
Tuesday, July 15, 2014

OpenStack Neutron: How to find iptables rules in a network namespace

1)
List network namespaces
# ip netns
qdhcp-5fb186d7-1836-4505-b8c5-ce8219d51589
qrouter-e7ddc5e5-1f2c-46e7-92b0-85a0e6d4e838

2)
Dump the iptables rules in the quantum router network namespace "qrouter-e7ddc5e5-1f2c-46e7-92b0-85a0e6d4e838"
$ sudo ip netns exec qrouter-e7ddc5e5-1f2c-46e7-92b0-85a0e6d4e838 iptables-save
# Generated by iptables-save v1.4.21 on Tue Jul 15 04:30:42 2014
*nat
:PREROUTING ACCEPT [21:1773]
:INPUT ACCEPT [6:729]
:OUTPUT ACCEPT [15:1054]
:POSTROUTING ACCEPT [15:1054]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-b9fd2b47-d6 ! -o qg-b9fd2b47-d6 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 172.24.4.2
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT
# Completed on Tue Jul 15 04:30:42 2014
# Generated by iptables-save v1.4.21 on Tue Jul 15 04:30:42 2014
*mangle
:PREROUTING ACCEPT [2391:246264]
:INPUT ACCEPT [82:7385]
:FORWARD ACCEPT [2309:238879]
:OUTPUT ACCEPT [104:8341]
:POSTROUTING ACCEPT [2413:247220]
COMMIT
# Completed on Tue Jul 15 04:30:42 2014
# Generated by iptables-save v1.4.21 on Tue Jul 15 04:30:42 2014
*filter
:INPUT ACCEPT [82:7385]
:FORWARD ACCEPT [2309:238879]
:OUTPUT ACCEPT [104:8341]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Tue Jul 15 04:30:42 2014

3)
Grep the iptables rules in the quantum router network namespace "qrouter-e7ddc5e5-1f2c-46e7-92b0-85a0e6d4e838" for port 9697
$ sudo ip netns exec qrouter-e7ddc5e5-1f2c-46e7-92b0-85a0e6d4e838 iptables-save | grep 9697
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT

4)
Dump the iptables rules in the quantum dhcp network namespace "qdhcp-5fb186d7-1836-4505-b8c5-ce8219d51589" (only the default chain policies are present, no rules)
$ sudo ip netns exec qdhcp-5fb186d7-1836-4505-b8c5-ce8219d51589 iptables-save
# Generated by iptables-save v1.4.21 on Tue Jul 15 04:34:46 2014
*nat
:PREROUTING ACCEPT [1:309]
:INPUT ACCEPT [1:309]
:OUTPUT ACCEPT [1:351]
:POSTROUTING ACCEPT [1:351]
COMMIT
# Completed on Tue Jul 15 04:34:46 2014
# Generated by iptables-save v1.4.21 on Tue Jul 15 04:34:46 2014
*mangle
:PREROUTING ACCEPT [2:630]
:INPUT ACCEPT [2:630]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:702]
:POSTROUTING ACCEPT [2:702]
COMMIT
# Completed on Tue Jul 15 04:34:46 2014
# Generated by iptables-save v1.4.21 on Tue Jul 15 04:34:46 2014
*filter
:INPUT ACCEPT [2:630]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:702]
COMMIT
# Completed on Tue Jul 15 04:34:46 2014
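
An added example, not part of the original post: a shell filter that generalizes the grep in step 3 by running in every namespace and printing only the rules whose target rewrites addresses or ports (REDIRECT, DNAT, SNAT, MASQUERADE). The function names, the --live switch and the embedded sample (an excerpt of the qrouter dump above) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list address/port-translating rules per network namespace.

# Reads iptables-save output on stdin and prints "table chain target: rule"
# for every rule whose -j target is REDIRECT, DNAT, SNAT or MASQUERADE.
translation_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*nat" starts the nat table
        $1 == "-A" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i+1) ~ /^(REDIRECT|DNAT|SNAT|MASQUERADE)$/) {
                    printf "%s %s %s: %s\n", table, $2, $(i+1), $0
                    break
                }
        }'
}

# Runs the filter in every namespace (needs root). Newer iproute2 prints
# "name (id: N)", so only the first field is taken as the namespace name.
scan_all_netns() {
    ip netns list | awk '{ print $1 }' | while read -r ns; do
        echo "== $ns"
        ip netns exec "$ns" iptables-save </dev/null | translation_rules
    done
}

# Constructed sample: excerpt of the qrouter dump shown in step 2.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [21:1773]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 172.24.4.2
COMMIT
*filter
:INPUT ACCEPT [82:7385]
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
EOF
}

# With --live, scan the host's namespaces; otherwise run on the sample.
if [ "${1:-}" = "--live" ]; then scan_all_netns; else sample_dump | translation_rules; fi
```

On the sample this prints the REDIRECT and SNAT rules only; a namespace like the qdhcp one in step 4, which has no rules, prints just its "==" header under --live.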




1 comment:

  1. http://techbackground.blogspot.in/2013/06/metadata-via-quantum-router.html
