Security Group rules are enforced by Linux iptables rules at the compute host level.
I'm using DVR (distributed virtual routing) on Kilo; here are some rules dumped out
on a compute host:

    sudo iptables -L

    Chain neutron-openvswi-i76b78cbd-2 (1 references)
    target                        prot opt source        destination
    RETURN                        all  --  anywhere      anywhere      state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    RETURN                        udp  --  192.168.51.2  anywhere      udp spt:bootps dpt:bootpc
    RETURN                        tcp  --  anywhere      anywhere      tcp
    RETURN                        udp  --  anywhere      anywhere      udp
    RETURN                        icmp --  anywhere      anywhere
    DROP                          all  --  anywhere      anywhere      state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    neutron-openvswi-sg-fallback  all  --  anywhere      anywhere      /* Send unmatched traffic to the fallback chain. */

Yes, you can create security group rules in a Heat orchestration template. Here is a brief example:

    mysecurity_group:
      type: OS::Neutron::SecurityGroup
      properties:
        description: Neutron security group rules
        name: mysecurity_group
        rules:
          - remote_ip_prefix: 0.0.0.0/0
            protocol: tcp
            port_range_min: 0
            port_range_max: 65535
            direction: ingress
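As an added example (not code from the original answer, nor from Neutron or Heat), here is a small Python audit that ties the two halves of the answer together. A Heat rule like the one above (remote_ip_prefix 0.0.0.0/0, tcp, all ports) is what lands on the compute host as the `RETURN tcp -- anywhere anywhere tcp` line in the dump: every TCP port of the instance is reachable from any source. The script parses the per-port chain as printed by `iptables -L`, flags RETURN rules that admit a whole protocol from any source, applies the same test to a Heat `rules:` list, and derives the tap device and per-port chain names from a port UUID the way Neutron's OVS iptables firewall driver does (first 11 characters for the tap, 10 for the chain suffix). The sample dump, the rule list and the full port UUID are constructed for the example; only the `76b78cbd-2` prefix comes from the answer.

```python
"""Audit OpenStack security-group rules for over-permissive ingress, both in a
Heat template and in the per-port iptables chain Neutron builds on the
compute host.  Added example, not code from the original answer.  The sample
data below is constructed from the dump and template shown in the answer."""
import re

# Constructed sample: the per-port ingress chain from the answer's
# `sudo iptables -L` output (rule comments shortened).
IPTABLES_DUMP = """\
Chain neutron-openvswi-i76b78cbd-2 (1 references)
target     prot opt source        destination
RETURN     all  --  anywhere      anywhere     state RELATED,ESTABLISHED /* known session */
RETURN     udp  --  192.168.51.2  anywhere     udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere      anywhere     tcp
RETURN     udp  --  anywhere      anywhere     udp
RETURN     icmp --  anywhere      anywhere
DROP       all  --  anywhere      anywhere     state INVALID /* no conntrack entry */
neutron-openvswi-sg-fallback  all  --  anywhere  anywhere  /* unmatched traffic */
"""

# Constructed sample: the `rules:` list of the answer's Heat template as dicts.
HEAT_RULES = [
    {"remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp",
     "port_range_min": 0, "port_range_max": 65535, "direction": "ingress"},
]

ANY_SOURCE = {"anywhere", "0.0.0.0/0", "::/0"}
COMMENT_RE = re.compile(r"\s*/\*.*?\*/")


def port_chain_names(port_id):
    """Names the OVS iptables firewall driver derives from a Neutron port UUID:
    the tap device carries the first 11 characters of the UUID, the per-port
    chains the first 10 (the chain suffix is capped at 11 characters including
    the i/o/s direction letter).  Any UUID passed in by callers is illustrative."""
    short = port_id[:10]
    return {
        "tap": "tap" + port_id[:11],
        "ingress": "neutron-openvswi-i" + short,
        "egress": "neutron-openvswi-o" + short,
        "spoof_filter": "neutron-openvswi-s" + short,
    }


def parse_chain(dump):
    """Parse one chain of `iptables -L` text into (chain_name, [rule dicts])."""
    lines = [l.strip() for l in dump.strip().splitlines() if l.strip()]
    m = re.match(r"Chain (\S+)", lines[0])
    if not m:
        raise ValueError("not an iptables -L chain listing")
    rules = []
    for line in lines[1:]:
        if line.startswith("target "):
            continue  # column header
        parts = COMMENT_RE.sub("", line).split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        rules.append({"target": target, "prot": prot, "source": src,
                      "destination": dst,
                      "extra": parts[5] if len(parts) == 6 else ""})
    return m.group(1), rules


def audit_chain(chain, rules):
    """Flag RETURN (accept) rules for tcp/udp from any source that carry no
    destination-port match: those admit every port of that protocol."""
    findings = []
    for r in rules:
        if r["target"] != "RETURN" or r["prot"] not in ("tcp", "udp"):
            continue
        if r["source"] in ANY_SOURCE and "dpt" not in r["extra"] \
                and "dport" not in r["extra"]:
            findings.append("%s: RETURN %s from any source with no destination "
                            "port match (all %s ports open)"
                            % (chain, r["prot"], r["prot"].upper()))
    return findings


def audit_heat_rules(rules):
    """Flag ingress rules open to the world that cover every port (or every
    protocol).  A rule with neither remote_ip_prefix nor remote_group_id
    matches any source; direction defaults to ingress as in Heat."""
    findings = []
    for i, r in enumerate(rules):
        if r.get("direction", "ingress") != "ingress":
            continue
        prefix = r.get("remote_ip_prefix")
        world = prefix in ANY_SOURCE or (prefix is None
                                         and r.get("remote_group_id") is None)
        proto = r.get("protocol")
        lo, hi = r.get("port_range_min"), r.get("port_range_max")
        all_ports = lo is None or (lo <= 1 and (hi is None or hi >= 65535))
        if world and (proto is None or (proto in ("tcp", "udp") and all_ports)):
            findings.append("rule %d: ingress %s from %s on all ports"
                            % (i, proto or "any protocol", prefix or "any source"))
    return findings


if __name__ == "__main__":
    chain, rules = parse_chain(IPTABLES_DUMP)
    for line in audit_chain(chain, rules) + audit_heat_rules(HEAT_RULES):
        print(line)
    # Constructed UUID whose prefix matches the chain seen in the dump.
    print(port_chain_names("76b78cbd-2f4c-4a2c-9f0b-1234567890ab"))
```

On a real compute host, `iptables -S <chain>` (or `iptables-save`) prints the rules in command syntax, which is easier to feed to a parser than the `-L` table used here; the `port_chain_names` lookup tells you which chain to ask for given the port ID from `openstack port list`. The same world-open check is worth running against every template before `heat stack-create`, since a single 0.0.0.0/0 rule over the full port range makes the rest of the security group irrelevant.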