
how security group is implemented

asked 2011-05-05 22:05:25 -0500

jinzishuai

Hi there,

I thought this would be a straightforward thing to find out, but it turned out not to be. I created a security group to allow ssh and http and ran an instance with it. On its physical host, I see the following proper iptables rules:

Chain nova-compute-inst-20 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.253.1        anywhere             udp spt:bootps dpt:bootpc
ACCEPT     all  --  192.168.253.0/24     anywhere
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:http
nova-compute-sg-fallback  all  --  anywhere             anywhere

The libvirt XML shows:

<interface type='bridge'>
  <mac address="02:16:3e:05:67:78"/>
  <source bridge="br2"/>
  <target dev="vnet2"/>
  <filterref filter="nova-instance-instance-00000014-02163e056778">
    <parameter name="DHCPSERVER" value="192.168.253.1"/>
    <parameter name="IP" value="192.168.253.3"/>
  </filterref>
  <alias name="net0"/>
</interface>

So I went to look at its nwfilter:

[root@node5 ~]# virsh nwfilter-dumpxml nova-instance-instance-00000014-02163e056778
<filter name="nova-instance-instance-00000014-02163e056778" chain="root">
  <uuid>261d6e67-4be9-c400-4908-ea648cda5ef5</uuid>
  <filterref filter="nova-base"/>
</filter>

It references the nova-base nwfilter, which is:

[root@node5 nwfilter]# virsh nwfilter-dumpxml nova-base
<filter name="nova-base" chain="root">
  <uuid>35ec003d-48aa-f747-8fc5-83cb453ea43a</uuid>
  <filterref filter="no-mac-spoofing"/>
  <filterref filter="no-ip-spoofing"/>
  <filterref filter="no-arp-spoofing"/>
  <filterref filter="allow-dhcp-server"/>
</filter>

But where are my custom rules allowing ports 22 and 80? I haven't seen them anywhere, but it apparently worked. Is it run directly by iptables, without using the libvirt nwfilter? I would assume it is natural to use nwfilter directly for security groups, right?

Thanks. Shi


2 answers


answered 2011-05-05 22:13:42 -0500

vishvananda

There are two different drivers for security group rules (set by the --firewall_driver flag). The default driver uses iptables directly. The nwfilter driver does the configuration through nwfilter.

The nwfilter driver was created first, but we switched to the other by default because it has a couple of issues:
1) it often blocks for a long time inside of libvirt, especially once a large number of rules have been defined
2) due to a change in support for physdev device match, there are certain networking setups where the rules are bypassed

(There may have been other issues as well that I'm not remembering)

Vish

On May 5, 2011, at 3:05 PM, Shi Jin wrote:

New question #156184 on OpenStack Compute (nova): https://answers.launchpad.net/nova/+q...



answered 2011-05-06 11:25:26 -0500

soren

Even if you're using the iptables driver, nwfilter is still used for a few basic things like mac/ip/arp spoofing protection, though. Other than that, Vish is absolutely correct.

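Putting both answers together, a host-side audit has two halves to check: the per-instance iptables chain (where the default driver puts the security group's port rules) and the base nwfilter (which still carries the MAC/IP/ARP anti-spoofing references). The following is an added example, not code from the question or from nova; it parses the `iptables -L` chain and `virsh nwfilter-dumpxml nova-base` output quoted above (embedded here as constructed samples), and the function names and the expected-port set are my own.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the per-instance chain as `iptables -L` prints it on the host.
IPTABLES_OUT = """\
Chain nova-compute-inst-20 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.253.1        anywhere             udp spt:bootps dpt:bootpc
ACCEPT     all  --  192.168.253.0/24     anywhere
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:http
nova-compute-sg-fallback  all  --  anywhere             anywhere
"""
# Constructed sample: `virsh nwfilter-dumpxml nova-base` as quoted in the question.
NWFILTER_XML = """<filter name="nova-base" chain="root">
  <filterref filter="no-mac-spoofing"/><filterref filter="no-ip-spoofing"/>
  <filterref filter="no-arp-spoofing"/><filterref filter="allow-dhcp-server"/>
</filter>"""

def parse_chain(text):
    """Return (chain_name, [(target, proto, source, dport, extra), ...])."""
    lines = text.strip().splitlines()
    name = re.match(r"Chain (\S+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the 'Chain ...' line and the column header
        parts = line.split()
        extra = " ".join(parts[5:])  # match text after the destination column
        m = re.search(r"dpt:(\S+)", extra)
        # `iptables -L` without -n prints service names; normalise the two we expect
        dport = {"ssh": "22", "http": "80"}.get(m.group(1), m.group(1)) if m else None
        rules.append((parts[0], parts[1], parts[3], dport, extra))
    return name, rules

def audit_chain(text, expected_tcp):
    """Findings for one instance chain; an empty list means it matches the security group."""
    name, rules = parse_chain(text)
    findings = []
    if not any(t == "DROP" and "INVALID" in e for t, _, _, _, e in rules):
        findings.append(f"{name}: no DROP for state INVALID")
    if rules[-1][0] != "nova-compute-sg-fallback":
        findings.append(f"{name}: chain does not end in nova-compute-sg-fallback")
    actual = {(s, d) for t, p, s, d, _ in rules if t == "ACCEPT" and p == "tcp"}
    for kind, diff in (("unexpected", actual - expected_tcp), ("missing", expected_tcp - actual)):
        findings += [f"{name}: {kind} ACCEPT tcp/{p} from {s}" for s, p in sorted(diff)]
    return findings

def missing_antispoof(xml_text):
    """Anti-spoofing filters that the base nwfilter does not reference (empty set is good)."""
    refs = {ref.get("filter") for ref in ET.fromstring(xml_text).findall("filterref")}
    return {"no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"} - refs
```

Run it against live `iptables -L nova-compute-inst-N` and `virsh nwfilter-dumpxml nova-base` output to confirm that the group's ports and the spoofing protection are both actually in force on the host.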