Neutron Networking explained
This is going to be a huge topic, so let's go through it chapter by chapter, one concept at a time.
- How VMs (instances) communicate with the internet (NAT explained)*
- xxx
- xxx
Basics explained
- The default logical router (Router1), a private network (10.0.0.x) and a public network (172.24.4.x) are created as part of the default DevStack installation.
- Router1 is connected to both the private network and the public network and routes traffic between them. It can do SNAT (PAT), DNAT (for the metadata service) and one-to-one NAT (floating IPs).
- Router1 runs in a separate Linux network namespace.
- Router1 has two ports (interfaces) attached, a private interface (10.0.0.1) and a public interface (172.24.4.2), and it performs NAT with iptables so that the VMs can reach the external world.
- SNAT is enabled by default.
- A user can create a router, attach it to private networks and set its gateway (the public network).
How to check the Router
In the DevStack Linux console, run the sudo ip netns list command.
cloud@devstack:~/devstack$ sudo ip netns list
qrouter-ebd609d2-5b34-44b0-91f6-96658fbbf7e1
qdhcp-15e84436-77ba-45e9-a478-705a354749e4
qdhcp-def791d3-9e2c-433e-b839-6faf93ee0270
qrouter-e0b7340e-e412-4401-9101-1a4797eff44c
qdhcp-7359af35-d185-451c-ad97-bfc732c2189a
cloud@devstack:~/devstack$
The above output shows two routers (qrouter-ebd609d2-5b34-44b0-91f6-96658fbbf7e1 and qrouter-e0b7340e-e412-4401-9101-1a4797eff44c); the UUID after the qrouter- prefix is the Neutron router ID. The qdhcp-* namespaces hold the DHCP agent for each network. I have created one for testing.
To check the interfaces available in the router, run ifconfig inside its namespace with ip netns exec:
cloud@devstack:~/devstack$ sudo ip netns exec qrouter-e0b7340e-e412-4401-9101-1a4797eff44c ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
qg-4a4c7003-ed Link encap:Ethernet HWaddr fa:16:3e:1c:ba:e9
inet addr:172.24.4.2 Bcast:172.24.4.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe1c:bae9/64 Scope:Link
UP BROADCAST RUNNING MTU:1450 Metric:1
RX packets:37 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2540 (2.5 KB) TX bytes:1336 (1.3 KB)
qr-7443f2c0-35 Link encap:Ethernet HWaddr fa:16:3e:9d:4c:15
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe9d:4c15/64 Scope:Link
UP BROADCAST RUNNING MTU:1450 Metric:1
RX packets:1239 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:146142 (146.1 KB) TX bytes:874 (874.0 B)
qr-87bd7eff-53 Link encap:Ethernet HWaddr fa:16:3e:fc:03:da
inet6 addr: fe80::f816:3eff:fefc:3da/64 Scope:Link
inet6 addr: fd55:5b78:8eb1::1/64 Scope:Global
UP BROADCAST RUNNING MTU:1450 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1244 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:78 (78.0 B) TX bytes:146640 (146.6 KB)
cloud@devstack:~/devstack$
Here, qr-7443f2c0-35 (10.0.0.1) is connected to the private network and qg-4a4c7003-ed (172.24.4.2) is connected to the public (external) network. The second qr- interface, qr-87bd7eff-53 (fd55:5b78:8eb1::1/64), is the gateway of the private IPv6 subnet. The qr- prefix marks router ports facing tenant subnets and qg- marks the gateway port facing the external network; the suffix is the beginning of the Neutron port ID, so you can match it against openstack port list.
We can also start a shell inside the namespace with ip netns exec and run any Linux command there; everything typed at that prompt then runs in the router's network namespace, as this example shows.
cloud@devstack:~/devstack$ sudo ip netns exec qrouter-e0b7340e-e412-4401-9101-1a4797eff44c bash
root@devstack:~/devstack# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
qg-4a4c7003-ed Link encap:Ethernet HWaddr fa:16:3e:1c:ba:e9
inet addr:172.24.4.2 Bcast:172.24.4.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe1c:bae9/64 Scope:Link
UP BROADCAST RUNNING MTU:1450 Metric:1
RX packets:37 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2540 (2.5 KB) TX bytes:1336 (1.3 KB)
qr-7443f2c0-35 Link encap:Ethernet HWaddr fa:16:3e:9d:4c:15
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe9d:4c15/64 Scope:Link
UP BROADCAST RUNNING MTU:1450 Metric:1
RX packets:1249 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:147322 (147.3 KB) TX bytes:874 (874.0 B)
qr-87bd7eff-53 Link encap:Ethernet HWaddr fa:16:3e:fc:03:da
inet6 addr: fe80::f816:3eff:fefc:3da/64 Scope:Link
inet6 addr: fd55:5b78:8eb1::1/64 Scope:Global
UP BROADCAST RUNNING MTU:1450 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1254 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:78 (78.0 B) TX bytes:147820 (147.8 KB)
root@devstack:~/devstack#
root@devstack:~/devstack# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-PREROUTING all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-OUTPUT all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-POSTROUTING all -- anywhere anywhere
neutron-postrouting-bottom all -- anywhere anywhere
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- anywhere anywhere
SNAT all -- anywhere anywhere to:172.24.4.2
SNAT all -- anywhere anywhere mark match ! 0x2/0xffff ctstate DNAT to:172.24.4.2
Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- anywhere anywhere /* Perform source NAT on outgoing traffic. */
root@devstack:~/devstack#
In this iptables nat table, the chain neutron-l3-agent-snat contains the rule below, which enables SNAT for all the private networks connected to this router. This is the default configuration.
SNAT all -- anywhere anywhere to:172.24.4.2
The second SNAT rule in the same chain (mark match ! 0x2/0xffff ctstate DNAT) covers connections that were already DNATed but did not enter through the external interface; the 0x2 mark is set in the mangle table on packets arriving via the qg- port, so this rule catches, for example, a VM talking to another VM's floating IP through the same router, and rewrites the source to 172.24.4.2 so the replies return via the router. Note that iptables -L without -v hides the interface matches; run iptables -t nat -S in the namespace to see the complete rules, including the ! ctstate DNAT ACCEPT in neutron-l3-agent-POSTROUTING, which exempts traffic that neither enters nor leaves via the qg- port (traffic between this router's own subnets) from SNAT.
The chain neutron-l3-agent-float-snat holds the floating IP (one-to-one) mappings. When a floating IP is associated, the l3 agent adds a DNAT rule for it in neutron-l3-agent-PREROUTING (and neutron-l3-agent-OUTPUT) plus the matching SNAT rule here, so the VM becomes reachable from outside and its outbound traffic leaves with the floating IP instead of the shared 172.24.4.2 address. In our example no VM has a floating IP associated, so the chain is empty:
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
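As an added example (not part of the original post and not Neutron's own code), the following POSIX shell script summarises what a qrouter namespace's nat table does: the default SNAT address, every floating IP mapping and whether its inbound DNAT half is present, and the metadata redirect. It reads the output of iptables -t nat -S, which shows the rules above with their interface matches. It runs offline on a constructed rule set: the rules of the router shown above rewritten in -S form, plus one made-up floating IP 172.24.4.3 mapped to a made-up fixed IP 10.0.0.5 so that the float-snat chain is not empty. The three floating-IP rules follow the shape the l3 agent uses (DNAT in PREROUTING and OUTPUT, SNAT in float-snat) but were reconstructed for this example, not captured from a live system.

```shell
#!/bin/sh
# Added example, not code from the original post or from Neutron itself.
# Summarises what a qrouter namespace's nat table does: the default SNAT
# address, every floating IP (one-to-one NAT) mapping, and the metadata
# redirect. Input is the output of `iptables -t nat -S` inside the namespace.

# Constructed sample: the rules of the router in the post rewritten in -S form,
# plus one made-up floating IP (172.24.4.3 -> fixed IP 10.0.0.5) so that the
# float-snat chain is not empty. The three floating-IP rules follow the shape
# the l3 agent uses (DNAT in PREROUTING and OUTPUT, SNAT in float-snat); they
# were not captured from a live system.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 172.24.4.3/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-POSTROUTING ! -i qg-4a4c7003-ed ! -o qg-4a4c7003-ed -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 172.24.4.3/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 172.24.4.3
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-4a4c7003-ed -j SNAT --to-source 172.24.4.2
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.2
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat'

# Print the router-wide SNAT address: the SNAT rule in neutron-l3-agent-snat
# that has no conntrack match. (The second SNAT there, matched on ctstate DNAT,
# only rewrites DNATed connections that did not enter via the qg- port.)
default_snat_source() {
    awk '$1 == "-A" && $2 == "neutron-l3-agent-snat" && !/--ctstate DNAT/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "--to-source") { print $(i + 1); exit }
         }'
}

# Print one line per floating IP: "<fixed-ip> <floating-ip> <status>". A
# mapping is complete only when the SNAT in float-snat has a matching inbound
# DNAT in PREROUTING; a half-configured mapping is flagged.
floating_ip_map() {
    awk '
        $1 == "-A" && $2 == "neutron-l3-agent-PREROUTING" && /-j DNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") fip = $(i + 1)
                if ($i == "--to-destination") fixed = $(i + 1)
            }
            sub(/\/32$/, "", fip); dnat[fixed] = fip
        }
        $1 == "-A" && $2 == "neutron-l3-agent-float-snat" && /-j SNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") fixed = $(i + 1)
                if ($i == "--to-source") fip = $(i + 1)
            }
            sub(/\/32$/, "", fixed)
            st = (dnat[fixed] == fip) ? "ok" : "MISSING-DNAT"
            print fixed, fip, st
        }'
}

# Print the local port that 169.254.169.254:80 (metadata) is redirected to.
metadata_redirect_port() {
    awk '$1 == "-A" && /-d 169\.254\.169\.254/ && /-j REDIRECT/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "--to-ports") { print $(i + 1); exit }
         }'
}

# Human-readable summary of a rule set read from stdin.
report() {
    rules=$(cat)
    printf 'default SNAT source : %s\n' "$(printf '%s\n' "$rules" | default_snat_source)"
    printf 'metadata redirect   : 169.254.169.254:80 -> local port %s\n' \
        "$(printf '%s\n' "$rules" | metadata_redirect_port)"
    printf 'floating IPs (fixed floating status):\n'
    printf '%s\n' "$rules" | floating_ip_map | sed 's/^/  /'
}

# Runs against the constructed sample by default; to audit a live router, pipe
# its rules in from the namespace:
#   sudo ip netns exec qrouter-<id> iptables -t nat -S | LIVE=1 sh nat-audit.sh
if [ "${LIVE:-0}" = 1 ]; then report; else printf '%s\n' "$SAMPLE_RULES" | report; fi
```

The status column is the check worth keeping: a floating IP that appears only in float-snat (or only as a DNAT) means the agent left the router half-configured, and the VM will either be unreachable from outside or leak out with the shared gateway address instead of its floating IP.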
References
- http://docs.openstack.org/mitaka/networking-guide/intro-nat.html
- https://www.mirantis.com/blog/identifying-and-troubleshooting-neutron-namespaces/
- https://www.cyberciti.biz/faq/howto-iptables-show-nat-rules/
- http://www.dasblinkenlichten.com/an-introduction-to-network-namespaces/
- http://docs.openstack.org/newton/networking-guide/intro-network-namespaces.html
- http://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/