8f3f1-1      //VM1 namespace related
-N neutron-openvswi-i7f0044bf-4     // tap
-N neutron-openvswi-i941a160e-5    //VM2 namespace related
-N neutron-openvswi-if0dded78-0    //tap
-N neutron-openvswi-local
-N neutron-openvswi-o1fe8f3f1-1
-N neutron-openvswi-o7f0044bf-4
-N neutron-openvswi-o941a160e-5  
-N neutron-openvswi-of0dded78-0
-N neutron-openvswi-s1fe8f3f1-1
-N neutron-openvswi-s7f0044bf-4
-N neutron-openvswi-s941a160e-5
-N neutron-openvswi-sf0dded78-0
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-INPUT -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-i1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.4/32 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i7f0044bf-4  ****************************
-A neutron-openvswi-i941a160e-5       same as  ↑↑↑↑
-A neutron-openvswi-if0dded78-0 ****************************
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-s1fe8f3f1-1
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o7f0044bf-4  ****************************
-A neutron-openvswi-o941a160e-5  same as  ↑↑↑↑
-A neutron-openvswi-of0dded78-0 ****************************
-A neutron-openvswi-s1fe8f3f1-1 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:98:A6:BF -j RETURN
-A neutron-openvswi-s1fe8f3f1-1 -j DROP
-A neutron-openvswi-s7f0044bf-4 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:00:5B:82 -j RETURN
-A neutron-openvswi-s7f0044bf-4 -j DROP
-A neutron-openvswi-s941a160e-5 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:73:8C:9C -j RETURN
-A neutron-openvswi-s941a160e-5 -j DROP
-A neutron-openvswi-sf0dded78-0 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:18:8E:7E -j RETURN
-A neutron-openvswi-sf0dded78-0 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-i941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-i1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-if0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-i7f0044bf-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-metadat-INPUT -d 10.0.0.202/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local

cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instance cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but the ping fails from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but the ping fails from the instance.

Both failures report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-03969b97-49"  // I can ping this form instance
                    Interface "qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   //qg_IP
    inet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global  qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as the gateway of my ext_net.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected, or something similar). Does anyone know how to solve this problem?

Thanks

****UPDATE******

Ping from VM_1 (10.30.30.2/172.31.9.211) to the physical gateway (172.31.9.1):

raw:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: mangle:PREROUTING:policy:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:PREROUTING:rule:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-PREROUTING:return:3 IN=qr-ef4f5ddd-81 OUT= MAC=fa:16:3e:58:ff:3a:fa:16:3e:98:a6:bf:08:00 SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: mangle:FORWARD:policy:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**0 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:FORWARD:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: filter:neutron-filter-top:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:neutron-l3-agent-local:return:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:neutron-filter-top:return:2 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:FORWARD:rule:2 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: filter:neutron-l3-agent-FORWARD:return:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2  
TRACE: filter:FORWARD:policy:3 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**SRC=10.30.30.2 DST=172.31.9.1  
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:POSTROUTING:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-POSTROUTING:return:2 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:POSTROUTING:rule:2 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1 LEN=84 TOS=0x00 
TRACE: nat:neutron-postrouting-bottom:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-snat:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-float-snat:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
//////////////////////////////////
// It seems there should also be entries with (in=qg-***, out=br-ex ...) and (in=br-ex, out=eth0 ...) here.
////////////////////////////////
TRACE: raw:OUTPUT:policy:2 IN= OUT=lo SRC=172.31.9.211 DST=172.31.9.211  
TRACE: mangle:OUTPUT:policy:1 IN= OUT=lo SRC=172.31.9.211 DST=172.31.9.211  
TRACE: filter:OUTPUT:rule:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-filter-top:rule:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-l3-agent-local:return:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-filter-top:return:2 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 
TRACE: filter:OUTPUT:rule:2 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 
TRACE: filter:neutron-l3-agent-OUTPUT:return:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:OUTPUT:policy:3 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 LEN=112 TOS=0x00 
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=qr-ef4f5ddd-81 SRC=172.31.9.211 DST=10.30.30.2

