[openstack-dev] [Neutron][Security Groups] Pings to router ip from VM with default security groups

McCann, Jack jack.mccann at hp.com
Tue May 20 13:58:33 UTC 2014


I think this is a combination of two things...

1. When a VM initiates outbound communications, the egress rules
allow associated return traffic.  So if you allow outbound echo
request, the return echo reply will also be allowed.

2. The router interface will respond to ping.

- Jack
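The following is an added illustration, not code from this thread or from Neutron itself: a toy model of the iptables security-group filter on Vm1's port, with egress allow-all, ingress only from the group's own members (the cyclic remote_security_group_id rule) and the provider rule, and a connection-tracking table that admits replies to outbound flows. The VM and router addresses are the ones from the thread; the DHCP address 20.0.0.3, the ICMP identifiers and the rule shapes are simplified assumptions.

```python
# Added example (not from the mailing list): why a VM with the default
# security group can ping a router interface that has no security group.
# Addresses 20.0.0.x / 30.0.0.x come from the thread; 20.0.0.3 (DHCP) and
# the ICMP ids are constructed, and the rule model is a simplification.

VM1, VM2, R1_IF1, R1_IF2 = "20.0.0.2", "30.0.0.2", "20.0.0.1", "30.0.0.1"
DHCP = "20.0.0.3"  # constructed DHCP server address (assumption)

# The cyclic remote_group rule resolves to the group's own member ports;
# the provider rule whitelists the DHCP server for the network.
GROUP_MEMBERS = {VM1, VM2}
PROVIDER_ALLOWED = {DHCP}


class PortFilter:
    """Stateful filter for one VM port (default security group)."""

    def __init__(self, vm_ip):
        self.vm_ip = vm_ip
        # Accepted outbound flows, keyed like a conntrack entry.
        self.conntrack = set()

    def egress(self, dst, proto, ident):
        # Default egress rules allow any outbound traffic; track the flow.
        self.conntrack.add((self.vm_ip, dst, proto, ident))
        return "ACCEPT"

    def ingress(self, src, proto, ident, is_reply):
        # RELATED,ESTABLISHED: a reply to a tracked outbound flow is accepted
        # whatever its source, so the router's echo reply gets through even
        # though no ingress rule names the router interface IP.
        if is_reply and (self.vm_ip, src, proto, ident) in self.conntrack:
            return "ACCEPT (established)"
        if src in GROUP_MEMBERS:
            return "ACCEPT (remote_group)"
        if src in PROVIDER_ALLOWED:
            return "ACCEPT (provider_rule)"
        return "DROP"


def ping_from_vm1(target):
    """Echo request Vm1 -> target, then the echo reply coming back."""
    f = PortFilter(VM1)
    return f.egress(target, "icmp", 1), f.ingress(target, "icmp", 1, True)


def unsolicited_to_vm1(src):
    """Echo request arriving at Vm1 with no prior outbound flow."""
    return PortFilter(VM1).ingress(src, "icmp", 7, False)


if __name__ == "__main__":
    for t in (R1_IF1, R1_IF2):
        print(t, ping_from_vm1(t))
    print(R1_IF1, "unsolicited:", unsolicited_to_vm1(R1_IF1))
```

The router's reply passes only because Vm1 initiated the flow; an echo request originating from the router interface is dropped, while one from Vm2 or the DHCP server matches an explicit rule.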

From: Narasimhan, Vivekanandan
Sent: Tuesday, May 20, 2014 8:07 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [Neutron][Security Groups] Pings to router ip from VM with default security groups

Hi,

We have been trying to understand behavior of security group rules in icehouse stable.

The default security group contains 4 rules, two ingress and two egress.

The two ingress rules are one for IPv4 and other for IPv6.
We see both the ingress rules use cyclic security groups, wherein the rule contains remote_security_group_id
the same as the security_group_id itself.

Vm1 <--->  R1 <--> Vm2

Vm1 20.0.0.2
R1 interface 1 - 20.0.0.1
R1 interface 2 - 30.0.0.1
Vm2 30.0.0.2

We saw that with default security groups, Vm1 can ping its DHCP Server IP because of provider_rule in security group rules.

Vm1 is also able to ping Vm2 via router R1, as Vm1 port and Vm2 port share the same security group.

However, we noticed that Vm1 is also able to ping the router interfaces (R1 interface 1 IP - 20.0.0.1) and also ping router
interface (R1 interface 2 IP - 30.0.0.1) successfully.

Router interfaces do not have security groups associated with them, so the router interface IPs won't get added to
the IPTables of the CN where the Vm1 resides.

We are not able to figure out how the ping from the Vm1 to the router interfaces works when
no explicit rules are added to allow them.

Could you please throw some light on this?

--
Thanks,

Vivek
