[openstack-dev] [Openstack-security] Neutron security groups for L2 networks in Havana
Aaron Rosen
arosen at nicira.com
Fri Nov 8 07:42:50 UTC 2013
On Thu, Nov 7, 2013 at 12:23 PM, Kanthi P <pavuluri.kanthi at gmail.com> wrote:
> Hi,
>
> I am trying to boot a VM which has a network without subnet in Havana, but
> it throws an exception saying that subnet is mandatory if quantum security
> groups are enabled.
>
> Here are the commands I used.
>
> neutron net-create testNet
> neutron net-show testNet
> +---------------------------+--------------------------------------+
> | Field | Value |
> +---------------------------+--------------------------------------+
> | admin_state_up | True |
> | id | 47208beb-2801-4729-bc7b-6532717232fc |
> | name | testNet |
> | provider:network_type | local |
> | provider:physical_network | |
> | provider:segmentation_id | |
> | router:external | False |
> | shared | False |
> | status | ACTIVE |
> | subnets | |
> | tenant_id | b5b591dcda2645cd9d15a4fe3eb1b50d |
> +---------------------------+--------------------------------------+
>
> nova boot --flavor 2 --image 30c1984c-8a4f-4e3f-8c9a-7de0b321caa2 --nic
> net-id=47208beb-2801-4729-bc7b-6532717232fc testServer1
>
> Here is the piece of code which generated this exception
>
> nova/network/neutronv2/api.py
>
> if (security_groups and not (
>         network['subnets']
>         and network.get('port_security_enabled', True))):
>
>     raise exception.SecurityGroupCannotBeApplied()
>
>
> Can someone please explain why we need this check?
>
Hi Kanthi,
We need this check because in order to enforce security groups the
port needs to have an ip_address (i.e. the network needs a subnet), since
security groups only map to L3/4 headers. Today, nova automatically adds a
default security group to all instances when booted. Hopefully we can punt
this task off to neutron in this release by moving the port creation up the
stack to nova-api instead of nova-compute, though this isn't the case
right now.
Aaron
>
> To my understanding a subnet is used for two purposes in terms of security
> groups:
> 1. To allow DHCP traffic if DHCP is enabled on the subnet, example given
> below
> -A quantum-openvswi-i7bf776d2-b -s 192.168.1.3/32 -p udp -m udp
> --sport 67 --dport 68 -j RETURN
> 2. To avoid IP spoofing
> -A quantum-openvswi-o7bf776d2-b ! -s 192.168.1.2/32 -j DROP
>
> Can we remove this so that we can have guests which have a NIC with just a
> MAC address? The guest can configure its own IP address. Later, if needed,
> they can enable their own security rules via the quantum API.
>
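The following is an added example, not nova or neutron code: it restates the nova check quoted in the thread as a function and shows why it exists by deriving the per-port iptables rules (DHCP allow, anti-spoof) from a port's fixed IPs, in the form Kanthi quoted. The function names, chain-name derivation and sample network/port dicts are constructed for this illustration.

```python
# Added example (not nova or neutron code). Models the nova check from
# nova/network/neutronv2/api.py and the per-port rules quoted in the thread.
# Function names and sample data are constructed for this example.

class SecurityGroupCannotBeApplied(Exception):
    """Stands in for nova.exception.SecurityGroupCannotBeApplied."""


def check_security_groups_allowed(network, security_groups):
    """The nova check, restated: security groups need a subnet and port security."""
    if security_groups and not (
            network['subnets']
            and network.get('port_security_enabled', True)):
        raise SecurityGroupCannotBeApplied()
    return True


def build_port_rules(port, dhcp_servers):
    """Build the ingress DHCP-allow and egress anti-spoof rules for one port.

    port: {'id': ..., 'fixed_ips': [{'ip_address': ...}, ...]}
    dhcp_servers: addresses of the subnet's DHCP ports (empty if DHCP is off).
    Chain names use the first 10 characters of the port id, as in the
    quantum-openvswi-i7bf776d2-b chain from the thread ('i' ingress, 'o' egress).
    """
    ips = [f['ip_address'] for f in port['fixed_ips']]
    if not ips:
        # No subnet means no fixed IP, so there is no address to write an
        # L3 match against: exactly the case the nova check rejects up front.
        raise SecurityGroupCannotBeApplied()
    tag = port['id'][:10]
    rules = [f"-A quantum-openvswi-i{tag} -s {srv}/32 -p udp -m udp "
             f"--sport 67 --dport 68 -j RETURN" for srv in dhcp_servers]
    if len(ips) == 1:
        rules.append(f"-A quantum-openvswi-o{tag} ! -s {ips[0]}/32 -j DROP")
    else:
        # Several fixed IPs: allow each known source, then drop everything else.
        rules += [f"-A quantum-openvswi-o{tag} -s {ip}/32 -j RETURN" for ip in ips]
        rules.append(f"-A quantum-openvswi-o{tag} -j DROP")
    return rules


# Constructed sample data mirroring the thread (not real deployment values).
NET_NO_SUBNET = {'subnets': []}
NET_WITH_SUBNET = {'subnets': ['sub-1'], 'port_security_enabled': True}
PORT_WITH_IP = {'id': '7bf776d2-b5c1-4d1e-9a11-000000000000',
                'fixed_ips': [{'ip_address': '192.168.1.2'}]}
PORT_NO_IP = {'id': '9c0e2a1f-0000-4aaa-8bbb-000000000000', 'fixed_ips': []}
```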