How do Security Groups work?

asked 2016-05-18 09:48:45 -0600



I would like to know how security groups really work. What is the mechanism that passes the rules to the machines? Does it use an orchestration tool? Where can I find this information?



2 answers


answered 2016-05-19 10:34:12 -0600


updated 2016-05-19 11:19:28 -0600

Security Group rules are enforced by Linux iptables rules at the compute host level. I'm using DVR (distributed virtual routing) on Kilo; here are some rules dumped out on a compute host:

    sudo iptables -L

    Chain neutron-openvswi-i76b78cbd-2 (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    RETURN     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
    RETURN     tcp  --  anywhere             anywhere             tcp
    RETURN     udp  --  anywhere             anywhere             udp
    RETURN     icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Yes, you can create security group rules in a Heat orchestration template. Here is a brief example:

    heat_template_version: 2015-04-30
    resources:
      my_security_group:   # resource id is illustrative; pick your own
        type: OS::Neutron::SecurityGroup
        properties:
          description: Neutron security group rules
          name: mysecurity_group
          rules:
            - remote_ip_prefix:   # left unset as in the original; the rule then applies to any remote address
              protocol: tcp
              port_range_min: 0
              port_range_max: 65535
              direction: ingress


I'm new to the whole OpenStack networking, but this article (1) suggests they're implemented on the virtual switch instead of on the hosts themselves. I tried finding more info about that but couldn't.

1) (

petrroll ( 2018-07-12 13:06:44 -0600 )
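As an added example (not part of the original thread, and not OpenStack's or Neutron's own code): a small Python parser for the `iptables -L` chain dump format rmelton pasted above. A defender can run it over a compute host's output to check what a per-port security-group chain (`neutron-openvswi-i<port-id>`) actually accepts, drops, and hands to the fallback chain, which is the enforcement the question asks about. The chain dump embedded in the script is constructed from the one in the answer (with the DHCP line's missing column restored); the helper names `parse_iptables`, `summarize` and `allows_protocol` are the example's own.

```python
"""Parse an `iptables -L` chain dump and summarise a Neutron security-group
chain. Added example, not from the original thread; the sample dump below is
constructed from the chain rmelton posted."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the per-port ingress chain from the answer.
SAMPLE = """\
Chain neutron-openvswi-i76b78cbd-2 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp
RETURN     udp  --  anywhere             anywhere             udp
RETURN     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
"""


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # match options after the columns, e.g. "state RELATED,ESTABLISHED"; comment removed


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
COMMENT_RE = re.compile(r"/\*.*?\*/")


def parse_iptables(text: str) -> Dict[str, Chain]:
    """Split an `iptables -L` dump into chains, one Rule per rule line."""
    chains: Dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1))
            chains[current.name] = current
            continue
        if line.startswith("target ") or current is None:
            continue  # column header, or text before the first chain
        line = COMMENT_RE.sub("", line).strip()
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        if len(parts) < 5:
            continue
        target, proto, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        current.rules.append(Rule(target, proto, src, dst, extra))
    return chains


def summarize(chain: Chain) -> dict:
    """Group rules by what they do: RETURN (accepted back to the caller), DROP, or a jump to another chain."""
    summary = {"returned": [], "dropped": [], "jumps": []}
    for r in chain.rules:
        desc = f"{r.proto} {r.extra}".strip()
        if r.target == "RETURN":
            summary["returned"].append(desc)
        elif r.target == "DROP":
            summary["dropped"].append(desc)
        else:
            summary["jumps"].append(r.target)
    return summary


def allows_protocol(chain: Chain, proto: str) -> bool:
    """True if the chain accepts this protocol unconditionally, i.e. a RETURN
    whose only match is the protocol itself (no port or state restriction)."""
    return any(
        r.target == "RETURN" and r.proto == proto and r.extra in ("", proto)
        for r in chain.rules
    )


if __name__ == "__main__":
    # On a real host: sudo iptables -L | python3 this_script.py  (replace SAMPLE with sys.stdin.read())
    for name, chain in parse_iptables(SAMPLE).items():
        print(name, summarize(chain))
```

The `allows_protocol` check is the useful part when auditing a host: the posted chain returns all TCP and all UDP with no port restriction, which matches the 0-65535 ingress rule in the Heat example, so a wide-open security group shows up directly as an unconditional `RETURN tcp` line on the compute host.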

answered 2016-05-19 05:42:48 -0600




Asked: 2016-05-18 09:48:45 -0600

Seen: 1,017 times

Last updated: May 19 '16