<div dir="ltr">Hi!<div><br></div><div>I'm facing the same problem, Security Groups are there, at the OVS ports (iptables rules) but, no effect.</div><div><br></div><div>Ubuntu 12.04.3 + Havana from Cloud Archive - Topology "Per-Tenant Router with Private Networks".</div>
<div><br></div><div>Reference: <a href="https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/OVS_MultiNode/OpenStack_Grizzly_Install_Guide.rst">https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/OVS_MultiNode/OpenStack_Grizzly_Install_Guide.rst</a></div>
<div><br></div><div>Best,</div><div>Thiago</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 5 November 2013 11:57, Simon Pasquier <span dir="ltr"><<a href="mailto:simon.pasquier@bull.net" target="_blank">simon.pasquier@bull.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I'm struggling with security groups on Havana with Neutron and OVS plugin (GRE tunnels). No problem to create/delete security group rules but even though iptables configuration is updated, traffic to my instances is never filtered [0].<br>
<br>
I'm running DevStack on 2 nodes (1 controller + 1 compute):<br>
- OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.<br>
- Open vSwitch package version: 1.10.2-0ubuntu2~cloud0<br>
- libvirt package version: 1.1.1-0ubuntu8~cloud2<br>
- localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files pasted at [1] (I didn't modify any of these files after the DevStack run)<br>
<br>
According to [2], [3] and [4], iptables is not compatible with TAP devices connectd directly to Open vSwitch ports, this is why there used to be the additional veth + bridge interfaces [5]. But in my setup, this is not the case anymore as shown in [6] ('ovs-vsctl show' + 'iptables-save' ouptut). I've also pasted the libvirt XML configuration [7] that shows that the instance is directly connected to the Open vSwitch.<br>
<br>
Are the security groups supposed to work when the instance is directly connected to OVS? If yes, what am I doing wrong?<br>
<br>
Regards,<br>
<br>
[0] <a href="http://paste.openstack.org/show/50490/" target="_blank">http://paste.openstack.org/<u></u>show/50490/</a><br>
[1] <a href="http://paste.openstack.org/show/50448/" target="_blank">http://paste.openstack.org/<u></u>show/50448/</a><br>
[2] <a href="http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html" target="_blank">http://www.spinics.net/linux/<u></u>fedora/libvirt-users/msg05384.<u></u>html</a><br>
[3] <a href="http://openvswitch.org/pipermail/discuss/2013-October/011461.html" target="_blank">http://openvswitch.org/<u></u>pipermail/discuss/2013-<u></u>October/011461.html</a><br>
[4] <a href="http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html" target="_blank">http://docs.openstack.org/<u></u>havana/config-reference/<u></u>content/under_the_hood_<u></u>openvswitch.html</a><br>
[5] <a href="http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png" target="_blank">http://docs.openstack.org/<u></u>havana/config-reference/<u></u>content/figures/7/a/a/common/<u></u>figures/under-the-hood-<u></u>scenario-2-ovs-compute.png</a><br>
[6] <a href="http://paste.openstack.org/show/50486/" target="_blank">http://paste.openstack.org/<u></u>show/50486/</a><br>
[7] <a href="http://paste.openstack.org/show/50487/" target="_blank">http://paste.openstack.org/<u></u>show/50487/</a><span class="HOEnZb"><font color="#888888"><br>
-- <br>
Simon Pasquier<br>
Software Engineer<br>
Bull, Architect of an Open World<br>
Phone: <a href="tel:%2B%2033%204%2076%2029%2071%2049" value="+33476297149" target="_blank">+ 33 4 76 29 71 49</a><br>
<a href="http://www.bull.com" target="_blank">http://www.bull.com</a><br>
<br>
______________________________<u></u>_________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack</a><br>
</font></span></blockquote></div><br></div>