[neutron] OpenvSwitch firewall sctp getting dropped

Sean Mooney smooney at redhat.com
Mon Jul 29 18:26:56 UTC 2019


On Mon, 2019-07-29 at 22:38 +0700, thuanlk at viettel.com.vn wrote:
> I have installed Openstack Queens on CentOS 7 with OvS and I recently used
> the native openvswitch firewall to implement SecurityGroup. The native OvS
> firewall seems to work just fine with TCP/UDP traffic, but it does not
> forward any SCTP traffic going to the VMs no matter how I change the
> security groups, but it runs if I disable port security completely or use
> the iptables_hybrid firewall driver. What do I have to do to allow SCTP packets
> to reach the VMs?
The security groups API is a whitelist model, so all traffic is dropped by default.

If you want to allow SCTP, you would have to create a new security group rule with
ip_protocol set to the protocol number for SCTP.

e.g.
openstack security group rule create --protocol sctp ...

I'm not sure if neutron supports --dst-port for SCTP,
but you can still filter on --remote-ip or --remote-group
and can specify the rule as an --ingress or --egress rule
as normal.

https://docs.openstack.org/python-openstackclient/stein/cli/command-objects/security-group-rule.html

Based on this commit https://github.com/openstack/neutron/commit/f711ad78c5c0af44318c6234957590c91592b984

it looks like neutron now validates the port ranges for SCTP, implying it supports setting them,
so I guess it's just a gap in the documentation.
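As an added illustration of the whitelist semantics described in the reply above (this is not part of the thread and not neutron's code): constructed rules shaped like the Neutron API security_group_rule object are matched against constructed sample flows, so an SCTP flow (IP protocol 132) is only forwarded once a rule names sctp, and direction and a --remote-ip style prefix narrow it further.

```python
"""Simplified model of security-group matching (added example, not neutron's
implementation). Rules are dicts shaped like the API object; flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IANA IP protocol numbers; neutron also accepts these names in --protocol.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132, "icmp": 1}

@dataclass(frozen=True)
class Flow:
    direction: str        # "ingress" or "egress", from the VM port's point of view
    protocol: int         # IP protocol number carried in the packet
    remote_ip: str        # peer address (source for ingress, destination for egress)
    port: Optional[int]   # destination port, None for protocols without ports

def _proto_number(value):
    """Accept an IANA name or a number, as the API does; None means any protocol."""
    if value is None:
        return None
    if isinstance(value, int) or str(value).isdigit():
        return int(value)
    return PROTO_NUMBERS[str(value).lower()]

def rule_matches(rule: dict, flow: Flow) -> bool:
    if rule.get("direction", "ingress") != flow.direction:
        return False
    proto = _proto_number(rule.get("protocol"))
    if proto is not None and proto != flow.protocol:
        return False          # a TCP or UDP rule never admits SCTP (132)
    prefix = rule.get("remote_ip_prefix")
    if prefix and ip_address(flow.remote_ip) not in ip_network(prefix):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and (flow.port is None or not lo <= flow.port <= (hi or lo)):
        return False
    return True

def is_allowed(rules: list, flow: Flow) -> bool:
    """Whitelist: a flow is forwarded only if some rule explicitly permits it."""
    return any(rule_matches(r, flow) for r in rules)

# Constructed sample groups: one that only opens TCP/22, one that also adds SCTP.
TCP_ONLY = [{"direction": "ingress", "protocol": "tcp",
             "port_range_min": 22, "port_range_max": 22}]
WITH_SCTP = TCP_ONLY + [{"direction": "ingress", "protocol": "sctp",
                         "remote_ip_prefix": "10.0.0.0/24"}]
```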