****UPDATE******

on controller node

root@controller:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.0.0.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

on network node

root@network:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -j neutron-openvswi-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP

on compute node

root@compute:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-i1fe8f3f1-1      //VM1 related
-N neutron-openvswi-i7f0044bf-4     // tap
-N neutron-openvswi-i941a160e-5    //VM2 related
-N neutron-openvswi-if0dded78-0    //tap
-N neutron-openvswi-local
-N neutron-openvswi-o1fe8f3f1-1
-N neutron-openvswi-o7f0044bf-4
-N neutron-openvswi-o941a160e-5  
-N neutron-openvswi-of0dded78-0
-N neutron-openvswi-s1fe8f3f1-1
-N neutron-openvswi-s7f0044bf-4
-N neutron-openvswi-s941a160e-5
-N neutron-openvswi-sf0dded78-0
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-INPUT -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-i1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.4/32 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i7f0044bf-4  ****************************
-A neutron-openvswi-i941a160e-5       same as  ↑↑↑↑
-A neutron-openvswi-if0dded78-0 ****************************
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-s1fe8f3f1-1
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o7f0044bf-4  ****************************
-A neutron-openvswi-o941a160e-5  same as  ↑↑↑↑
-A neutron-openvswi-of0dded78-0 ****************************
-A neutron-openvswi-s1fe8f3f1-1 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:98:A6:BF -j RETURN
-A neutron-openvswi-s1fe8f3f1-1 -j DROP
-A neutron-openvswi-s7f0044bf-4 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:00:5B:82 -j RETURN
-A neutron-openvswi-s7f0044bf-4 -j DROP
-A neutron-openvswi-s941a160e-5 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:73:8C:9C -j RETURN
-A neutron-openvswi-s941a160e-5 -j DROP
-A neutron-openvswi-sf0dded78-0 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:18:8E:7E -j RETURN
-A neutron-openvswi-sf0dded78-0 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-i941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-i1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-if0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-i7f0044bf-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-metadat-INPUT -d 10.0.0.202/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local

cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instance cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but the ping fails from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but the ping fails from the instance.

Both failures report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-03969b97-49"  // I can ping this form instance
                    Interface "qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   //qg_IP
    inet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global  qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as the gateway of my ext_net.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected, or something similar). Does anyone know how to solve this problem?

Thanks

****UPDATE******

Ping from VM_1 (10.30.30.2/172.31.9.211) to the physical gateway (172.31.9.1):

raw:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: mangle:PREROUTING:policy:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:PREROUTING:rule:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-PREROUTING:return:3 IN=qr-ef4f5ddd-81 OUT= MAC=fa:16:3e:58:ff:3a:fa:16:3e:98:a6:bf:08:00 SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: mangle:FORWARD:policy:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**0 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:FORWARD:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: filter:neutron-filter-top:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:neutron-l3-agent-local:return:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:neutron-filter-top:return:2 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:FORWARD:rule:2 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: filter:neutron-l3-agent-FORWARD:return:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2  
TRACE: filter:FORWARD:policy:3 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**SRC=10.30.30.2 DST=172.31.9.1  
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:POSTROUTING:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-POSTROUTING:return:2 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:POSTROUTING:rule:2 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1 LEN=84 TOS=0x00 
TRACE: nat:neutron-postrouting-bottom:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-snat:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-float-snat:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
//////////////////////////////////
// it seems there should be entries with (in=qg-***, out=br-ex ....) and (in=br-ex, out=eth0 ....) here
////////////////////////////////
TRACE: raw:OUTPUT:policy:2 IN= OUT=lo SRC=172.31.9.211 DST=172.31.9.211  
TRACE: mangle:OUTPUT:policy:1 IN= OUT=lo SRC=172.31.9.211 DST=172.31.9.211  
TRACE: filter:OUTPUT:rule:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-filter-top:rule:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-l3-agent-local:return:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-filter-top:return:2 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 
TRACE: filter:OUTPUT:rule:2 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 
TRACE: filter:neutron-l3-agent-OUTPUT:return:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:OUTPUT:policy:3 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 LEN=112 TOS=0x00 
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=qr-ef4f5ddd-81 SRC=172.31.9.211 DST=10.30.30.2

