About the use of security groups with neutron ports

ahmed.zaky.abdallah at gmail.com ahmed.zaky.abdallah at gmail.com
Thu Dec 26 23:14:04 UTC 2019


Hi All,

I am trying to wrap my head around something I came across in one of the OpenStack deployments. I am running Telco VNFs; one of them has different VMs using SR-IOV interfaces.

On one of my VNFs on OpenStack, I wrongly defined the IPv6 Gm bearer interface address to be exactly the same as the IPv6 gateway. As I hate re-onboarding, I decided to embark on a journey of changing the IPv6 address of the Gm bearer interface manually on the application side; everything went fine.

After two weeks, my customer started complaining about one-way RTP flow. The customer was reluctant to blame the operation I carried out because everything worked smoothly after my modification.

After days of investigation, I remembered that I have port security enabled, and this means AAP ("Allowed-Address-Pairs") are defined per vPort (the AAP contains the floating IP address of the VM so that port security allows traffic to and from this VIP). I gave it a try and edited the AAP ("Allowed-Address-Pairs") to include the correct new IPv6 address. After doing that, everything started working fine.

The only logical explanation at that time was that security group rules are really invoked.

Now, I am trying to understand how iptables is really invoked. I did some digging and it seems like we can control the firewall drivers on two levels:

* Nova compute
* ML2 plugin

I was curious to check nova.conf and it already has the following line: firewall_driver=nova.virt.firewall.NoopFirewallDriver

However, checking the ML2 plugin configuration, the following is found:

    [securitygroup]

    #
    # From neutron.ml2
    #

    # Driver for security groups firewall in the L2 agent (string value)
    #firewall_driver = <None>
    firewall_driver = openvswitch

So, I am jumping to the conclusion that the ML2 plugin is the one responsible for enforcing the firewall rules in my case.

Have you had a similar experience?

Is my assumption correct: if I comment out the ML2 plugin firewall driver, then port security makes no sense at all and security groups won't be invoked?


Cheers,

Ahmed
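A check for the failure mode described in the mail above (an address changed inside the guest without updating the port's allowed-address-pairs), added here as an example that is not part of the original message. The port record is constructed in the shape of a Neutron port as returned by `openstack port show -f json` (the field names are real Neutron attributes; the ids and addresses are made up), and the functions below are hypothetical helpers, not a Neutron or OpenStack client API.

```python
import ipaddress

# Constructed sample port. Field names match the Neutron port API;
# the values are invented for this example.
SAMPLE_PORT = {
    "id": "port-example",
    "port_security_enabled": True,
    "fixed_ips": [{"ip_address": "2001:db8:100::10", "subnet_id": "subnet-a"}],
    "allowed_address_pairs": [
        {"ip_address": "2001:db8:100::1"},    # the old (wrong) Gm bearer address
        {"ip_address": "2001:db8:200::/64"},  # an AAP entry may also be a prefix
    ],
}


def allowed_networks(port):
    """Networks the port may send/receive for when port security is on.

    The L2-agent firewall admits the port's fixed IPs plus every
    allowed-address-pair entry; an entry may be a host or a CIDR prefix.
    """
    nets = []
    for fixed in port.get("fixed_ips", []):
        nets.append(ipaddress.ip_network(fixed["ip_address"]))
    for pair in port.get("allowed_address_pairs", []):
        nets.append(ipaddress.ip_network(pair["ip_address"], strict=False))
    return nets


def unlisted_addresses(port, app_addresses):
    """Guest-side addresses that port security would filter on this port.

    With port security disabled nothing is filtered, so the result is empty
    no matter what the guest is configured with. Addresses are normalised,
    so upper/lower-case hex in IPv6 literals does not cause false positives.
    """
    if not port.get("port_security_enabled", True):
        return []
    nets = allowed_networks(port)
    missing = []
    for addr in app_addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            missing.append(str(ip))
    return missing
```

Run it against the addresses actually configured on the VNF's interfaces; any address it reports is one that port security will drop until it is added to the port's allowed-address-pairs.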
