[openstack-dev] [nova] Incompatibility between Floating Ips and Security Group Rules
vishvananda at gmail.com
Fri Sep 14 05:41:29 UTC 2012
I wanted to let everyone know about an issue that I have been investigating (with a lot of help from Evan Callicoat) that leads to a problem with floating ips and security group rules. The issue is summed up in a bug reported by zynzel. The quick summary is that if you attempt to allow traffic from a floating ip it does not work if the vm associated with the floating ip is on the same host. I have analyzed this in detail to come up with a decent workaround and I haven't had any luck.
The problem is that the SNAT rule to make the traffic look like it is coming from the floating ip happens in POSTROUTING, which is after the filter rules for the security group are checked. The upshot is that when the filter rules are checked, the traffic still looks like it is coming from the fixed ip, so it doesn't match the security group rule and gets blocked.
Unless someone has a genius idea for a workaround, I'm going to include in the Folsom release notes a warning not to use floating ip addresses in cidrs for security group rules, and to use the fixed ip address instead.
Note that this means that operators have to be careful to make sure that traffic that is going to other vms does not get snatted. Traffic from vm -> vm across the fixed network should be fine, as snat rules are skipped in this case, but traffic going to the floating range may still get snatted. The way to ensure traffic doesn't get snatted to the floating range is to explicitly set a
where x.x.x.x/y is the range of floating ips for each pool of floating ips you define. Note that this configuration is also necessary to make source_groups work if the vms in the source group have floating ips.
I'm open to further investigation and suggestions for working around this. There are ways to fix security groups to track floating ips properly, but it will require some very complicated tracking and updating of security groups. It definitely is something I don't want to try to get in for Folsom.
Thanks for any help,
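To make the chain-ordering point above concrete, here is a small model of the netfilter traversal order (nat PREROUTING, then filter FORWARD, then nat POSTROUTING) as it applies to the cases in the post. This is an added example, not nova code and not part of the original message: the fixed range, floating pool, vm addresses and host layouts are constructed sample values, the security group check is modelled as running on the host of the destination vm, and the `no_snat_cidrs` parameter is a stand-in for the floating-range exclusion the post describes (the actual option name is not on this page).

```python
"""
Toy model of netfilter chain order for the floating-ip / security-group case
discussed above.  Added example, not nova code and not part of the original
post.  Order per host: nat PREROUTING (DNAT floating->fixed) -> filter FORWARD
(security group rules, applied on the host of the destination vm) -> nat
POSTROUTING (SNAT fixed->floating).  All addresses and host layouts below are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


FIXED_NET = ipaddress.ip_network("10.0.0.0/24")      # constructed fixed range
FLOATING_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed floating pool

# Constructed associations: vm A = 10.0.0.5, vm B = 10.0.0.6.
FLOATING_OF = {"10.0.0.5": "192.0.2.5", "10.0.0.6": "192.0.2.6"}
FIXED_OF = {flt: fxd for fxd, flt in FLOATING_OF.items()}


def in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def nat_prerouting(pkt, local_fixed_ips):
    """DNAT: a floating ip whose vm lives on this host becomes its fixed ip."""
    fixed = FIXED_OF.get(pkt.dst)
    return replace(pkt, dst=fixed) if fixed in local_fixed_ips else pkt


def filter_forward(pkt, allowed_src_cidrs):
    """Security group check.  Runs before POSTROUTING, so it sees the source
    address as it is *now*: still the fixed ip if SNAT has not happened yet."""
    return in_any(pkt.src, allowed_src_cidrs)


def nat_postrouting(pkt, no_snat_cidrs=()):
    """SNAT fixed->floating for traffic leaving the host.  Skipped when the
    destination is in the fixed range, or in a range the operator explicitly
    excluded (no_snat_cidrs is a stand-in for the configuration option the
    post refers to; its name is not on this page)."""
    if in_any(pkt.dst, [str(FIXED_NET), *no_snat_cidrs]):
        return pkt
    floating = FLOATING_OF.get(pkt.src)
    return replace(pkt, src=floating) if floating else pkt


def host_forward(pkt, local_fixed_ips, sg_allowed_src_cidrs, no_snat_cidrs=()):
    """One host's pass through the chains.  Returns (not_dropped, packet)."""
    pkt = nat_prerouting(pkt, local_fixed_ips)
    if pkt.dst in local_fixed_ips:
        # Destination vm is on this host: its security group rules apply here,
        # and SNAT is never reached because the destination is a fixed ip.
        return filter_forward(pkt, sg_allowed_src_cidrs), pkt
    return True, nat_postrouting(pkt, no_snat_cidrs)


def send(src_fixed, dst_floating, src_host_vms, dst_host_vms,
         sg_allowed_src_cidrs, no_snat_cidrs=()):
    """vm src_fixed sends to dst_floating.  Traverses the source host's chains,
    then the destination host's if the two vms are on different hosts.
    Returns (delivered, packet_as_the_destination_sees_it)."""
    pkt = Packet(src_fixed, dst_floating)
    ok, pkt = host_forward(pkt, src_host_vms, sg_allowed_src_cidrs, no_snat_cidrs)
    if not ok or pkt.dst in src_host_vms:
        return ok, pkt                      # dropped, or same-host delivery
    return host_forward(pkt, dst_host_vms, sg_allowed_src_cidrs, no_snat_cidrs)


if __name__ == "__main__":
    same = {"10.0.0.5", "10.0.0.6"}
    host_a, host_b = {"10.0.0.5"}, {"10.0.0.6"}
    cases = [
        ("same host, rule on floating ip", same, same, ["192.0.2.5/32"], ()),
        ("same host, rule on fixed ip", same, same, ["10.0.0.5/32"], ()),
        ("two hosts, rule on fixed ip, snat to floating range", host_a, host_b, ["10.0.0.5/32"], ()),
        ("two hosts, rule on fixed ip, floating range excluded", host_a, host_b, ["10.0.0.5/32"], [str(FLOATING_NET)]),
    ]
    for name, src_host, dst_host, allowed, excluded in cases:
        ok, pkt = send("10.0.0.5", "192.0.2.6", src_host, dst_host, allowed, excluded)
        print(f"{name}: {'delivered' if ok else 'DROPPED'} (destination saw src {pkt.src})")
```

Running the four cases reproduces the post's observations: on one host the rule on the floating ip fails because FORWARD sees the fixed source address before SNAT, the rule on the fixed ip works, and across two hosts the fixed-ip rule works only when the floating range is excluded from SNAT, which is why both the release-note advice and the exclusion setting are needed together.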