[neutron] OpenvSwitch firewall sctp getting dropped

Jakub Libosvar jlibosva at redhat.com
Tue Aug 6 15:42:29 UTC 2019


On 05/08/2019 12:01, thuanlk at viettel.com.vn wrote:
> I have tried every version of OpenvSwitch but the problem continues to happen.
> Does the Openvswitch firewall support sctp?

Yes, as long as you have sctp conntrack support in the kernel. Can you paste
the output of 'ovs-ofctl dump-flows br-int | grep +inv' on the node where
the VM using sctp is running? If the counters are not 0 it's likely that
you're missing the sctp conntrack kernel module.

Jakub

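As an added example (editor's code, not from this thread and not part of Neutron or OVS), the check above in script form: it sums the n_packets counters of the br-int flows whose match contains ct_state=+inv (the OVS firewall driver drops whatever conntrack marks INVALID, and without an SCTP tracker every SCTP packet lands there) and reports whether the nf_conntrack_proto_sctp module is loaded. Function names are hypothetical and the flow/module samples are constructed; the caveat on the module name applies only to the CentOS 7 kernel the poster is running, newer kernels compile the SCTP tracker into nf_conntrack.

```shell
#!/bin/sh
# Added diagnostic script (not from the thread): automates the check Jakub
# suggests. It sums the packet counters of the OVS firewall's ct_state=+inv
# flows in br-int and checks whether the SCTP conntrack tracker is loaded.
# Function names are hypothetical; the flow and module samples are constructed.

# Sum n_packets over flows whose match contains "+inv" (dump-flows text on stdin).
# Packets counted here were classified INVALID by conntrack and dropped by the
# firewall driver; for SCTP that usually means no SCTP tracker in the kernel.
sum_inv_packets() {
    grep -F '+inv' | sed -n 's/.*n_packets=\([0-9]*\).*/\1/p' | awk '{ s += $1 } END { print s + 0 }'
}

# Exit 0 when nf_conntrack_proto_sctp appears in /proc/modules text on stdin.
# Caveat: CentOS 7's 3.10 kernel ships SCTP tracking as this separate module;
# on newer kernels it is compiled into nf_conntrack and never shows up here.
sctp_conntrack_loaded() {
    grep -q '^nf_conntrack_proto_sctp '
}

# $1 = dump-flows output, $2 = /proc/modules contents. Prints one verdict word.
diagnose() {
    inv=$(printf '%s\n' "$1" | sum_inv_packets)
    if [ "$inv" -eq 0 ]; then
        echo clean
    elif printf '%s\n' "$2" | sctp_conntrack_loaded; then
        echo invalid-drops     # counters rising but tracker present: look elsewhere
    else
        echo missing-module    # the case Jakub describes: modprobe nf_conntrack_proto_sctp
    fi
}

# Constructed sample data: two +inv drop flows (35 + 12 packets) and one
# "-inv" accept flow that must not be counted.
SAMPLE_FLOWS='cookie=0x7a3b, duration=812.3s, table=71, n_packets=0, n_bytes=0, priority=110,ct_state=+trk actions=ct_clear,resubmit(,71)
cookie=0x7a3b, duration=812.3s, table=71, n_packets=35, n_bytes=4480, priority=95,ct_state=+inv+trk actions=drop
cookie=0x7a3b, duration=812.3s, table=82, n_packets=12, n_bytes=1536, priority=95,ct_state=+inv+trk actions=drop
cookie=0x7a3b, duration=812.3s, table=82, n_packets=3, n_bytes=384, priority=80,ct_state=+est-rel-inv+trk,ip,reg6=0x1 actions=output:5'
SAMPLE_FLOWS_CLEAN='cookie=0x7a3b, duration=812.3s, table=71, n_packets=0, n_bytes=0, priority=95,ct_state=+inv+trk actions=drop'
SAMPLE_MODULES_NO_SCTP='nf_conntrack_ipv4 15053 3 - Live 0x0000000000000000
nf_conntrack 139264 5 nf_conntrack_ipv4,openvswitch,nf_nat - Live 0x0000000000000000'
SAMPLE_MODULES_WITH_SCTP="nf_conntrack_proto_sctp 16384 0 - Live 0x0000000000000000
$SAMPLE_MODULES_NO_SCTP"

# Live run on the compute node hosting the VM (as root): ./sctp_ct_check.sh --live
if [ "${1:-}" = "--live" ]; then
    diagnose "$(ovs-ofctl dump-flows br-int)" "$(cat /proc/modules)"
else
    diagnose "$SAMPLE_FLOWS" "$SAMPLE_MODULES_NO_SCTP"
fi
```

Without `--live` the script runs against the constructed samples and prints `missing-module`; with it, it reads the real flow table and module list. A `clean` verdict with SCTP still not arriving points at the security group rules rather than conntrack, and `invalid-drops` with the module present means something else is being marked INVALID (the raw `grep +inv` output is then worth reading by hand).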
> 
> Thanks and best regards !
> 
> ---------------------------------------
> Lăng Khắc Thuận
> OCS Cloud | OCS (VTTEK)
> +(84)- 966463589
> 
> 
> -----Original Message-----
> From: Lang Khac Thuan [mailto:thuanlk at viettel.com.vn] 
> Sent: Tuesday, July 30, 2019 11:22 AM
> To: 'smooney at redhat.com' <smooney at redhat.com>; 'openstack-discuss at lists.openstack.org' <openstack-discuss at lists.openstack.org>
> Subject: RE: [neutron] OpenvSwitch firewall sctp getting dropped
> 
> I have tried configuring SCTP but nothing changed!
> 
> openstack security group rule create --ingress --remote-ip 0.0.0.0/0 --protocol 132 --dst-port 2000:10000 --description "SCTP" sctp
> openstack security group rule create --egress --remote-ip 0.0.0.0/0 --protocol 132 --dst-port 2000:10000 --description "SCTP" sctp
> 
> Displaying 2 items
> Direction  Ether Type  IP Protocol  Port Range    Remote IP Prefix  Remote Security Group
> Egress     IPv4        132          2000 - 10000  0.0.0.0/0         -
> Ingress    IPv4        132          2000 - 10000  0.0.0.0/0         -
> 
> 
> Thanks and best regards !
> 
> ---------------------------------------
> Lăng Khắc Thuận
> OCS Cloud | OCS (VTTEK)
> +(84)- 966463589
> 
> 
> -----Original Message-----
> From: smooney at redhat.com [mailto:smooney at redhat.com]
> Sent: Tuesday, July 30, 2019 1:27 AM
> To: thuanlk at viettel.com.vn; openstack-discuss at lists.openstack.org
> Subject: Re: [neutron] OpenvSwitch firewall sctp getting dropped
> 
> On Mon, 2019-07-29 at 22:38 +0700, thuanlk at viettel.com.vn wrote:
>> I have installed Openstack Queens on CentOs 7 with OvS and I recently 
>> used the native openvswitch firewall to implement SecurityGroup. The 
>> native OvS firewall seems to work just fine with TCP/UDP traffic but 
>> it does not forward any SCTP traffic going to the VMs no matter how I 
>> change the security groups, but it runs if I disable port security 
>> completely or use the iptables_hybrid firewall driver. What do I have to 
>> do to allow SCTP packets to reach the VMs?
> the security groups api is a whitelist model so all traffic is dropped by default.
> 
> if you want to allow sctp you would have to create a new security group rule with ip_protocol set to the protocol number for sctp.
> 
> e.g. 
> openstack security group rule create --protocol sctp ...
> 
> I'm not sure if neutron supports --dst-port for sctp but you can still filter on --remote-ip or --remote-group and can specify the rule as an --ingress or --egress rule as normal.
> 
> https://docs.openstack.org/python-openstackclient/stein/cli/command-objects/security-group-rule.html
> 
> based on this commit https://github.com/openstack/neutron/commit/f711ad78c5c0af44318c6234957590c91592b984
> 
> it looks like neutron now validates the port ranges for sctp, implying it supports setting them, so I guess it's just a gap in the documentation.
> 
> 
> 
