libvirt-bin (depended on by nova-compute) brings in unnecessary MASQs, while nova-compute actually uses its own openvswitch. Charm should delete or disable the extraneous MASQs, or at least provide the option to do so.
~$ sudo dpkg -S /etc/libvirt/qemu/networks/default.xml
libvirt-bin: /etc/libvirt/qemu/networks/default.xml
~$ sudo apt-cache rdepends libvirt-bin
libvirt-bin
Reverse Depends:
nova-compute-libvirt
libvirt-dev
python-libvirt
nova-compute-libvirt
maas-cluster-controller
libvirt-dev
virt-goodies
uvtool-libvirt
|opennebula-node
libsys-virt-perl
koan
gnome-boxes
virtinst
virt-manager
ubuntu-virt-server
python-libvirt
nova-compute-libvirt
maas-cluster-controller
libvirt-dev
apparmor
~$ sudo iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
neutron-openvswi-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-openvswi-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
neutron-openvswi-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
neutron-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 192.168.122.0/24 224.0.0.0/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
FYI this triggered a service outage (swift-storage) from conntrack exhaustion on a deployment where we aggregate nova-compute and swift-storage services into the same units, with (default) net.nf_conntrack_max = 65536.
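As an added example (not part of this bug report or the charm), a small shell check that counts libvirt's 192.168.122.0/24 MASQUERADE rules in `iptables -L -n -t nat` output and reports conntrack table headroom; the iptables text and the conntrack figures are constructed samples modelled on the numbers above.

```shell
#!/bin/sh
# Added example: detect libvirt default-network MASQUERADE rules and
# check conntrack headroom. Sample data is constructed from the report.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
neutron-openvswi-POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  192.168.122.0/24     224.0.0.0/24
RETURN     all  --  192.168.122.0/24     255.255.255.255
MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24'

# Count MASQUERADE rules whose source is the libvirt default subnet.
# Reads `iptables -L -n -t nat` output on stdin; prints the count.
count_libvirt_masq() {
    subnet="${1:-192.168.122.0/24}"
    awk -v s="$subnet" '$1 == "MASQUERADE" && $4 == s { n++ } END { print n + 0 }'
}

# Percent of the conntrack table in use. Arguments are the values of
# net.netfilter.nf_conntrack_count and net.nf_conntrack_max (sysctl -n ...).
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# True (exit 0) when usage is at or above the threshold (default 90%).
conntrack_alert() {
    [ "$(conntrack_pct "$1" "$2")" -ge "${3:-90}" ]
}

main() {
    # On a real host: sudo iptables -L -n -t nat | count_libvirt_masq
    n=$(printf '%s\n' "$SAMPLE_NAT" | count_libvirt_masq)
    printf 'libvirt default-network MASQUERADE rules found: %s\n' "$n"
    if [ "$n" -gt 0 ]; then
        # What the report asks the charm to do: drop libvirt's "default"
        # network on hosts where nova-compute uses Open vSwitch instead, e.g.
        #   virsh net-destroy default && virsh net-autostart --disable default
        echo "action: disable the libvirt 'default' network (see comment)"
    fi
    # Constructed values: 62000 tracked connections against the 65536 default.
    if conntrack_alert 62000 65536; then
        echo "conntrack table is $(conntrack_pct 62000 65536)% full"
    fi
}
main
```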