****UPDATE******

on controller node

root@controller:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.0.0.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

on network node

 root@network:~# iptables -t filter -S
 -P INPUT ACCEPT
 -P FORWARD ACCEPT
 -P OUTPUT ACCEPT
 -N neutron-filter-top
 -N neutron-openvswi-FORWARD
 -N neutron-openvswi-INPUT
 -N neutron-openvswi-OUTPUT
 -N neutron-openvswi-local
 -N neutron-openvswi-sg-chain
 -N neutron-openvswi-sg-fallback
 -A INPUT -j neutron-openvswi-INPUT
 -A FORWARD -j neutron-filter-top
 -A FORWARD -j neutron-openvswi-FORWARD
 -A OUTPUT -j neutron-filter-top
 -A OUTPUT -j neutron-openvswi-OUTPUT
 -A neutron-filter-top -j neutron-openvswi-local
 -A neutron-openvswi-sg-fallback -j DROP

on compute node

root@compute:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-i1fe8f3f1-1      //VM1 related
-N neutron-openvswi-i7f0044bf-4     // tap
//VM
-N neutron-openvswi-i941a160e-5    //VM2 related
-N neutron-openvswi-if0dded78-0    //tap
//VM
-N neutron-openvswi-local
-N neutron-openvswi-o1fe8f3f1-1
-N neutron-openvswi-o7f0044bf-4
-N neutron-openvswi-o941a160e-5  
-N neutron-openvswi-of0dded78-0
neutron-openvswi-o941a160e-5
-N neutron-openvswi-s1fe8f3f1-1
-N neutron-openvswi-s7f0044bf-4
-N neutron-openvswi-s941a160e-5
-N neutron-openvswi-sf0dded78-0
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-INPUT -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-INPUT -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-i1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.4/32 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i941a160e-5 -m state --state INVALID -j DROP
-A neutron-openvswi-i941a160e-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i941a160e-5 -p icmp -j RETURN
-A neutron-openvswi-i941a160e-5 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i941a160e-5 -s 10.30.30.2/32 -j RETURN
-A neutron-openvswi-i941a160e-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i941a160e-5 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i941a160e-5 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i7f0044bf-4  ****************************
-A neutron-openvswi-i941a160e-5       same as  ↑↑↑↑
-A neutron-openvswi-if0dded78-0 ****************************
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-s1fe8f3f1-1
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o7f0044bf-4  ****************************
-A neutron-openvswi-o941a160e-5  same as  ↑↑↑↑
-A neutron-openvswi-of0dded78-0 ****************************
-p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o941a160e-5 -j neutron-openvswi-s941a160e-5
-A neutron-openvswi-o941a160e-5 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o941a160e-5 -m state --state INVALID -j DROP
-A neutron-openvswi-o941a160e-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o941a160e-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o941a160e-5 -p icmp -j RETURN
-A neutron-openvswi-o941a160e-5 -j RETURN
-A neutron-openvswi-o941a160e-5 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o941a160e-5 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s1fe8f3f1-1 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:98:A6:BF -j RETURN
-A neutron-openvswi-s1fe8f3f1-1 -j DROP
-A neutron-openvswi-s7f0044bf-4 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:00:5B:82 -j RETURN
-A neutron-openvswi-s7f0044bf-4 -j DROP
-A neutron-openvswi-s941a160e-5 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:73:8C:9C -j RETURN
-A neutron-openvswi-s941a160e-5 -j DROP
-A neutron-openvswi-sf0dded78-0 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:18:8E:7E -j RETURN
-A neutron-openvswi-sf0dded78-0 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-i941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-i1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-if0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf0dded78-04 --physdev-is-bridged -j neutron-openvswi-of0dded78-0
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-i7f0044bf-4
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap7f0044bf-43 --physdev-is-bridged -j neutron-openvswi-o7f0044bf-4
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-metadat-INPUT -d 10.0.0.202/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local

cannot SOS!!cannot ping br-ex in networknode with havana

I have 3 nodes with Neutron GRE tunnelling, and I can assign private and floating IPs to instances. The only problem is that the instances cannot reach the internet.

