<div dir="ltr"><div>Do you have: <br><br> firewall_driver=nova.virt.firewall.IptablesFirewallDriver<br><br></div>in your nova.conf? In folsom, quantum leveraged nova security groups implementation directly so you need that. (looks like you have that set though by your output). <br>
<br>Aaron<br><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jun 16, 2013 at 7:38 PM, Chandler Li <span dir="ltr"><<a href="mailto:lichandler116@gmail.com" target="_blank">lichandler116@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi,</div><div>I checked the compute node's iptables rules and found out the nova-compute-inst-xxx have no traffic flow.</div>
<div>The traffic flow stopped at nova-filter-top chain rule, so security group is not working.<br>
</div><div>Any idea how to resolve this problem?</div><div><br></div><div>Thanks,</div><div>Chandler</div><div><br></div><div>[root@compute1 ~]# iptables -L -v -n</div><div>Chain INPUT (policy ACCEPT 714 packets, 335K bytes)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 369 117K nova-compute-INPUT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div> 0 0 ACCEPT udp -- virbr0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:53</div><div> 0 0 ACCEPT tcp -- virbr0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:53</div>
<div> 0 0 ACCEPT udp -- virbr0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:67</div><div> 0 0 ACCEPT tcp -- virbr0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:67</div>
<div> 0 0 ACCEPT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:5900</div><div><br></div>
<div>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 nova-filter-top all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div> 0 0 nova-compute-FORWARD all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> 0 0 ACCEPT all -- * virbr0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> state RELATED,ESTABLISHED</div>
<div> 0 0 ACCEPT all -- virbr0 * <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> 0 0 ACCEPT all -- virbr0 virbr0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div> 0 0 REJECT all -- * virbr0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> reject-with icmp-port-unreachable</div>
<div> 0 0 REJECT all -- virbr0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> reject-with icmp-port-unreachable</div>
<div><br></div><div>Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)</div><div> pkts bytes target prot opt in out source destination</div><div> 437 233K nova-filter-top all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div> 396 216K nova-compute-OUTPUT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div><br></div><div>Chain nova-compute-FORWARD (1 references)</div>
<div> pkts bytes target prot opt in out source destination</div><div><br></div><div>Chain nova-compute-INPUT (1 references)</div><div> pkts bytes target prot opt in out source destination</div>
<div><br></div><div>Chain nova-compute-OUTPUT (1 references)</div><div> pkts bytes target prot opt in out source destination</div><div><br></div><div>Chain nova-compute-inst-767 (1 references)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 DROP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state INVALID</div>
<div> 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state RELATED,ESTABLISHED</div><div>
0 0 nova-compute-provider all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div> 0 0 ACCEPT udp -- * * 30.0.0.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:67 dpt:68</div><div> 0 0 ACCEPT all -- * * <a href="http://30.0.0.0/24" target="_blank">30.0.0.0/24</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div> 0 0 ACCEPT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:22</div><div> 0 0 ACCEPT icmp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div> 0 0 nova-compute-sg-fallback all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div><br></div><div>Chain nova-compute-local (1 references)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 nova-compute-inst-767 all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 30.0.0.5</div>
<div>
<br></div><div>Chain nova-compute-provider (1 references)</div><div> pkts bytes target prot opt in out source destination</div><div><br></div><div>Chain nova-compute-sg-fallback (1 references)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 DROP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div><br></div><div>Chain nova-filter-top (2 references)</div><div> pkts bytes target prot opt in out source destination</div><div> 396 216K nova-compute-local all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div><div class="h5">
<div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/6/14 Chandler Li <span dir="ltr"><<a href="mailto:lichandler116@gmail.com" target="_blank">lichandler116@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:14px">Hello,</span><br><div><span style="font-family:arial,sans-serif;font-size:14px"><br></span></div><div>I'm trying to use security group of Quantum ovs plugin(Folsom) in CentOS 6.3 (2012.2.3-1.el6@epel).</div>
<div><br></div><div>Everything looks good, except security group,</div><div><br></div><div>and there are no error message in /var/log/nova/compute.log file.</div><div><br></div><div>After I created VM, I can see the bridges and interfaces have been created normally. </div>
<div><div><br></div><div> [root@compute1 ~]# brctl show</div><div> bridge name bridge id STP enabled interfaces</div><div> br-int 0000.3eca2e714b4d no qvo756ead5d-32</div>
<div> br-tun 0000.824651aab541 no</div><div> qbr756ead5d-32 0000.ca57ea41484c no qvb756ead5d-32</div><div> vnet0</div>
<div><br></div><div>The chain rules in filter table of iptables can reflect security group rules correctly too.</div><div><br></div><div><div> Chain nova-compute-inst-749 (1 references)</div><div> num target prot opt source destination</div>
<div> 1 DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state INVALID</div><div> 2 ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state RELATED,ESTABLISHED</div>
<div> 3 nova-compute-provider all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> 4 ACCEPT udp -- 10.0.0.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:67 dpt:68</div>
<div> 5 ACCEPT all -- <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> 6 nova-compute-sg-fallback all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
</div><div><br></div><div>Obviously, the packets do not follow these rules correctly. </div><div><br></div><div>Please advise me how to resolve this problem.</div><div><br></div><div>Thanks a lot,</div><div>
Chandler</div></div></div>
</blockquote></div><br></div></div></div></div>
<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div>