I have a mitaka openstack deployment with neutron DVR enabled. When I try to test the snat HA failover I found that even though the snat namespace was created on the other backup node, it doesn't has any nat rule in snat namespace iptable. And run "ip a" in the sant namespace you will find the sg port is missing.
Here is what I found on the second neutron network node
sandy-pistachio:/opt/openstack # ip netns
qrouter-e25b81f9-8810-4654-9be0-ebac09c700fb
qdhcp-abe36e89-f7a5-4cbd-a7e4-852d80ed92d6
snat-e25b81f9-8810-4654-9be0-ebac09c700fb
sandy-pistachio:/opt/openstack # ip netns exec snat-e25b81f9-8810-4654-9be0-ebac09c700fb ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
70: qg-cc3b2f8c-b7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether fa:16:3e:cb:27:cd brd ff:ff:ff:ff:ff:ff
inet 10.240.117.98/28 brd 10.240.117.111 scope global qg-cc3b2f8c-b7
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fecb:27cd/64 scope link
valid_lft forever preferred_lft forever
sandy-pistachio:/opt/openstack # ip netns exec snat-e25b81f9-8810-4654-9be0-ebac09c700fb iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
sandy-pistachio:/opt/openstack #
I have a mitaka openstack deployment with neutron DVR enabled. When I try to test the snat HA failover I found that even though the snat namespace was created on the other backup node, it doesn't has any nat rule in snat namespace iptable. And run "ip a" in the sant namespace you will find the sg port is missing.
Here is what I found on the second neutron network node
sandy-pistachio :/opt/openstack # ip netns e25b81f9- 8810-4654- 9be0-ebac09c700 fb f7a5-4cbd- a7e4-852d80ed92 d6 8810-4654- 9be0-ebac09c700 fb
qrouter-
qdhcp-abe36e89-
snat-e25b81f9-
sandy-pistachio :/opt/openstack # ip netns exec snat-e25b81f9- 8810-4654- 9be0-ebac09c700 fb ip a UP,LOWER_ UP> mtu 65536 qdisc noqueue state UNKNOWN group default MULTICAST, UP,LOWER_ UP> mtu 1500 qdisc noqueue state UNKNOWN group default 3eff:fecb: 27cd/64 scope link
1: lo: <LOOPBACK,
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
70: qg-cc3b2f8c-b7: <BROADCAST,
link/ether fa:16:3e:cb:27:cd brd ff:ff:ff:ff:ff:ff
inet 10.240.117.98/28 brd 10.240.117.111 scope global qg-cc3b2f8c-b7
valid_lft forever preferred_lft forever
inet6 fe80::f816:
valid_lft forever preferred_lft forever
sandy-pistachio :/opt/openstack # ip netns exec snat-e25b81f9- 8810-4654- 9be0-ebac09c700 fb iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) :/opt/openstack #
pkts bytes target prot opt in out source destination
sandy-pistachio