About the use of security groups with neutron ports

Slawek Kaplonski skaplons at redhat.com
Fri Dec 27 09:28:11 UTC 2019


> On 27 Dec 2019, at 00:14, ahmed.zaky.abdallah at gmail.com wrote:
> Hi All,
> I am trying to wrap my head around something I came across in one of the OpenStack deployments. I am running Telco VNFs one of them is having different VMs using SR-IOV interfaces. 
> On one of my VNFs on Openstack, I defined a wrong IPv6 Gm bearer interface to be exactly the same as the IPv6 Gateway. As I hate re-onboarding, I decided to embark on a journey of changing the IPv6 of the Gm bearer interface manually on the application side, everything went on fine.
> After two weeks, my customer started complaining about one way RTP flow. The customer was reluctant to blame the operation I carried out because everything worked smooth after my modification. 
> After days of investigation, I remembered that I have port-security enabled and this means AAP “Allowed-Address-Pairs” are defined per vPort (AAP contain the floating IP address of the VM so that  the security to allow traffic to and from this VIP). I gave it a try and edited AAP “Allowed-Address-Pairs” to include the correct new IPv6 address. Doing that everything started working fine.
> The only logical explanation at that time is security group rules are really invoked. 
> Now, I am trying to understand how the iptables are really invoked. I did some digging and it seems like we can control the firewall drivers on two levels:
> 	• Nova compute 
> 	• ML2 plugin
> I was curious to check nova.conf and it has already the following line: firewall_driver=nova.virt.firewall.NoopFirewallDriver
> However, checking the ml2 plugin configuration, the following is found:
>     230 [securitygroup]
>     231
>     232 #
>     233 # From neutron.ml2
>     234 #
>     235
>     236 # Driver for security groups firewall in the L2 agent (string value)
>     237 #firewall_driver = <None>
>     238 firewall_driver = openvswitch
> So, I am jumping to a conclusion that ml2 plugin is the one responsible for enforcing the firewall rules in my case.
> Have you had a similar experience?
> Is my assumption correct: If I comment out the ml2 plugin firewall driver then the port security carries no sense at all and security groups won’t be invoked?

Firewall_driver config option has to be set to some value. You can set “noop” as firewall_driver to completely disable this feature for all ports.
But please remember that You need to set it on agent’s side so it’s on compute nodes, not on neutron-server side.
Also, if You want to disable it only for some ports, You can set “port_security_enabled” to False and than SG will not be applied for such port and You will not need to configure any additional IPs in allowed address pairs for this port.

> Cheers,
> Ahmed

Slawek Kaplonski
Senior software engineer
Red Hat

More information about the openstack-discuss mailing list