This is less of an OpenStack question and more of an iptables question. Consider the following chain in the NAT table:
Chain nova-network-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 172.16.100.0/24 10.128.0.223
0 0 ACCEPT all -- any any 172.16.100.0/24 172.16.100.0/24 ! ctstate DNAT
0 0 SNAT all -- any any 172.16.100.6 anywhere ctstate DNAT to:10.128.0.161
Can anyone tell me what 1) the "! ctstate DNAT" means in the second rule and 2) the "ctstate DNAT to:10.128.0.161" means in the third rule?
Thanks
The first rule uses the connection tracking extension ctstate and inverts the dynamic network address translation protocol with ! - I believe the rules are saying: when the source is from 172.16.100.0/24 and the destination is the same network, don't NAT the source (so if this is a virtual router then that would be DHCP offers and the like, also any host-to-host communication on that subnet) - the second part, 172.16.100.6 to anywhere, should be NAT'ed dynamically to 10.128.0.161. So if 172.16.100.6 is your OpenStack external router, the conntrack module will match rule 2 for internal traffic and rule 3 for everything else, i.e. the router and hosts will always match rule 2 first for internal traffic, but one host specifically will have its source NAT'ed when it leaves the segment, or put another way a proxy server, since the default route is likely 172.16.100.6.
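The following is an added illustration, not part of either post and not iptables or nova-network code: a small Python model of how netfilter walks the chain quoted in the question, so it is concrete which packets `! ctstate DNAT` and `ctstate DNAT ... to:10.128.0.161` select. It assumes the standard iptables semantics: `-s`/`-d` match source and destination, `-m conntrack --ctstate DNAT` matches a packet whose connection has had a DNAT mapping recorded by conntrack (typically because PREROUTING rewrote its destination earlier), `!` negates that, `ACCEPT` in nat/POSTROUTING leaves the packet untranslated, and `SNAT --to-source` rewrites the source address. The sample packets and the `conn_dnat` flag are constructed for the example.

```python
"""Model of netfilter evaluating the nova-network-POSTROUTING chain above.

Added example: reproduces the match semantics of -s/-d, --ctstate DNAT (and
its negation) and -j SNAT --to-source for the three rules in the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    # True when conntrack holds a DNAT mapping for this packet's connection,
    # i.e. the connection entered through a translated (floating) address.
    conn_dnat: bool = False


@dataclass(frozen=True)
class Rule:
    src: str                              # CIDR or host; "anywhere" = 0.0.0.0/0
    dst: str
    target: str                           # "ACCEPT" or "SNAT"
    ctstate_dnat: Optional[bool] = None   # None: no ctstate match,
                                          # True: "ctstate DNAT",
                                          # False: "! ctstate DNAT"
    snat_to: Optional[str] = None         # --to-source for SNAT rules


def _in(addr: str, net: str) -> bool:
    """Address match as iptables does it: a bare host is a /32."""
    if net == "anywhere":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if not _in(pkt.src, rule.src) or not _in(pkt.dst, rule.dst):
        return False
    # ctstate DNAT / ! ctstate DNAT compare the conntrack flag, nothing else.
    if rule.ctstate_dnat is not None and pkt.conn_dnat != rule.ctstate_dnat:
        return False
    return True


# The chain exactly as listed in the question.
CHAIN = [
    Rule("172.16.100.0/24", "10.128.0.223", "ACCEPT"),
    Rule("172.16.100.0/24", "172.16.100.0/24", "ACCEPT", ctstate_dnat=False),
    Rule("172.16.100.6", "anywhere", "SNAT", ctstate_dnat=True,
         snat_to="10.128.0.161"),
]


def evaluate(pkt: Packet, chain=CHAIN) -> Tuple[Optional[int], str]:
    """Walk the chain top down.

    Returns (1-based index of the rule that terminated evaluation, or None if
    the packet fell off the end, resulting source address).
    """
    for i, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            if rule.target == "SNAT":
                return i, rule.snat_to
            return i, pkt.src          # ACCEPT in nat: source left untouched
    return None, pkt.src               # no match: back to the caller unchanged


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.9 is a documentation address.
    samples = [
        Packet("172.16.100.20", "172.16.100.30"),                  # plain subnet traffic
        Packet("172.16.100.6", "203.0.113.9", conn_dnat=True),     # reply on a DNAT'ed connection
        Packet("172.16.100.6", "203.0.113.9", conn_dnat=False),    # locally originated, no DNAT
        Packet("172.16.100.6", "172.16.100.30", conn_dnat=True),   # DNAT'ed but stays inside the subnet
        Packet("172.16.100.9", "10.128.0.223"),                    # metadata-style destination
    ]
    for p in samples:
        rule, new_src = evaluate(p)
        print(f"{p.src:>14} -> {p.dst:<14} dnat={p.conn_dnat!s:5} "
              f"rule={rule} source becomes {new_src}")
```

Two cases are worth staring at: a packet from 172.16.100.6 whose connection was never DNAT'ed matches none of the three rules and leaves the chain untranslated, and a DNAT'ed connection whose destination is still inside 172.16.100.0/24 skips rule 2 (because of the `!`) and is rewritten by rule 3, which is what makes the `ctstate` qualifier on rule 2 necessary rather than decorative.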