[openstack-dev] [neutron] Missing openvswitch filter rules

Jeff Feng jianhua at us.ibm.com
Sat Jun 13 14:38:49 UTC 2015


I'm using OVSHybridIptablesFirewallDriver in ovs_neutron_plugin.ini

[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True

But I cannot see any related rules added in iptables after restarting
neutron-openvswitch-agent.

Has anyone seen the same issue before? This is in the Juno release.
Any idea which configuration could be wrong/missed?


# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-openvswi-INPUT all -- anywhere anywhere
FWR all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-FORWARD all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-OUTPUT all -- anywhere anywhere

Chain FWR (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere multiport dports 52311
ACCEPT udp -- anywhere anywhere multiport dports 52311
ACCEPT udp -- anywhere anywhere multiport dports 55400:55415
ACCEPT udp -- anywhere anywhere multiport sports 55400:55415
REJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable

Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-openvswi-local all -- anywhere anywhere

Chain neutron-openvswi-FORWARD (1 references)
target prot opt source destination

Chain neutron-openvswi-INPUT (1 references)
target prot opt source destination

Chain neutron-openvswi-OUTPUT (1 references)
target prot opt source destination

Chain neutron-openvswi-local (1 references)
target prot opt source destination

Chain neutron-openvswi-sg-chain (0 references)
target prot opt source destination

Chain neutron-openvswi-sg-fallback (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Thanks
Jeff Feng

