
rules not working properly on security groups

I did not add an ICMP rule to the security group, but I am still able to ping the VM.

[root@n42-poweredge-3 ~]# iptables -S | grep tap607c43ff-13

-A neutron-openvswi-FORWARD -m physdev --physdev-out tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-sg-chain

-A neutron-openvswi-FORWARD -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-sg-chain

-A neutron-openvswi-INPUT -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-o607c43ff-1

-A neutron-openvswi-sg-chain -m physdev --physdev-out tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-i607c43ff-1

-A neutron-openvswi-sg-chain -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-o607c43ff-1

[root@n42-poweredge-3 ~]# iptables -s neutron-openvswi-i607c43ff-1

iptables v1.4.21: no command specified

Try `iptables -h' or 'iptables --help' for more information.

[root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-i607c43ff-1

Chain neutron-openvswi-i607c43ff-1 (1 references)

target prot opt source destination

DROP all -- anywhere anywhere state INVALID

RETURN all -- anywhere anywhere state RELATED,ESTABLISHED

RETURN udp -- 10.10.10.3 anywhere udp spt:bootps dpt:bootpc

RETURN tcp -- 10.0.0.0/24 anywhere tcp multiport dports tcpmux:65535

neutron-openvswi-sg-fallback all -- anywhere anywhere

[root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-o607c43ff-1

Chain neutron-openvswi-o607c43ff-1 (2 references)

target prot opt source destination

RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps

neutron-openvswi-s607c43ff-1 all -- anywhere anywhere

DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc

DROP all -- anywhere anywhere state INVALID

RETURN all -- anywhere anywhere state RELATED,ESTABLISHED

RETURN tcp -- anywhere 10.0.0.0/24 tcp multiport dports tcpmux:65535

neutron-openvswi-sg-fallback all -- anywhere anywhere

[root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-s607c43ff-1

Chain neutron-openvswi-s607c43ff-1 (1 references)

target prot opt source destination

RETURN all -- 10.10.10.7 anywhere MAC FA:16:3E:B9:47:3B

DROP all -- anywhere anywhere

rules not working properly on security groups

I did not add an ICMP rule to the security group, but I am still able to ping the VM.

[root@n42-poweredge-3 ~]# iptables -S | grep tap607c43ff-13

-A neutron-openvswi-FORWARD -m physdev --physdev-out tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-sg-chain

-A neutron-openvswi-FORWARD -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-sg-chain

-A neutron-openvswi-INPUT -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-o607c43ff-1

-A neutron-openvswi-sg-chain -m physdev --physdev-out tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-i607c43ff-1

-A neutron-openvswi-sg-chain -m physdev --physdev-in tap607c43ff-13 --physdev-is-bridged -j neutron-openvswi-o607c43ff-1

[root@n42-poweredge-3 ~]# iptables -s neutron-openvswi-i607c43ff-1

iptables v1.4.21: no command specified

Try `iptables -h' or 'iptables --help' for more information.

[root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-i607c43ff-1

Chain neutron-openvswi-i607c43ff-1 (1 references)

target prot opt source destination

DROP all -- anywhere anywhere state INVALID

RETURN all -- anywhere anywhere state RELATED,ESTABLISHED

RETURN udp -- 10.10.10.3 anywhere udp spt:bootps dpt:bootpc

RETURN tcp -- 10.0.0.0/24 anywhere tcp multiport dports tcpmux:65535

neutron-openvswi-sg-fallback all -- anywhere anywhere

[root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-o607c43ff-1

Chain neutron-openvswi-o607c43ff-1 (2 references)

target prot opt source destination

RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps

neutron-openvswi-s607c43ff-1 all -- anywhere anywhere

DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc

DROP all -- anywhere anywhere state INVALID

RETURN all -- anywhere anywhere state RELATED,ESTABLISHED

RETURN tcp -- anywhere 10.0.0.0/24 tcp multiport dports tcpmux:65535

neutron-openvswi-sg-fallback all -- anywhere anywhere

[root@n42-poweredge-3 ~]# iptables -L neutron-openvswi-s607c43ff-1

Chain neutron-openvswi-s607c43ff-1 (1 references)

target prot opt source destination

RETURN all -- 10.10.10.7 anywhere MAC FA:16:3E:B9:47:3B

DROP all -- anywhere anywhere