how security group is implemented

Hi there,

I thought this was a straightforward thing to find out, but it turned out not to be. I created a security group to allow ssh and http and ran an instance with it. On its physical host, I see the following proper iptables rules:

Chain nova-compute-inst-20 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.253.1        anywhere             udp spt:bootps dpt:bootpc
ACCEPT     all  --  192.168.253.0/24     anywhere
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:http
nova-compute-sg-fallback  all  --  anywhere             anywhere

The libvirt XML shows:

<interface type='bridge'>
  <mac address="02:16:3e:05:67:78"/>
  <source bridge="br2"/>
  <target dev="vnet2"/>
  <filterref filter="nova-instance-instance-00000014-02163e056778">
    <parameter name="DHCPSERVER" value="192.168.253.1"/>
    <parameter name="IP" value="192.168.253.3"/>
  </filterref>
  <alias name="net0"/>
</interface>

So I went to look at its nwfilter:

[root@node5 ~]# virsh nwfilter-dumpxml nova-instance-instance-00000014-02163e056778
<filter name="nova-instance-instance-00000014-02163e056778" chain="root">
  <uuid>261d6e67-4be9-c400-4908-ea648cda5ef5</uuid>
  <filterref filter="nova-base"/>
</filter>

It references the nova-base nwfilter, which is:

[root@node5 nwfilter]# virsh nwfilter-dumpxml nova-base
<filter name="nova-base" chain="root">
  <uuid>35ec003d-48aa-f747-8fc5-83cb453ea43a</uuid>
  <filterref filter="no-mac-spoofing"/>
  <filterref filter="no-ip-spoofing"/>
  <filterref filter="no-arp-spoofing"/>
  <filterref filter="allow-dhcp-server"/>
</filter>

But where are my custom rules allowing ports 22 and 80? I haven't seen them anywhere, but it apparently worked. Is it run directly by iptables, without using the libvirt nwfilter? I would assume it is a natural way to directly use nwfilter for security groups, right?

Thanks. Shi
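As an added example (not code from the question or from OpenStack), here is a small Python check that parses a per-instance chain listing like the one in the question and diffs it against the security group the operator intended, so drift between what was defined and what the compute host actually enforces shows up. The sample chain, the service-name table and the choice to count the own-subnet ACCEPT as expected baseline are assumptions of this example.

```python
import re

# Constructed sample modelled on the nova-compute-inst-20 chain in the question
# (iptables -L without -n, so service names appear instead of port numbers).
SAMPLE_CHAIN = """\
Chain nova-compute-inst-20 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.253.1        anywhere             udp spt:bootps dpt:bootpc
ACCEPT     all  --  192.168.253.0/24     anywhere
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:http
nova-compute-sg-fallback  all  --  anywhere             anywhere
"""

# Service names iptables prints without -n (assumed table; extend as needed).
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "mysql": 3306}

# The group from the question (ssh and http from 192.168.2.0/24) plus the
# ACCEPT-all for the instance's own subnet seen in the chain; treating that
# last rule as expected baseline is an assumption of this example.
EXPECTED_GROUP = {
    ("tcp", "192.168.2.0/24", 22),
    ("tcp", "192.168.2.0/24", 80),
    ("all", "192.168.253.0/24", None),
}

def parse_accepts(chain_text):
    """Return ACCEPT rules as (proto, source, dport) tuples, skipping nova's
    fixed scaffolding (conntrack RELATED/ESTABLISHED and the DHCP allow)."""
    rules = []
    for line in chain_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ACCEPT":
            continue  # chain header, column header, DROP, or fallback jump
        _target, proto, _opt, src, _dst, *extra = fields
        extra = " ".join(extra)
        if "RELATED" in extra or "bootpc" in extra:
            continue
        m = re.search(r"dpt:(\S+)", extra)
        dport = None
        if m:
            name = m.group(1)
            dport = SERVICE_PORTS.get(name, int(name) if name.isdigit() else name)
        rules.append((proto, src, dport))
    return rules

def diff_against_group(chain_text, expected):
    """Return (missing, unexpected): rules the group defines but the host
    lacks, and ACCEPT rules on the host the group does not define."""
    actual = set(parse_accepts(chain_text))
    return sorted(expected - actual, key=str), sorted(actual - expected, key=str)
```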