[Openstack-operators] Security group rules not working on instances kilo

raju raju.roks at gmail.com
Fri Apr 22 01:08:01 UTC 2016


Thanks Kris, the issue was resolved after adding the lines below to sysctl.conf:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1


I appreciate your help, thanks a lot again.




On Thu, Apr 21, 2016 at 8:25 PM, Kris G. Lindgren <klindgren at godaddy.com>
wrote:

> Make sure that the bridges are being created (1 bridge per VM); they should
> be named close to the VM tap device name.  Then make sure that you have the
> bridge nf-call-* files enabled:
>
> http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf
>
> Under hybrid mode, what happens is that a Linux bridge (not an OVS bridge;
> a brctl one) is created per VM.  The VM's tap device is plugged into this
> bridge.  A veth is created that spans from the VM's Linux bridge to br-int
> and is plugged in at both ends.  This is done because older versions of OVS
> did not have support (or efficient support) for doing firewalling.  The
> problem is that in the kernel, packets traversing the Open vSwitch code
> paths cannot be hooked by netfilter.  So the Linux bridge is created
> solely to allow the VM traffic to pass through a netfilter-hookable
> location, so that security groups work.
>
> You need at a minimum to make sure
> /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1.  If it's not, then
> when you look at the iptables rules that are created – you will see that
> none of the security group chains are seeing traffic.
> ___________________________________________________________________
> Kris Lindgren
> Senior Linux Systems Engineer
> GoDaddy
>
> From: raju <raju.roks at gmail.com>
> Date: Thursday, April 21, 2016 at 5:26 PM
> To: "openstack-operators at lists.openstack.org" <
> openstack-operators at lists.openstack.org>
> Subject: [Openstack-operators] Security group rules not working on
> instances kilo
>
> Hi,
>
> I am running into an issue where security group rules are not being applied
> to instances.  When I create a new security group with the default rules it
> should reject all incoming traffic, but it is allowing everything without blocking.
>
> Here is my config for nova:
>
> security_group_api = neutron
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>
> and in ml2_conf.ini:
>
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> The iptables service is running on all the nodes; please suggest if I am
> missing anything.
>
>
> Thanks.
>
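The two checks Kris describes (are the bridge-nf-call-* knobs on, and are the security-group chains actually counting packets) can be scripted. The script below is an added example for this thread, not something posted in it and not part of OpenStack; the iptables listing, the tap device name and the port id in it are constructed sample data. It assumes the chain prefix `neutron-openvswi-`, which is what the neutron-openvswitch-agent's iptables wrapper uses for its chains. One caveat worth knowing beyond what the thread says: on kernels from 3.18 on, the bridge netfilter hooks live in the separate `br_netfilter` module, so `/proc/sys/net/bridge/` does not exist until that module is loaded, and the `sysctl.conf` entries above fail silently at boot unless the module is loaded first (for example from `/etc/modules-load.d/`); the check reports that case as `missing`.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread: security-group chains
# exist but count no packets because bridged traffic never reaches
# netfilter. Not from the thread or from OpenStack; the iptables listing
# below is constructed sample data, not captured from a real node.

# Report every net.bridge.bridge-nf-call-* knob that is not 1. The
# directory argument exists only so the check can run against a fake
# tree; on a compute node the default /proc/sys/net/bridge is right.
# Returns non-zero if anything needs fixing.
check_bridge_nf() {
  dir="${1:-/proc/sys/net/bridge}"
  rc=0
  for key in bridge-nf-call-iptables bridge-nf-call-arptables bridge-nf-call-ip6tables; do
    if [ -r "$dir/$key" ]; then
      val=$(cat "$dir/$key")
    else
      # No file at all: the br_netfilter module is not loaded, so the
      # sysctl.conf entries have nothing to apply to (kernel >= 3.18).
      val=missing
    fi
    if [ "$val" != 1 ]; then
      echo "net.bridge.$key = $val (want 1)"
      rc=1
    fi
  done
  return $rc
}

# Read `iptables -nvL` output on stdin and print each chain whose name
# starts with $1 and whose rules have matched zero packets in total.
# With bridge-nf-call-iptables=0 every neutron-openvswi-* chain shows up.
zero_traffic_chains() {
  prefix="${1:-neutron-openvswi-}"
  awk -v p="$prefix" '
    # iptables abbreviates counters (12K, 3M) unless -x is given.
    function tonum(s,  n, u) {
      n = s + 0; u = substr(s, length(s))
      if (u == "K") n *= 1000; else if (u == "M") n *= 1000000; else if (u == "G") n *= 1000000000
      return n
    }
    function flush() { if (inchain && pkts == 0) print chain; inchain = 0 }
    /^Chain / { flush(); chain = $2; inchain = (index(chain, p) == 1); pkts = 0; next }
    inchain && $1 ~ /^[0-9]+[KMG]?$/ { pkts += tonum($1) }
    END { flush() }
  '
}

# Constructed listing (tap name and port id are made up): INPUT and
# FORWARD see packets, but nothing reaches the neutron chains behind the
# --physdev matches, which is the state Kris describes.
sample_listing() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4812  612K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  917   88K neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap0d3a4b5c-6d --physdev-is-bridged
    0     0 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap0d3a4b5c-6d --physdev-is-bridged

Chain neutron-openvswi-sg-chain (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-openvswi-i0d3a4b5c-6  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap0d3a4b5c-6d --physdev-is-bridged
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Stand-alone run: check the live sysctls, then the sample counters.
# On a real compute node replace `sample_listing` with `iptables -nvL`.
if [ "${1:-}" = "--demo" ]; then
  check_bridge_nf || echo "fix the knobs above in /etc/sysctl.conf and run sysctl -p"
  sample_listing | zero_traffic_chains neutron-openvswi-
fi
```

Run it as `sh check-sg-path.sh --demo`; on a node with the knobs off it prints the offending sysctl lines, and piping a real `iptables -nvL` into `zero_traffic_chains` names every neutron chain that has never seen a packet. After `sysctl -p` the per-port `neutron-openvswi-i...`/`-o...` chains should start counting as soon as the instance sends or receives traffic; if the counters stay at zero, go back to Kris's first step and confirm the per-VM Linux bridge exists and has both the tap and the veth end plugged in (`brctl show`).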