[Openstack-operators] Help on Iptables in Openstack

Jesse Pretorius jesse.pretorius at gmail.com
Tue Apr 1 07:14:41 UTC 2014


On 1 April 2014 08:04, shiva m <anjaneya2 at gmail.com> wrote:

> Thank you for response. I tried adding security-groups from dashboard, but
> it doesn't help. I was trying to spoof a VM instance with spoof source MAC
> and spoof source IP, but the packet is not reaching br-int. If I give
> proper source MAC and proper source IP, the packet reaches br-int and
> things work normal. I observed Openstack stops spoof packets which are
> not originating from VM instance before reaching br-int (at tap interface).
>

In this case applying security groups won't help at all. Both MAC and IP
Spoofing protection is enabled on the hypervisor level by libvirt as part
of the instance instantiation. More details here:
http://libvirt.org/firewall.html


> I need help to send a spoof packet from VM. Is there any way to disable
> iptables rules?
>

There is, but it's global for that compute host - the templates that apply
the network filters to protect against spoofing need to be removed.


> Also adding security group rules using command line and using dash-board
> are they same?
>

Yes - almost. I don't know if Horizon's interface to security groups is
still going through the nova api in Icehouse. If it is, the application of
the rules is only ingress whereas through the neutron CLI you're able to
define ingress and egress rules. On the CLI you're also able to be more
granular in the application of your rules/groups.

From a use-case standpoint it may be interesting to understand why you need
to allow spoofing - if you don't mind, can you describe the purpose? We may
be able to help you find an alternative method.
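The reply above points out that the anti-spoofing protection lives in libvirt's nwfilter templates attached to each instance interface, not in the security groups, and that removing those templates is a host-wide change. An operator auditing a compute host therefore wants to know, per interface, whether the attached filter still reaches libvirt's no-mac-spoofing and no-ip-spoofing filters. The script below is an added example and not code from the thread or from OpenStack: it parses domain XML (as returned by `virsh dumpxml`) together with nwfilter definitions (as returned by `virsh nwfilter-dumpxml`) and reports which required filters each interface lacks. The XML, the MAC addresses and the filter names `nova-instance-demo-fa163e000001`, `nova-base` and `mac-only` are constructed for illustration; only `no-mac-spoofing`, `no-ip-spoofing`, `no-arp-spoofing` and `allow-dhcp-server` are real libvirt built-in filter names.

```python
"""Audit libvirt domain XML for anti-spoofing nwfilter coverage.

Added example, not code from the mailing-list thread or from OpenStack.
It checks that every <interface> in a domain definition carries a
<filterref> whose filter transitively references libvirt's built-in
no-mac-spoofing and no-ip-spoofing filters. All XML below is constructed;
the filter names 'nova-instance-demo-fa163e000001', 'nova-base' and
'mac-only' are assumed for illustration.
"""
import xml.etree.ElementTree as ET

# Libvirt built-in filters every guest interface should end up referencing.
REQUIRED = {"no-mac-spoofing", "no-ip-spoofing"}

# Constructed nwfilter definitions keyed by filter name (the shape that
# `virsh nwfilter-dumpxml <name>` returns). Built-in filters are not listed
# because they have no nested <filterref> of interest here.
FILTERS_XML = {
    "nova-base": """
<filter name='nova-base' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>""",
    "nova-instance-demo-fa163e000001": """
<filter name='nova-instance-demo-fa163e000001' chain='root'>
  <filterref filter='nova-base'/>
</filter>""",
    # A weakened filter that only blocks MAC spoofing (constructed).
    "mac-only": """
<filter name='mac-only' chain='root'>
  <filterref filter='no-mac-spoofing'/>
</filter>""",
}

# Constructed domain XML with three interfaces: fully protected, partially
# protected, and one with no filter attached at all.
DOMAIN_XML = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:01'/>
      <source bridge='qbrdeadbeef'/>
      <target dev='tapdeadbeef'/>
      <filterref filter='nova-instance-demo-fa163e000001'>
        <parameter name='IP' value='10.0.0.5'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:02'/>
      <source bridge='qbrcafebabe'/>
      <filterref filter='mac-only'/>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:03'/>
      <source bridge='qbr00000003'/>
    </interface>
  </devices>
</domain>
"""


def expand_filter(name, filters, seen=None):
    """Return the set of filter names reachable from `name` through nested
    <filterref> elements, including `name` itself. A name with no definition
    in `filters` is treated as a leaf (a libvirt built-in)."""
    seen = set() if seen is None else seen
    if name in seen:  # guards against reference cycles
        return seen
    seen.add(name)
    xml = filters.get(name)
    if xml is None:
        return seen
    root = ET.fromstring(xml.strip())
    for ref in root.iter("filterref"):
        expand_filter(ref.get("filter"), filters, seen)
    return seen


def audit_domain(domain_xml, filters, required=REQUIRED):
    """Map each interface MAC address to the set of required filters it
    does not reach. An interface without any <filterref> lacks all of them."""
    findings = {}
    root = ET.fromstring(domain_xml.strip())
    for iface in root.iter("interface"):
        mac = iface.find("mac").get("address")
        ref = iface.find("filterref")  # direct child only
        if ref is None:
            findings[mac] = set(required)
            continue
        reached = expand_filter(ref.get("filter"), filters)
        findings[mac] = set(required) - reached
    return findings


if __name__ == "__main__":
    for mac, missing in sorted(audit_domain(DOMAIN_XML, FILTERS_XML).items()):
        status = "ok" if not missing else "MISSING " + ", ".join(sorted(missing))
        print(f"{mac}: {status}")
```

On a real host the two inputs would come from `virsh dumpxml <domain>` and `virsh nwfilter-dumpxml <filter>` for every filter name the walk encounters; the walk follows nested references so a host-wide template change (the "remove the templates" case above) shows up as a missing entry for every interface on the host, while a single interface defined without a filter shows up on its own.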