[Openstack-operators] Floating ips vs security groups issue

Linux Datacenter linuxdatacenter at gmail.com
Thu Mar 8 10:11:06 UTC 2012


I've run into a funny issue today.

2 different vm-s from the same project landed on the same physical

Security groups for the project filter traffic based on floating ips
assigned to vm-s. It looks like this:

| IP Protocol | From Port | To Port |    IP Range    | Source Group |
|tcp         | 6379      | 6379    | <floating_ip_addr>/32

However - this rule does not work if the server (which listens on port 6379
in this case) and client (the one that owns floating_ip_addr) are located
on the same physical server (hypervisor).
This is because in the PREROUTING chain there are DNAT rules which
substitude floating_ip_addr of the server with its fixed_ip_addr.

1. The traffic from client never goes beyond br100 and never hits the
POSTROUTING chain where SNAT is done.
2. For the server, the client traffic appears as it is coming straight from
its fixed_ip.
3. The firewall rules for the server only let floating_ip_addr in, which
results in packet drops.

You still can work it around by filtering traffic based on fixed_ips, but I
think one needs to assume, that most of the clients will want to operate on
floating ips when it comes to security groups. It also causes a security
risk as fixed ips may be recycled and reused by other projects.

Anyone came across that? How did you work it around?


checkout my blog on linux clusters:
-- linuxdatacenter.blogspot.com --
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20120308/0076f0e0/attachment-0002.html>

More information about the Openstack-operators mailing list