1) I can ping qg-xxxxx from the instance, but not from the network node, even inside the qrouter-xxxxx namespace.

2) I can ping br-ex from the network node, but not from the instance.

Both report 'Destination Host Unreachable'.

here is detail:

    root@network:~# ovs-vsctl show
        46755b2e-62fe-4f7c-b8ad-9f6c0cbd76a0
            Bridge br-ex        //IP:172.31.9.203
                Port "qg-03969b97-49"  // I can ping this from instance
                    Interface "qg-03969b97-49"
                        type: internal
                Port br-ex        // I cannot ping br-ex from instance 
                    Interface br-ex
                        type: internal
                Port "eth0"     // eth0 is in PROMISC MODE
                    Interface "eth0"
            Bridge br-tun
                ****
                ****
            Bridge br-int
                ****
                ****
 ovs_version: "1.10.2"


root@network:~# ip netns exec qrouter-xxxxx ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: qg-03969b97-49: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:66:4f:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.9.210/24 brd 172.31.9.255 scope global qg-03969b97-49   //qg_IP
    inet 172.31.9.211/32 brd 172.31.9.211 scope global qg-03969b97-49  //VM1_IP
    inet6 fe80::f816:3eff:fe3e:dd55/64 scope link
       valid_lft forever preferred_lft forever
12:  qr-ef4f5ddd-81: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:c7:41 brd ff:ff:ff:ff:ff:ff
    inet 10.30.30.1/24 brd 10.30.30.255 scope global  qr-ef4f5ddd-81
    inet6 fe80::f816:3eff:fe58:ff3a/64 scope link
       valid_lft forever preferred_lft forever

The physical gateway IP is 172.31.9.1, and I set it as my ext_net gateway.

I think this may be related to the namespace or to br-ex (perhaps the bridge and qg-xxx are not connected, or something similar). Does anyone know how to solve this problem?

Thanks

****UPDATE******

ping from VM_1 (10.30.30.2/172.31.9.211) to the physical gateway (172.31.9.1)

raw:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: mangle:PREROUTING:policy:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:PREROUTING:rule:1 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-PREROUTING:return:3 IN=qr-ef4f5ddd-81 OUT= MAC=fa:16:3e:58:ff:3a:fa:16:3e:98:a6:bf:08:00 SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:PREROUTING:policy:2 IN=qr-ef4f5ddd-81 OUT= MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: mangle:FORWARD:policy:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**0 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:FORWARD:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: filter:neutron-filter-top:rule:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:neutron-l3-agent-local:return:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:neutron-filter-top:return:2 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1  
TRACE: filter:FORWARD:rule:2 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2 DST=172.31.9.1 
TRACE: filter:neutron-l3-agent-FORWARD:return:1 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=** SRC=10.30.30.2  
TRACE: filter:FORWARD:policy:3 IN=qr-ef4f5ddd-81 OUT=qg-03969b97-49 MAC=**SRC=10.30.30.2 DST=172.31.9.1  
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:POSTROUTING:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-POSTROUTING:return:2 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1 
TRACE: nat:POSTROUTING:rule:2 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1 LEN=84 TOS=0x00 
TRACE: nat:neutron-postrouting-bottom:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-snat:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
TRACE: nat:neutron-l3-agent-float-snat:rule:1 IN= OUT=qg-03969b97-49 SRC=10.30.30.2 DST=172.31.9.1  
//////////////////////////////////
// it seems there should be entries with (in=qg-***, out=br-ex ....) and (in=br-ex, out=eth0 ....) here
////////////////////////////////
TRACE: raw:OUTPUT:policy:2 IN= OUT=lo SRC=172.31.9.211 DST=172.31.9.211  
TRACE: mangle:OUTPUT:policy:1 IN= OUT=lo SRC=172.31.9.211 DST=172.31.9.211  
TRACE: filter:OUTPUT:rule:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-filter-top:rule:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-l3-agent-local:return:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:neutron-filter-top:return:2 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 
TRACE: filter:OUTPUT:rule:2 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 
TRACE: filter:neutron-l3-agent-OUTPUT:return:1 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2  
TRACE: filter:OUTPUT:policy:3 IN= OUT=lo SRC=172.31.9.211 DST=10.30.30.2 LEN=112 TOS=0x00 
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=qr-ef4f5ddd-81 SRC=172.31.9.211 DST=10.30.30.2

