Herman Ge's profile - activity

2016-06-01 07:19:59 -0600 received badge Notable Question
2016-06-01 07:19:59 -0600 received badge Famous Question
2016-01-07 23:01:59 -0600 received badge Popular Question
2015-11-17 08:09:50 -0600 received badge Teacher
2015-11-17 06:50:31 -0600 answered a question Neutron: Can't ping internet from instance and router namespace

In /etc/neutron/l3_agent.ini, set external_network_bridge=br-ex. Then restart related services.

2015-11-16 00:04:32 -0600 received badge  Enthusiast
2015-11-15 10:13:57 -0600 answered a question ssh not connecting to Ubuntu Server 14.04 instance

By default, the SSH server is not installed on Ubuntu 14.04, so you need to install it. Then you need to modify the sshd_config file, /etc/ssh/sshd_config:
PermitRootLogin without-password #comment this line;

PermitRootLogin yes #add this line;

After this, restart the ssh service: service ssh restart

2015-11-11 23:32:33 -0600 answered a question Network not working as expected

I think there's something wrong with the interface and bridge mapping. According to the output of 'ovs-vsctl show', you're using br-eth1 as the external bridge; br-ex is not used. But qg-30e26043-0a is under br-ex. That's why you can ping 172.16.0.1 in the namespace. qg-30e26043-0a should be under the bridge you're using: br-eth1.

According to the output of 'ovs-vsctl show', the flow path is: br-int -> int-br-eth1 -> phy-br-eth1 -> eth1

The right working path should be: br-int -> int-br-eth1 -> phy-br-eth1 -> qg-30e26043-0a -> eth1

2015-11-11 00:25:54 -0600 commented answer questions about snat rules in iptables

I mean how to display the overlay to router gateway mapping rules?
overlay IP:port -> gateway:port
10.1.1.4:54081 -> 172.168.0.52:54081
10.1.1.4:42224 -> 172.168.0.52:42224

2015-11-10 23:54:09 -0600 commented answer questions about snat rules in iptables

These two mapping rules with IP and TCP port are not displayed in iptables. These rules should exist somewhere. I want to know how to display these rules.

2015-11-10 23:52:55 -0600 commented answer questions about snat rules in iptables

In my setup, the router gateway IP is 172.168.0.52. On the instance (no FIP), I ssh to two external nodes, test-38 and test-40. TCP sessions are established with the external nodes through router gateway 172.168.0.52 with different ports: 172.168.0.52:54081 <-> test-38:ssh; 172.168.0.52:42224 <-> test-40:ssh

2015-11-10 23:50:08 -0600 commented answer questions about snat rules in iptables

You're right. Instance without FIP will use router gateway IP to visit external network.

2015-11-10 01:20:28 -0600 asked a question questions about snat rules in iptables

After creating an instance and a router (the instance is not associated with a floating IP), I ssh to an external VM from the instance. I think there should be NAT rules with the source IP and port in iptables for this SSH session. But in fact there are no PAT rules for this session in the namespace iptables. The iptables output is listed below.

Can someone explain my confusion? Thanks!

[root@test ~(keystone_admin)]# ip netns exec qrouter-4b6c0922-d9f9-4f4d-b28d-be4f5c82a769 iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 2857K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination         
2857K  126M neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 2854K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   224 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 7 packets, 540 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2221 77452 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  !qg-260ca1a1-5d !qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1694 58556 SNAT       all  --  *      qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            to:172.168.0.3
    1    84 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x2/0xffff ctstate DNAT to:172.168.0.3

Chain neutron-postrouting-bottom (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2221 77452 neutron-l3-agent-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Perform source NAT on outgoing traffic. */

[root@test ~(keystone_admin)]#

2015-11-10 01:20:26 -0600 asked a question can't see PAT rules in iptables

After creating an instance and a router (the instance is not associated with a floating IP), I ssh to an external VM from the instance. I think there should be NAT rules with the source IP and port in iptables for this SSH session. But in fact there are no PAT rules for this session in the namespace iptables. The iptables output is listed below.

Can someone explain my confusion? Thanks!

[root@test ~(keystone_admin)]# ip netns exec qrouter-4b6c0922-d9f9-4f4d-b28d-be4f5c82a769 iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 2857K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination
2857K  126M neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 2854K packets, 126M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 140 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   224 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 7 packets, 540 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2221 77452 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2221 77452 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  !qg-260ca1a1-5d !qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  qr-+   *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697

Chain neutron-l3-agent-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2221 77452 neutron-l3-agent-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1694 58556 SNAT       all  --  *      qg-260ca1a1-5d  0.0.0.0/0            0.0.0.0/0            to:172.168.0.3
    1    84 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x2/0xffff ctstate DNAT to:172.168.0.3

Chain neutron-postrouting-bottom (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2221 77452 neutron-l3-agent-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Perform source NAT on outgoing traffic. */

[root@test ~(keystone_admin)]#