Ask Your Question

Default Neutron security group is ineffective

asked 2013-11-21 10:36:06 -0600

rg3 gravatar image

updated 2013-11-22 07:14:21 -0600

darragh-oreilly gravatar image

Good afternoon everybody, How are you? I hope you are fine.

I'm new in the new openstack world. My first step was install the Openstack on the computers with ubuntu following the tutorial found in the . Also I use the openvswitch.

After verify if the services are actives and enable, I created one external network, a networks with subnet, both of them connected a one router, further I set the gateway to the router on the external network (following the example in the docs.openstack). By the other hand, I launch one VM and associate a flooting IP the external network, further verify the connectivity between the router, the VM and the DHCP, all of them work well. After I try to ping the floating IP from the other computer, external the testbed, and that my surprise that i can ping. I supposed that not possible because don't exists rules about this traffic. Thus I verified the security groups rules and found the group Default with 4 rules that allowing access the traffic IPv4 and IPv6 (eggress and ingress). I guessed this rules are responsible for ensure the connectivity between openstack and VMs. But anyway delete this rules and try the ping again from the external PC and the ping work again.

The configuration about nova.conf, nova-compute conf and neutron_plugin_ovs are:


root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf

#Network Settings
firewall_driver = nova.virt.firewall.NoopFirewallDriver



ovs_neutron plugin:

# Firewall driver for realizing neutron security group function.
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
# Example: 
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Thanks an advance. Sorry for bother you.

Best Regards, Rafael.

edit retag flag offensive close merge delete


Check that you have not installed the ovs bridge compatibility package. If you are not sure what that is, please append the output of 'sudo ovs-vsctl show' from the compute node to the question.

darragh-oreilly gravatar imagedarragh-oreilly ( 2013-11-21 13:38:58 -0600 )edit

Ok, good, it is not installed as ovs-vsctl show does not have any qbr-xxxxxx-xx bridges. Can you run 'iptables-save' and 'brctl show' and 'ip link', and put their output on Then edit the original question above and append the link to it.

darragh-oreilly gravatar imagedarragh-oreilly ( 2013-11-22 07:05:15 -0600 )edit

Ok thanks for your help :). The output are: iptables-save = brctl show = ip link =

rg3 gravatar imagerg3 ( 2013-11-22 08:36:06 -0600 )edit

I don't think you had an instance running when you ran those commands? Can you repeat with an instance running.

darragh-oreilly gravatar imagedarragh-oreilly ( 2013-11-22 09:09:25 -0600 )edit

Yes you're right. I don't know why my instance don't running. I only answer you today because I have a other problem right now with the instance that is I can ping the instance from my controller node, but since my instance I can't ping the router and the dhcp interface and i understand very well why. I see the logs, then I found this in the openvswitch log: After that I went to google and the ask openstack to found similar errors but I can't have a conclusion about it. If you can help I will be gratefully. Best Regards Rafael

rg3 gravatar imagerg3 ( 2013-11-23 11:09:52 -0600 )edit

5 answers

Sort by ยป oldest newest most voted

answered 2014-04-15 10:12:15 -0600

SGPJ gravatar image

Remove all the rules, then try ping after deleting the flows using ovs-ofctl del-flows and check whether flows are getting added again.

edit flag offensive delete link more


Also you can use firewall as a service to add rules & policies.

SGPJ gravatar imageSGPJ ( 2014-04-19 08:43:43 -0600 )edit

answered 2015-03-03 06:22:35 -0600

alex leonhardt gravatar image

After Icehouse, please see this bug report: (

See my comments at the bottom of it, add those kernel params in and reload neutron-openvswitch-agent on the compute and network nodes.


edit flag offensive delete link more

answered 2014-07-09 18:50:27 -0600

the security rules are getting applied directly onto br-int (which is not yet compatible with iptables rules). Going forward there would be a firewall driver which could leverage OpenFlow and inject the rules directly into the OVS bridge.

edit flag offensive delete link more

answered 2014-04-07 07:53:13 -0600

Emrecan gravatar image

I have the same problem (with the default security group used, I can ping and ssh to the vm (cirros image)). Do you have any idea about how to resolve the issue?

Please, help.

edit flag offensive delete link more

answered 2014-04-15 09:31:58 -0600

mewald gravatar image

Nobody? I have the same issue! Security Groups seem to be completely useless!

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2013-11-21 10:36:06 -0600

Seen: 1,665 times

Last updated: Mar 03 '15