Ask Your Question
1

security group and neutron

asked 2014-03-14 09:51:03 -0600

luigi.romagnoli gravatar image

updated 2014-03-14 09:52:09 -0600

Hi, on my lab everything seem to be setup right, but when i change the rules of security group even if the iptables rules are refreshed nothing happens to my virtual word, i use port 34123 only see if something happens to iptables

root@node1:/images# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 34123     | 34123   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


    root@compute1:/# iptables -S | grep tap 
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
    root@compute1:/# 




-A neutron-openvswi-i827be275-6 -m state --state INVALID -j DROP
-A neutron-openvswi-i827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i827be275-6 -p tcp -m tcp --dport 34123 -j RETURN
-A neutron-openvswi-i827be275-6 -s 192.168.17.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i827be275-6 -j neutron-openvswi-sg-fallback

-A neutron-openvswi-o827be275-6 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o827be275-6 -j neutron-openvswi-s827be275-6
-A neutron-openvswi-o827be275-6 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o827be275-6 -m state --state INVALID -j DROP
-A neutron-openvswi-o827be275-6 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o827be275-6 -j RETURN
-A neutron-openvswi-o827be275-6 -j neutron-openvswi-sg-fallback

-A neutron-openvswi-s827be275-6 -s 192.168.17.4/32 -m mac --mac-source FA:16:3E:AC:B2:CE -j RETURN
-A neutron-openvswi-s827be275-6 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap827be275-62 --physdev-is-bridged -j neutron-openvswi-i827be275-6
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap827be275-62 --physdev-is-bridged -j neutron-openvswi-o827be275-6
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -j DROP


-A neutron-openvswi-sg-fallback -j DROP


tcpdump -ni tap827be275-62


5:30:23.002123 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [P.], seq 2044:2055, ack 462733, win 65535, options [nop,nop,TS val 1110034546 ecr 216391], length 11
15:30:23.002572 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [F.], seq 2055, ack 462733, win 65535, options [nop,nop,TS val 1110034546 ecr 216391], length 0
15:30:23.002832 IP 192.168.17.4.3389 > x.x.x.108.59772: Flags [.], ack 2056, win 63598, options [nop,nop,TS val 216392 ecr 1110034546], length 0
15:30:23.005367 IP x.x.x.108.59772 > 192.168.17.4.3389: Flags [.], ack 462733, win 65535, options [nop,nop,TS val 1110034548 ecr 216392], length 0
15:30:23.009478 IP 192.168.17.4.3389 > x.x.x.108.59772: Flags [R.], seq 462733, ack 2056, win 0, length 0
15:30:24.832224 IP6 fe80::24ff:e3cb:d8c7:c3.546 > ff02::1:2.547: dhcp6 solicit
15:30:32.847985 IP6 fe80::24ff:e3cb:d8c7:c3.546 > ff02::1:2.547: dhcp6 solicit
15:30:38.358002 IP x.x.x.108 > 192.168.17.4: ICMP echo request, id 45131, seq 0, length 64
15:30:38.358275 IP 192.168.17.4 > x.x.x.108: ICMP ...
(more)
edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2014-03-14 10:40:43 -0600

luigi.romagnoli gravatar image

found solution

link text

add to nova.conf
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

if someone can better explain i will be glad on nova.conf i've to put

firewall_driver=nova.virt.firewall.NoopFirewallDriver

/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini 

[securitygroup]
# Firewall driver for realizing neutron security group function.
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
# Example: 
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

is all ok, i make something of deprecated?

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-03-14 09:51:03 -0600

Seen: 1,168 times

Last updated: Mar 14 '14

Related questions

Can we disable security group rules created under neutron-openvswi-sg-chain ?

Neutron Static IP

OS::Neutron::RouterInterface

Neutron: Command not found

Interfaces of br-int are down

How does Neutron implement overlapping IPs?

(Newton) SNAT drop default traffic

Kolla neutron external interface configuration

tenant_network_type

Neutron tenant networks