Nova-network Firewall Problems -ebtables [closed]

asked 2014-03-31 04:12:05 -0500

Gaganjot Singh

updated 2014-04-01 05:07:43 -0500

Hi there, I am trying to deploy OpenStack on a single system using a single NIC. I have disabled firewalling by setting Firewall Driver = ~.NoopFirewallDriver. Even then, whenever I reboot my system or spin up a new VM, my ebtables list is updated with rules that drop ARP requests for the bridge IP (and hence my system IP). What should be done?


Closed for the following reason: the question is answered, right answer was accepted by Gaganjot Singh
close date 2014-04-02 00:59:23.846293

Comments

I've had the same problem. It's a problem for XenServer users because the controller VM can't reach instances if the ebtables rules exist.

On the other hand, my DevStack-based deployments behave differently: they do not create the ebtables rules on nova boot. Not sure why the two are different.

gyee (2014-03-31 14:38:17 -0500)

Yes, the issue has been giving me a hard time for the last week. I have tried many things, including setting NoopFirewallDriver in the configuration files and changing sysctl settings, but ebtables seems to be quite furious with me.

Gaganjot Singh (2014-04-01 04:53:07 -0500)

2 answers


answered 2014-04-01 14:31:49 -0500

gyee

updated 2014-04-01 14:32:56 -0500

The change to ebtables is caused by setting share_dhcp_address = True in the /etc/nova/nova.conf file. By changing this setting to False I was able to boot VMs without the ebtables rules being added.

share_dhcp_address is useful if you want to have multiple compute nodes share the same IP address (for the purposes of migration, is my guess). As for why the ebtables rules are necessary, the links below suggest that it is security related, and while I think it has something to do with preventing spoofing attacks, I haven't connected all the dots yet, so take it with a grain of salt.

Related Links:

https://ask.openstack.org/en/question/1648/why-do-ebtables-rules-with-share_dhcp_address-block-arp-traffic/

https://review.openstack.org/#/c/16578


Comments

@gyee: Thanks. Solved my problem.

Gaganjot Singh (2014-04-02 07:30:40 -0500)
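Added example (not part of the thread, and not Nova's own code): a small POSIX shell script for checking the two things the accepted answer hinges on, namely whether share_dhcp_address is effectively set in nova.conf, and which ebtables rules on the bridge are the ARP DROP rules that make the bridge IP (and, on a single-NIC host, the host IP) unreachable. The nova.conf fragment and the `ebtables -L` listing are constructed for the demonstration; the bridge name br100, the address 10.0.0.1 and the exact rule wording are assumptions modelled on what nova-network installs when share_dhcp_address is True (ARP for the DHCP address dropped in both directions on the bridge, plus DHCP ports 67/68 dropped in FORWARD), so check them against the real output on your host.

```shell
#!/bin/sh
# Added example, not from the original thread or from Nova itself.
#   nova_share_dhcp <nova.conf>   -> effective value of share_dhcp_address
#   ebtables_arp_drops <bridge>   -> ARP DROP rules on <bridge>, read from
#                                    `ebtables -L` output on stdin
# The sample nova.conf and the ebtables listing below are constructed.

# Effective value of share_dhcp_address: commented lines are ignored, the
# last uncommented assignment wins, and an absent option means False
# (Nova's default for this option).
nova_share_dhcp() {
  conf="$1"
  val=$(sed -n 's/^[[:space:]]*share_dhcp_address[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
  [ -n "$val" ] || val="False"
  printf '%s\n' "$val"
}

# Keep only the rules from an `ebtables -L` listing that DROP ARP entering
# (-i) or leaving (-o) the given bridge. These are the rules that stop the
# bridge IP from being resolved, which is what the question describes.
ebtables_arp_drops() {
  bridge="$1"
  grep -E -- "^-p ARP .*-[io] ${bridge} .*-j DROP"
}

# Constructed nova.conf fragment: firewalling is off, but the option that
# actually triggers the ebtables rules is still on.
TMP_CONF=$(mktemp)
trap 'rm -f "$TMP_CONF"' EXIT
cat >"$TMP_CONF" <<'EOF'
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
# share_dhcp_address = False
share_dhcp_address = True
EOF

# Constructed `ebtables -L` listing (assumed shape) after booting a VM with
# share_dhcp_address = True on bridge br100 whose address is 10.0.0.1.
EBTABLES_SAMPLE='Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p ARP -i br100 --arp-ip-dst 10.0.0.1 -j DROP

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-p IPv4 -i br100 --ip-proto udp --ip-dport 67:68 -j DROP
-p IPv4 -o br100 --ip-proto udp --ip-dport 67:68 -j DROP

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -o br100 --arp-ip-src 10.0.0.1 -j DROP'

main() {
  echo "share_dhcp_address = $(nova_share_dhcp "$TMP_CONF")"
  echo "ARP DROP rules on br100:"
  # On a real host replace the printf with: ebtables -L | ebtables_arp_drops br100
  printf '%s\n' "$EBTABLES_SAMPLE" | ebtables_arp_drops br100
}
main
```

Two practical notes. First, the firewall_driver setting has no bearing here: NoopFirewallDriver only disables the per-instance iptables security-group rules, while the ARP rules come from the share_dhcp_address code path, so the two settings must be checked independently. Second, the rules exist to keep ARP and DHCP traffic for a DHCP address that several compute nodes share from leaking across the bridge, so flipping share_dhcp_address to False is the right fix for a single-node, single-NIC deployment, but not a change to make blindly on a multi-node deployment that relies on the shared address.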

answered 2014-04-01 17:59:59 -0500

SGPJ

In DevStack, I have added security group rules for ALL ICMP and ALL TCP and UDP for all ports, and I am able to ping a guest VM's (CirrOS VM) floating IP from the host machine (DevStack). From a guest VM running on the private network I try to send a packet using Python Scrapy, but the packets get dropped. How do I disable the anti-IP-spoofing in DevStack?

Thanks.
