<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=FR link="#0563C1" vlink="#954F72"><div class=WordSection1>
<p class=MsoPlainText><span lang=EN-US>Thank you very much, Slawek.</span></p>
<p class=MsoPlainText><span lang=EN-US>In case I have multiple configuration files, how do I know which one is currently loaded in neutron?</span></p>
<p class=MsoPlainText><span lang=EN-US>For example, in my environment I have:</span></p>
<ul style='margin-top:0cm' type=disc>
<li class=MsoPlainText style='mso-list:l0 level1 lfo1'><span style='font-size:9.0pt;font-family:"Lucida Console"'>ml2_conf.ini</span></li>
<li class=MsoPlainText style='mso-list:l0 level1 lfo1'><span style='font-size:9.0pt;font-family:"Lucida Console"'>ml2_conf_odl.ini</span></li>
<li class=MsoPlainText style='mso-list:l0 level1 lfo1'><span style='font-size:9.0pt;font-family:"Lucida Console"'>ml2_conf_sriov.ini</span></li>
<li class=MsoPlainText style='mso-list:l0 level1 lfo1'><span style='font-size:9.0pt;font-family:"Lucida Console"'>openvswitch_agent.ini</span></li>
<li class=MsoPlainText style='mso-list:l0 level1 lfo1'><span style='font-size:9.0pt;font-family:"Lucida Console"'>sriov_agent.ini</span></li>
</ul>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'>[root@overcloud-controller-0 cbis-admin]# cd /etc/neutron/plugins/ml2/</span></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'>[root@overcloud-controller-0 ml2]# ls</span></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'>ml2_conf.ini ml2_conf_odl.ini ml2_conf_sriov.ini openvswitch_agent.ini sriov_agent.ini</span></p>
<p class=MsoPlainText><span lang=EN-US>Which one of these is used?</span></p>
<p class=MsoPlainText><span lang=EN-US>Cheers,</span></p>
<p class=MsoPlainText><span lang=EN-US>Ahmed</span></p>
<p class=MsoPlainText><span lang=EN-US style='mso-fareast-language:FR'>-----Original Message-----<br>From: Slawek Kaplonski &lt;skaplons@redhat.com&gt;<br>Sent: Friday, December 27, 2019 10:28 AM<br>To: ahmed.zaky.abdallah@gmail.com<br>Cc: openstack-discuss@lists.openstack.org<br>Subject: Re: About the use of security groups with neutron ports</span></p>
<p class=MsoPlainText><span lang=EN-US>Hi,</span></p>
<p class=MsoPlainText><span lang=EN-US>> On 27 Dec 2019, at 00:14, </span><a href="mailto:ahmed.zaky.abdallah@gmail.com"><span lang=EN-US style='color:windowtext;text-decoration:none'>ahmed.zaky.abdallah@gmail.com</span></a><span lang=EN-US> wrote:</span></p>
<p class=MsoPlainText><span lang=EN-US>> Hi All,</span></p>
<p class=MsoPlainText><span lang=EN-US>> I am trying to wrap my head around something I came across in one of the OpenStack deployments. I am running Telco VNFs; one of them has different VMs using SR-IOV interfaces.</span></p>
<p class=MsoPlainText><span lang=EN-US>> On one of my VNFs on OpenStack, I defined a wrong IPv6 Gm bearer interface to be exactly the same as the IPv6 gateway. As I hate re-onboarding, I decided to embark on a journey of changing the IPv6 of the Gm bearer interface manually on the application side, and everything went fine.</span></p>
<p class=MsoPlainText><span lang=EN-US>> After two weeks, my customer started complaining about one-way RTP flow. The customer was reluctant to blame the operation I carried out because everything worked smoothly after my modification.</span></p>
<p class=MsoPlainText><span lang=EN-US>> After days of investigation, I remembered that I have port-security enabled and this means AAP “Allowed-Address-Pairs” are defined per vPort (AAP contain the floating IP address of the VM so that security allows traffic to and from this VIP). I gave it a try and edited AAP “Allowed-Address-Pairs” to include the correct new IPv6 address. Once I did that, everything started working fine.</span></p>
<p class=MsoPlainText><span lang=EN-US>> The only logical explanation at that time was that security group rules are really invoked.</span></p>
<p class=MsoPlainText><span lang=EN-US>> Now, I am trying to understand how the iptables are really invoked. I did some digging and it seems like we can control the firewall drivers on two levels:</span></p>
<p class=MsoPlainText><span lang=EN-US>> • Nova compute</span></p>
<p class=MsoPlainText><span lang=EN-US>> • ML2 plugin</span></p>
<p class=MsoPlainText><span lang=EN-US>> I was curious to check nova.conf and it already has the following line: firewall_driver=nova.virt.firewall.NoopFirewallDriver</span></p>
<p class=MsoPlainText><span lang=EN-US>> However, checking the ml2 plugin configuration, the following is found:</span></p>
<p class=MsoPlainText><span lang=EN-US>> [securitygroup]</span></p>
<p class=MsoPlainText><span lang=EN-US>> </span></p>
<p class=MsoPlainText><span lang=EN-US>> #</span></p>
<p class=MsoPlainText><span lang=EN-US>> # From neutron.ml2</span></p>
<p class=MsoPlainText><span lang=EN-US>> #</span></p>
<p class=MsoPlainText><span lang=EN-US>> </span></p>
<p class=MsoPlainText><span lang=EN-US>> # Driver for security groups firewall in the L2 agent (string value)</span></p>
<p class=MsoPlainText><span lang=EN-US>> #firewall_driver = &lt;None&gt;</span></p>
<p class=MsoPlainText><span lang=EN-US>> firewall_driver = openvswitch</span></p>
<p class=MsoPlainText><span lang=EN-US>> So I am jumping to the conclusion that the ml2 plugin is the one responsible for enforcing the firewall rules in my case.</span></p>
<p class=MsoPlainText><span lang=EN-US>> Have you had a similar experience?</span></p>
<p class=MsoPlainText><span lang=EN-US>> Is my assumption correct: if I comment out the ml2 plugin firewall driver, then port security makes no sense at all and security groups won’t be invoked?</span></p>
<p class=MsoPlainText><span lang=EN-US>The firewall_driver config option has to be set to some value. You can set “noop” as firewall_driver to completely disable this feature for all ports.</span></p>
<p class=MsoPlainText><span lang=EN-US>But please remember that you need to set it on the agent’s side, so on the compute nodes, not on the neutron-server side.</span></p>
<p class=MsoPlainText><span lang=EN-US>Also, if you want to disable it only for some ports, you can set “port_security_enabled” to False, and then SG will not be applied for such a port and you will not need to configure any additional IPs in allowed address pairs for this port.</span></p>
<p class=MsoPlainText><span lang=EN-US>> Cheers,</span></p>
<p class=MsoPlainText><span lang=EN-US>> Ahmed</span></p>
<p class=MsoPlainText><span lang=EN-US>— </span></p>
<p class=MsoPlainText><span lang=EN-US>Slawek Kaplonski</span></p>
<p class=MsoPlainText><span lang=EN-US>Senior software engineer</span></p>
<p class=MsoPlainText>Red Hat</p>
</div></body></html>