解除openstack中instance对IP的限制

root@node1:~# iptables -vnL

Chain INPUT (policy ACCEPT 3556K packets, 744M bytes)

pkts bytes target prot opt in out source destination

1778K 372M nova-compute-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

150 13488 nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0

6 1392 nova-compute-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4208K packets, 567M bytes)

pkts bytes target prot opt in out source destination

4202K 567M nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0

2106K 284M nova-compute-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-FORWARD (1 references)

pkts bytes target prot opt in out source destination

4 1312 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67

2 80 ACCEPT all -- brq3eefcd79-07 * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT all -- * brq3eefcd79-07 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-INPUT (1 references)

pkts bytes target prot opt in out source destination

2 656 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67

Chain nova-compute-OUTPUT (1 references)

pkts bytes target prot opt in out source destination

Chain nova-compute-inst-15 (1 references)

pkts bytes target prot opt in out source destination

0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT udp -- * * 10.16.0.102 0.0.0.0/0 udp spt:67 dpt:68

0 0 ACCEPT all -- * * 10.16.0.0/24 0.0.0.0/0

0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 8

0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-inst-17 (1 references)

pkts bytes target prot opt in out source destination

0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT udp -- * * 10.16.0.102 0.0.0.0/0 udp spt:67 dpt:68

0 0 ACCEPT all -- * * 10.16.0.0/24 0.0.0.0/0

0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 8

0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-local (1 references)

pkts bytes target prot opt in out source destination

0 0 nova-compute-inst-15 all -- * * 0.0.0.0/0 10.16.0.111

0 0 nova-compute-inst-17 all -- * * 0.0.0.0/0 10.16.0.131

Chain nova-compute-provider (2 references)

pkts bytes target prot opt in out source destination

Chain nova-compute-sg-fallback (2 references)

pkts bytes target prot opt in out source destination

0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-filter-top (2 references)

pkts bytes target prot opt in out source destination

2106K 284M nova-compute-local all -- * * 0.0.0.0/0 0.0.0.0/0

root@node1:~# ebtables -t nat -L

Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT

-i tap0678bf1d-41 -j libvirt-I-tap0678bf1d-41

-i tap496fa038-9e -j libvirt-I-tap496fa038-9e

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT

Bridge chain: libvirt-I-tap0678bf1d-41, entries: 4, policy: ACCEPT

-j I-tap0678bf1d-41-mac

-p IPv4 -j I-tap0678bf1d-41-ipv4-ip

-p ARP -j I-tap0678bf1d-41-arp-mac

-p ARP -j I-tap0678bf1d-41-arp-ip

Bridge chain: I-tap0678bf1d-41-mac, entries: 2, policy: ACCEPT

-s fa:16:3e:a6:5f:70 -j RETURN

-j DROP

Bridge chain: I-tap0678bf1d-41-ipv4-ip, entries: 3, policy: ACCEPT

-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN

-p IPv4 --ip-src 10.16.0.131 -j RETURN

-j DROP

Bridge chain: I-tap0678bf1d-41-arp-mac, entries: 2, policy: ACCEPT

-p ARP --arp-mac-src fa:16:3e:a6:5f:70 -j RETURN

-j DROP

Bridge chain: I-tap0678bf1d-41-arp-ip, entries: 2, policy: ACCEPT

-p ARP --arp-ip-src 10.16.0.131 -j RETURN

-j DROP

Bridge chain: libvirt-I-tap496fa038-9e, entries: 4, policy: ACCEPT

-j I-tap496fa038-9e-mac

-p IPv4 -j I-tap496fa038-9e-ipv4-ip

-p ARP -j I-tap496fa038-9e-arp-mac

-p ARP -j I-tap496fa038-9e-arp-ip

Bridge chain: I-tap496fa038-9e-mac, entries: 2, policy: ACCEPT

-s fa:16:3e:58:1:ac -j RETURN

-j DROP

Bridge chain: I-tap496fa038-9e-ipv4-ip, entries: 3, policy: ACCEPT

-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN

-p IPv4 --ip-src 10.16.0.111 -j RETURN

-j DROP

Bridge chain: I-tap496fa038-9e-arp-mac, entries: 2, policy: ACCEPT

-p ARP --arp-mac-src fa:16:3e:58:1:ac -j RETURN

-j DROP

Bridge chain: I-tap496fa038-9e-arp-ip, entries: 2, policy: ACCEPT

-p ARP --arp-ip-src 10.16.0.111 -j RETURN

-j DROP

<filter name='nova-base' chain='root'>

<uuid>12ec8693-253a-7db0-7cd3-f8cc0a1e1b02</uuid>

<filterref filter='no-mac-spoofing'/>

<filterref filter='no-ip-spoofing'/>

<filterref filter='no-arp-spoofing'/>

<filterref filter='allow-dhcp-server'/>

</filter>

<filter name='nova-instance-instance-0000000f-fa163e5801ac' chain='root'>

<uuid>972d18be-2db0-4bf2-2853-a0a61beac036</uuid>

<filterref filter='nova-base'>

<parameter name='DHCPSERVER' value='10.16.0.102'/>

<parameter name='IP' value='10.16.0.111'/>

<parameter name='PROJMASK' value='255.255.255.0'/>

<parameter name='PROJNET' value='10.16.0.0'/>

</filterref>

</filter>