UDP traffic not getting forwarded out through my security group

asked 2014-11-07 19:12:17 -0500 by nakul

updated 2014-11-08 00:22:45 -0500 by DanIzack

Hi, I have a multi-node OpenStack installation with network, compute and controller nodes. After launching a VM the UDP traffic is not getting out of the VM, but UDP traffic is coming into the VM. I have set both ingress and egress to allow all UDP in my security group. If I turn off iptables it works fine, so it is definitely a security group issue. Below is the security group output I am using:

nova secgroup-list-rules default

    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | icmp        | -1        | -1      | 0.0.0.0/0 |              |
    | tcp         | 22        | 22      | 0.0.0.0/0 |              |
    | udp         | 1         | 65535   | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

The following is the output of the neutron security group for the port I am using:

neutron security-group-show mySecurityGroup

    +----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field                | Value                                                                                                                                                                                                                                                                                                                                   |
    +----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | description          | my securityGroup                                                                                                                                                                                                                                                                                                                        |
    | id                   | fa01bde3-6d6d-4acb-bf52-cff8618b92d3                                                                                                                                                                                                                                                                                                    |
    | name                 | mySecurityGroup                                                                                                                                                                                                                                                                                                                         |
    | security_group_rules | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "tenant_id": "57f5c9f489d04fa1a72bb70d92568110", "port_range_max": 65535, "security_group_id": "fa01bde3-6d6d-4acb-bf52-cff8618b92d3", "port_range_min": 1, "ethertype": "IPv4", "id": "0ef6c76d-7b6d-4f33-bff2-d9f61ee234ae"}     |
    |                      | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "tenant_id": "57f5c9f489d04fa1a72bb70d92568110", "port_range_max": 65535, "security_group_id": "fa01bde3-6d6d-4acb-bf52-cff8618b92d3", "port_range_min": 1, "ethertype": "IPv4", "id": "4a692354-3663-4c82-9040-a77ee879e73a"}    |
    |                      | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "icmp", "tenant_id": "57f5c9f489d04fa1a72bb70d92568110", "port_range_max": null, "security_group_id": "fa01bde3-6d6d-4acb-bf52-cff8618b92d3", "port_range_min": null, "ethertype": "IPv4", "id": "4d6a1d73-8a88-49d8-a911-e0a0338198ad"} |
    |                      | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "udp", "tenant_id": "57f5c9f489d04fa1a72bb70d92568110", "port_range_max": 65535, "security_group_id": "fa01bde3-6d6d-4acb-bf52-cff8618b92d3", "port_range_min": 1, "ethertype": "IPv4", "id": "8a1ca605-dfa2-432c-bdc6-d4008fd862bd"}     |
    |                      | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "udp", "tenant_id": "57f5c9f489d04fa1a72bb70d92568110", "port_range_max": 65535, "security_group_id": "fa01bde3-6d6d-4acb-bf52-cff8618b92d3", "port_range_min": 1, "ethertype": "IPv4", "id": "d80195c5-c2ca-49a9-a3d6-25abcfcf8b6a"}    |
    |                      | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "icmp", "tenant_id": "57f5c9f489d04fa1a72bb70d92568110", "port_range_max": null, "security_group_id": "fa01bde3-6d6d-4acb-bf52-cff8618b92d3", "port_range_min": null, "ethertype": "IPv4", "id": "e398cd41-e3ff-42f9-8119-65f8bfd74b83"}  |
    | tenant_id            | 57f5c9f489d04fa1a72bb70d92568110                                                                                                                                                                                                                                                                                                        |
    +----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Also below is the iptables output at the tap and at the bridge chain:

    [root@mvvirtb01-web ~]# iptables -S | grep tapb8303c28-51
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tapb8303c28-51 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tapb8303c28-51 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tapb8303c28-51 --physdev-is-bridged -j neutron-openvswi-ob8303c28-5
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tapb8303c28-51 --physdev-is-bridged -j neutron-openvswi-ib8303c28-5
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tapb8303c28-51 --physdev-is-bridged -j neutron-openvswi-ob8303c28-5
    [root@mvvirtb01-web ~]# iptables -S | grep neutron-openvswi-ib8303c28-5
    -N neutron-openvswi-ib8303c28-5
    -A neutron-openvswi-ib8303c28-5 -m state --state INVALID -j DROP
    -A neutron-openvswi-ib8303c28-5 -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-ib8303c28-5 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-ib8303c28-5 -p icmp -j RETURN
    -A neutron-openvswi-ib8303c28-5 -p udp -m udp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-ib8303c28-5 -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tapb8303c28-51 --physdev-is-bridged -j neutron-openvswi-ib8303c28-5
    [root@mvvirtb01-web ~]# iptables -S | grep neutron-openvswi-ob8303c28-5
    -N neutron-openvswi-ob8303c28-5
    -A neutron-openvswi-INPUT -m physdev --physdev-in tapb8303c28-51 --physdev-is-bridged -j neutron-openvswi-ob8303c28-5
    -A neutron-openvswi-ob8303c28-5 -p udp -m udp --sport 68 --dport 67 -j RETURN
    -A neutron-openvswi-ob8303c28-5 -j neutron-openvswi-sb8303c28-5
    -A neutron-openvswi-ob8303c28-5 -p udp -m udp --sport 67 --dport 68 -j DROP
    -A neutron-openvswi-ob8303c28-5 -m state --state INVALID -j DROP
    -A neutron-openvswi-ob8303c28-5 -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-ob8303c28-5 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-ob8303c28-5 -p ...
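A quick way to check the situation described in the question is to compare the security-group rules neutron reports against the RETURN rules actually present in the port's per-direction iptables chains (neutron-openvswi-i&lt;port&gt; for ingress, neutron-openvswi-o&lt;port&gt; for egress). The script below is an added example, not code from the post or from Neutron; its `iptables -S` sample is constructed from the question's listing, with the egress udp RETURN rule deliberately left out so the mismatch is visible.

```python
import shlex

# Constructed sample modelled on the question's listing: the egress chain
# (neutron-openvswi-o...) has tcp and icmp RETURN rules but, for this demo, no udp one.
IPTABLES_S = """\
-A neutron-openvswi-ib8303c28-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ib8303c28-5 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-ib8303c28-5 -p icmp -j RETURN
-A neutron-openvswi-ib8303c28-5 -p udp -m udp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-ob8303c28-5 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-ob8303c28-5 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-ob8303c28-5 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-ob8303c28-5 -p icmp -j RETURN
"""

# (direction, protocol, port_range_min, port_range_max) taken from security-group-show.
SG_RULES = [("egress", "tcp", 1, 65535), ("ingress", "tcp", 1, 65535),
            ("ingress", "icmp", None, None), ("egress", "udp", 1, 65535),
            ("ingress", "udp", 1, 65535), ("egress", "icmp", None, None)]

def _opt(tok, flag):
    """Value following an iptables flag, or None if the flag is absent."""
    return tok[tok.index(flag) + 1] if flag in tok else None

def parse_return_rules(iptables_s, port_prefix):
    """Collect (direction, protocol, dports) for each RETURN rule in the
    per-port ingress (i<prefix>) and egress (o<prefix>) chains."""
    chains = {f"neutron-openvswi-i{port_prefix}": "ingress",
              f"neutron-openvswi-o{port_prefix}": "egress"}
    found = set()
    for line in iptables_s.splitlines():
        tok = shlex.split(line)
        if len(tok) > 2 and tok[0] == "-A" and tok[1] in chains and _opt(tok, "-j") == "RETURN":
            found.add((chains[tok[1]], _opt(tok, "-p"), _opt(tok, "--dports")))
    return found

def missing_sg_rules(sg_rules, iptables_s, port_prefix):
    """Security-group rules with no matching RETURN rule in the port's iptables chain."""
    present = parse_return_rules(iptables_s, port_prefix)
    missing = []
    for direction, proto, lo, hi in sg_rules:
        dports = None if lo is None else f"{lo}:{hi}"
        if (direction, proto, dports) not in present:
            missing.append((direction, proto, dports))
    return missing

if __name__ == "__main__":
    print(missing_sg_rules(SG_RULES, IPTABLES_S, "b8303c28-5"))
```

On a real host, feed it the output of `iptables -S` and the port id prefix that appears in the chain names; an empty list means every security-group rule has a corresponding RETURN, so the block would have to come from elsewhere (conntrack state, the fallback chain, or a rule outside the port chains).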