
There are two different drivers for security group rules (set by the --firewall_driver flag). The default driver uses iptables directly. The nwfilter driver does the configuration through nwfilter.

The nwfilter driver was created first, but we switched to the other by default because it has a couple of issues:

1) it often blocks for a long time inside of libvirt, especially once a large number of rules have been defined
2) due to a change in support for physdev device match, there are certain networking setups where the rules are bypassed

(There may have been other issues as well that I'm not remembering)


On May 5, 2011, at 3:05 PM, Shi Jin wrote:

New question #156184 on OpenStack Compute (nova):

Hi there,

I thought this would be a straightforward thing to find out, but it turned out not to be. I created a security group to allow ssh and http and ran an instance with it. On its physical host, I see the following proper iptables rules:

    Chain nova-compute-inst-20 (1 references)
    target     prot opt source      destination
    DROP       all  --  anywhere    anywhere     state INVALID
    ACCEPT     all  --  anywhere    anywhere     state RELATED,ESTABLISHED
    ACCEPT     udp  --  anywhere    anywhere     udp spt:bootps dpt:bootpc
    ACCEPT     all  --  anywhere
    ACCEPT     tcp  --  anywhere    tcp dpt:ssh
    ACCEPT     tcp  --  anywhere    tcp dpt:http
    nova-compute-sg-fallback  all  --  anywhere    anywhere

The libvirt XML shows:

    <interface type='bridge'>
      <mac address="02:16:3e:05:67:78"/>
      <source bridge="br2"/>
      <target dev="vnet2"/>
      <filterref filter="nova-instance-instance-00000014-02163e056778">
        <parameter name="DHCPSERVER" value=""/>
        <parameter name="IP" value=""/>
      </filterref>
      <alias name="net0"/>


So I went to look at its nwfilter:

    [root@node5 ~]# virsh nwfilter-dumpxml nova-instance-instance-00000014-02163e056778
    <filter name="nova-instance-instance-00000014-02163e056778" chain="root">
      <uuid>261d6e67-4be9-c400-4908-ea648cda5ef5</uuid>
      <filterref filter="nova-base"/>
    </filter>

It references the nova-base nwfilter, which is:

    [root@node5 nwfilter]# virsh nwfilter-dumpxml nova-base
    <filter name="nova-base" chain="root">
      <uuid>35ec003d-48aa-f747-8fc5-83cb453ea43a</uuid>
      <filterref filter="no-mac-spoofing"/>
      <filterref filter="no-ip-spoofing"/>
      <filterref filter="no-arp-spoofing"/>
      <filterref filter="allow-dhcp-server"/>
    </filter>

But where are my custom rules allowing port 22 and 80? I haven't seen them anywhere, but it apparently worked. Is it run directly by iptables, without using the libvirt nwfilter? I would assume it is a natural way to directly use nwfilter for security groups, right?

Thanks. Shi

-- You received this question notification because you are a member of Nova Core, which is an answer contact for OpenStack Compute (nova).
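As an added check that is not part of this thread (my code, not either author's or nova's): the script below parses the instance's iptables chain and walks the nwfilter filterref chain the way the question did by hand, reporting which layer actually carries the security-group port openings. `IPTABLES_CHAIN` and `NWFILTERS` are constructed from the output quoted above; filters that were not dumped (no-mac-spoofing and friends) are skipped rather than invented.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the instance chain as `iptables -L` printed it in the question.
IPTABLES_CHAIN = """\
Chain nova-compute-inst-20 (1 references)
target     prot opt source    destination
DROP       all  --  anywhere  anywhere  state INVALID
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere  anywhere  udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere  anywhere  tcp dpt:ssh
ACCEPT     tcp  --  anywhere  anywhere  tcp dpt:http
nova-compute-sg-fallback  all  --  anywhere  anywhere
"""

# Constructed sample: nwfilter XML keyed by name, as `virsh nwfilter-dumpxml` shows it;
# referenced filters missing from this dict (no-mac-spoofing, ...) are simply skipped.
NWFILTERS = {
    "nova-instance-instance-00000014-02163e056778":
        '<filter name="nova-instance-instance-00000014-02163e056778" chain="root">'
        '<filterref filter="nova-base"/></filter>',
    "nova-base":
        '<filter name="nova-base" chain="root"><filterref filter="no-mac-spoofing"/>'
        '<filterref filter="no-ip-spoofing"/><filterref filter="no-arp-spoofing"/>'
        '<filterref filter="allow-dhcp-server"/></filter>',
}

def iptables_accepted_ports(chain_text):
    """Set of (proto, dport) from ACCEPT rules that carry a destination-port match."""
    ports = set()
    for line in chain_text.splitlines():
        m = re.match(r"ACCEPT\s+(tcp|udp)\b.*\bdpt:(\S+)", line)
        if m:
            ports.add((m.group(1), m.group(2)))
    return ports

def nwfilter_accepted_ports(name, filters, seen=None):
    """Follow <filterref> links recursively; collect (proto, dstportstart) of accept rules."""
    seen = set() if seen is None else seen
    if name in seen or name not in filters:  # cycle guard / filter not dumped
        return set()
    seen.add(name)
    root = ET.fromstring(filters[name])
    ports = set()
    for rule in root.findall("rule"):
        for match in rule.findall("tcp") + rule.findall("udp"):
            if rule.get("action") == "accept" and match.get("dstportstart"):
                ports.add((match.tag, match.get("dstportstart")))
    for ref in root.findall("filterref"):
        ports |= nwfilter_accepted_ports(ref.get("filter"), filters, seen)
    return ports
```

On the sample above the iptables chain yields the ssh/http openings and the nwfilter walk yields nothing, which is the iptables-driver behaviour the answer describes; a port rule that did live in nwfilter would show up as `<rule action="accept"><tcp dstportstart="22"/></rule>`.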