security group and neutron

asked 2014-03-14 09:51:03 -0500

updated 2014-03-14 09:52:09 -0500

Hi, in my lab everything seems to be set up right, but when I change the rules of the security group, even if the iptables rules are refreshed, nothing happens in my virtual world. I use port 34123 only to see if something happens to iptables.

    root@node1:/images# nova secgroup-list-rules default
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 34123     | 34123   | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+


    root@compute1:/# iptables -S | grep tap 
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    root@compute1:/# 

    -A neutron-openvswi-i827be275-6 -m state --state INVALID -j DROP
    -A neutron-openvswi-i827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-i827be275-6 -p tcp -m tcp --dport 34123 -j RETURN
    -A neutron-openvswi-i827be275-6 -s 192.168.17.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-i827be275-6 -j neutron-openvswi-sg-fallback

    -A neutron-openvswi-o827be275-6 -p udp -m udp --sport 68 --dport 67 -j RETURN
    -A neutron-openvswi-o827be275-6 -j neutron-openvswi-s827be275-6
    -A neutron-openvswi-o827be275-6 -p udp -m udp --sport 67 --dport 68 -j DROP
    -A neutron-openvswi-o827be275-6 -m state --state INVALID -j DROP
    -A neutron-openvswi-o827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-o827be275-6 -j RETURN
    -A neutron-openvswi-o827be275-6 -j neutron-openvswi-sg-fallback

    -A neutron-openvswi-s827be275-6 -s 192.168.17.4/32 -m mac --mac-source FA:16:3E:AC:B2:CE -j RETURN
    -A neutron-openvswi-s827be275-6 -j DROP
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    -A neutron-openvswi-sg-chain -j ACCEPT
    -A neutron-openvswi-sg-fallback -j DROP


    tcpdump -ni tap827be275-62

    5:30:23.002123 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [P.], seq 2044:2055, ack 462733, win 65535, options [nop,nop,TS val 1110034546 ecr 216391], length 11
    15:30:23.002572 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [F.], seq 2055, ack 462733, win 65535, options [nop,nop,TS val 1110034546 ecr 216391], length 0
    15:30:23.002832 IP 192.168.17.4.3389 > x.x.x.108.59772: Flags [.], ack 2056, win 63598, options [nop,nop,TS val 216392 ecr 1110034546], length 0
    15:30:23.005367 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [.], ack 462733, win 65535, options [nop,nop,TS val 1110034548 ecr 216392], length 0
    15:30:23.009478 IP 192.168.17.4.3389 > x.x.x.108.59772: Flags [R.], seq 462733, ack 2056, win 0, length 0
    15:30:24.832224 IP6 fe80::24ff:e3cb:d8c7:c3.546 > ff02::1:2.547: dhcp6 solicit
    15:30:32.847985 IP6 fe80::24ff:e3cb:d8c7:c3.546 > ff02::1:2.547: dhcp6 solicit
    15:30:38.358002 IP x.x.x.108 > 192.168.17.4: ICMP echo request, id 45131, seq 0, length 64
    15:30:38.358275 IP 192.168.17.4 > x.x.x.108: ICMP ...

1 answer

answered 2014-03-14 10:40:43 -0500

Found the solution.

Add to nova.conf:

    libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

If someone can explain it better I will be glad. In nova.conf I have to put:

    firewall_driver=nova.virt.firewall.NoopFirewallDriver

and in /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:

    [securitygroup]
    # Firewall driver for realizing neutron security group function.
    # firewall_driver = neutron.agent.firewall.NoopFirewallDriver
    # Example:
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Is it all ok, or am I doing something deprecated?

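An added example (not part of the thread) that makes the reason behind the fix concrete: every jump into the ingress chain quoted in the question is guarded by `-m physdev --physdev-is-bridged`, which only matches traffic crossing a Linux bridge, so with the tap plugged straight into Open vSwitch the chain is never reached and the security group cannot take effect; the hybrid VIF driver inserts that bridge. The script parses the rules quoted above and evaluates the verdict a packet would get with and without the bridge; the packet fields and the `bridged` flag are constructed inputs, not real kernel state.

```python
import re

# Constructed from the `iptables -S` output quoted above (FORWARD hook, sg-chain, ingress chain).
RULES = """
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-i827be275-6 -m state --state INVALID -j DROP
-A neutron-openvswi-i827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i827be275-6 -p tcp -m tcp --dport 34123 -j RETURN
-A neutron-openvswi-i827be275-6 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-fallback -j DROP
"""
OPTS = {"proto": r"-p (\S+)", "dport": r"--dport (\d+)", "state": r"--state (\S+)"}

def parse_rules(text):
    """Map each chain name to its ordered list of (match-options, target)."""
    chains = {}
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] != "-A":
            continue
        m = {k: re.search(p, line).group(1) for k, p in OPTS.items() if re.search(p, line)}
        m["bridged"] = "--physdev-is-bridged" in line  # physdev only matches on a Linux bridge
        chains.setdefault(toks[1], []).append((m, toks[toks.index("-j") + 1]))
    return chains

def matches(rule, pkt):
    """Every option on the rule must hold for the packet."""
    return all((pkt["bridged"] or not v) if k == "bridged" else
               (pkt["state"] in v.split(",")) if k == "state" else pkt.get(k) == v
               for k, v in rule.items())

def walk(chains, chain, pkt):
    """First matching rule wins; RETURN (or no match) hands control back to the caller."""
    for rule, target in chains.get(chain, []):
        if matches(rule, pkt):
            if target in ("ACCEPT", "DROP", "RETURN"):
                return target
            verdict = walk(chains, target, pkt)
            if verdict != "RETURN":
                return verdict
    return "RETURN"

def sg_verdict(pkt, chains=parse_rules(RULES)):
    """ACCEPT/DROP from the security-group chains, or UNFILTERED when the physdev
    jump never fires (tap plugged straight into OVS, no Linux bridge in between)."""
    v = walk(chains, "neutron-openvswi-FORWARD", pkt)
    return "UNFILTERED" if v == "RETURN" else v

# Constructed packets: the RDP session seen in the tcpdump, and one to port 34123.
RDP_NEW = {"proto": "tcp", "dport": "3389", "state": "NEW", "bridged": True}
PORT_34123 = dict(RDP_NEW, dport="34123")
```

With the bridge in place the new RDP connection is dropped and port 34123 is accepted; without it the same RDP packet is simply never filtered, which is what the tcpdump in the question shows.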