****UPDATE******

on controller node

root@controller:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.0.0.201/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

on network node

    root@network:~# iptables -t filter -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N neutron-filter-top
    -N neutron-openvswi-FORWARD
    -N neutron-openvswi-INPUT
    -N neutron-openvswi-OUTPUT
    -N neutron-openvswi-local
    -N neutron-openvswi-sg-chain
    -N neutron-openvswi-sg-fallback
    -A INPUT -j neutron-openvswi-INPUT
    -A FORWARD -j neutron-filter-top
    -A FORWARD -j neutron-openvswi-FORWARD
    -A OUTPUT -j neutron-filter-top
    -A OUTPUT -j neutron-openvswi-OUTPUT
    -A neutron-filter-top -j neutron-openvswi-local
    -A neutron-openvswi-sg-fallback -j DROP

on compute node

root@compute:~# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-i1fe8f3f1-1    //VM
-N neutron-openvswi-i941a160e-5   //VM
-N neutron-openvswi-local
-N neutron-openvswi-o1fe8f3f1-1
-N neutron-openvswi-o941a160e-5
-N neutron-openvswi-s1fe8f3f1-1
-N neutron-openvswi-s941a160e-5
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-N nova-api-metadat-FORWARD
-N nova-api-metadat-INPUT
-N nova-api-metadat-OUTPUT
-N nova-api-metadat-local
-N nova-filter-top
-N nova-network-FORWARD
-N nova-network-INPUT
-N nova-network-OUTPUT
-N nova-network-local
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-metadat-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-metadat-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-metadat-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-i1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.4/32 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i941a160e-5 -m state --state INVALID -j DROP
-A neutron-openvswi-i941a160e-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i941a160e-5 -p icmp -j RETURN
-A neutron-openvswi-i941a160e-5 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-i941a160e-5 -s 10.30.30.2/32 -j RETURN
-A neutron-openvswi-i941a160e-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i941a160e-5 -s 10.30.30.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i941a160e-5 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-s1fe8f3f1-1
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o1fe8f3f1-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p icmp -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o1fe8f3f1-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o941a160e-5 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o941a160e-5 -j neutron-openvswi-s941a160e-5
-A neutron-openvswi-o941a160e-5 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o941a160e-5 -m state --state INVALID -j DROP
-A neutron-openvswi-o941a160e-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o941a160e-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-o941a160e-5 -p icmp -j RETURN
-A neutron-openvswi-o941a160e-5 -j RETURN
-A neutron-openvswi-o941a160e-5 -p udp -m udp --dport 53 -j RETURN
-A neutron-openvswi-o941a160e-5 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s1fe8f3f1-1 -s 10.30.30.2/32 -m mac --mac-source FA:16:3E:98:A6:BF -j RETURN
-A neutron-openvswi-s1fe8f3f1-1 -j DROP
-A neutron-openvswi-s941a160e-5 -s 10.30.30.4/32 -m mac --mac-source FA:16:3E:73:8C:9C -j RETURN
-A neutron-openvswi-s941a160e-5 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-i941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap941a160e-5b --physdev-is-bridged -j neutron-openvswi-o941a160e-5
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-i1fe8f3f1-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe8f3f1-15 --physdev-is-bridged -j neutron-openvswi-o1fe8f3f1-1
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP
-A nova-api-metadat-INPUT -d 10.0.0.202/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-metadat-local