Revision history

initial version
Security Group rules are enforced by Linux iptables rules at the compute host level. I'm using DVR (distributed virtual routing) on Kilo; here are some rules dumped out on a compute host:

sudo iptables -L

Chain neutron-openvswi-i76b78cbd-2 (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  192.168.51.2         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp
RETURN     udp  --  anywhere             anywhere             udp
RETURN     icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Yes, you can create security group rules in a Heat orchestration template. Here is a brief example:

  mysecurity_group:
    type: OS::Neutron::SecurityGroup
    properties:
      description: Neutron security group rules
      name: mysecurity_group
      rules:
        # one ingress rule: any source address (0.0.0.0/0), every TCP port (0-65535)
        - remote_ip_prefix: 0.0.0.0/0
          protocol: tcp
          port_range_min: 0
          port_range_max: 65535
          direction: ingress
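To see how the chain in that dump actually decides a packet, here is an added example (mine, not code from the answer or from Neutron) that parses an `iptables -L` chain listing, walks it first-match-wins the way the kernel does, and reports the verdict for a few sample packets. The chain text is the one from the answer, embedded inline as sample data so the script runs offline; `Rule`, `Packet`, `parse_chain`, `verdict` and `without_wide_open` are names chosen for this example. It also shows what changes when the wide-open `tcp` RETURN rule (the same permission as the any-source, all-ports Heat rule above) is taken out: new inbound TCP falls through to the sg-fallback chain, and a TCP packet with no conntrack entry reaches the INVALID DROP instead of being returned by the earlier rule.

```python
"""Walk a Neutron per-port iptables chain (as printed by `iptables -L`) and
report which rule decides a packet.  Added example, not Neutron code."""
from dataclasses import dataclass
import ipaddress
import re
from typing import Optional, Tuple

# iptables -L prints well-known ports by name; map the ones that occur here.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "ssh": 22, "http": 80, "https": 443}

# Constructed sample input: the chain from the answer above (comments shortened).
CHAIN_DUMP = """\
Chain neutron-openvswi-i76b78cbd-2 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* known session */
RETURN     udp  --  192.168.51.2         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp
RETURN     udp  --  anywhere             anywhere             udp
RETURN     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* no conntrack entry */
neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* unmatched traffic */
"""

PortRange = Tuple[int, int]


@dataclass
class Rule:
    target: str                         # RETURN, DROP, or a chain to jump to
    proto: str                          # 'all', 'tcp', 'udp' or 'icmp'
    src: Optional[ipaddress.IPv4Network]  # None means 'anywhere'
    states: Optional[frozenset]         # conntrack states matched; None if unconditional
    sport: Optional[PortRange]
    dport: Optional[PortRange]


@dataclass
class Packet:
    proto: str
    src: str
    state: str = "NEW"                  # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    sport: int = 0
    dport: int = 0


def _port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _port_range(value: str) -> PortRange:
    # 'dpt:22' is a single port, 'dpts:1:65535' a range
    parts = value.split(":")
    lo = _port(parts[0])
    return (lo, _port(parts[1]) if len(parts) == 2 else lo)


def parse_chain(dump: str):
    rules = []
    for line in dump.splitlines():
        line = re.sub(r"/\*.*?\*/", "", line).strip()   # strip -m comment text
        if not line or line.startswith(("Chain ", "target ")):
            continue
        fields = line.split(None, 5)
        target, proto, _opt, src, _dst = fields[:5]
        extra = fields[5] if len(fields) > 5 else ""
        m = re.search(r"\bstate (\S+)", extra)
        states = frozenset(m.group(1).split(",")) if m else None
        sport = dport = None
        for kind, value in re.findall(r"\b(spts?|dpts?):(\S+)", extra):
            if kind.startswith("s"):
                sport = _port_range(value)
            else:
                dport = _port_range(value)
        # with `iptables -L -n` the wildcard prints as 0.0.0.0/0 instead of 'anywhere'
        net = None if src in ("anywhere", "0.0.0.0/0") else ipaddress.ip_network(src, strict=False)
        rules.append(Rule(target, proto, net, states, sport, dport))
    return rules


def _in_range(rng: Optional[PortRange], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return _in_range(rule.sport, pkt.sport) and _in_range(rule.dport, pkt.dport)


def verdict(rules, pkt: Packet) -> str:
    """First matching rule wins.  RETURN hands the packet back to the caller
    (allowed as far as this port's security group is concerned); a jump to the
    sg-fallback chain is where Neutron's driver drops what no rule allowed."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return "END-OF-CHAIN"            # user chain exhausted: implicit RETURN


def without_wide_open(rules, proto: str):
    """Remove RETURN rules for `proto` that carry no source, port or state
    restriction, i.e. the iptables form of an any-source, all-ports allow."""
    return [r for r in rules
            if not (r.target == "RETURN" and r.proto == proto and r.src is None
                    and r.states is None and r.sport is None and r.dport is None)]


if __name__ == "__main__":
    chain = parse_chain(CHAIN_DUMP)
    tightened = without_wide_open(chain, "tcp")
    samples = [
        ("new TCP/22 from the internet", Packet("tcp", "203.0.113.5", dport=22)),
        ("reply in an established flow", Packet("tcp", "203.0.113.5", "ESTABLISHED", 22, 40000)),
        ("TCP with no conntrack entry", Packet("tcp", "203.0.113.5", "INVALID", 22, 40000)),
        ("DHCP offer from the dnsmasq port", Packet("udp", "192.168.51.2", sport=67, dport=68)),
        ("ping", Packet("icmp", "203.0.113.5")),
    ]
    for label, pkt in samples:
        print(f"{label:34s} as dumped: {verdict(chain, pkt):30s} "
              f"tcp rule removed: {verdict(tightened, pkt)}")
```

Two things worth noticing in the output. Rule order matters: in this dump the unconditional `tcp` RETURN sits before the `state INVALID` DROP, so that DROP only ever sees protocols no RETURN rule already covered. And the DHCP rule is keyed to the dnsmasq address and the bootps/bootpc ports, so it keeps working after the wide-open rules are removed; a restrictive security group does not have to open UDP to the world for instances to get addresses. On a real host, feed the script the output of `sudo iptables -L <chain-name> -n` for the `neutron-openvswi-i...` chain of the port you care about.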