[neutron] OpenvSwitch firewall sctp getting dropped

thuanlk at viettel.com.vn thuanlk at viettel.com.vn
Tue Jul 30 04:21:32 UTC 2019

I have tried configuring SCTP but nothing changed!

openstack security group rule create --ingress --remote-ip --protocol 132 --dst-port 2000:10000 --description "SCTP" sctp
openstack security group rule create --egress --remote-ip --protocol 132 --dst-port 2000:10000 --description "SCTP" sctp

Displaying 2 items
Direction  Ether Type  IP Protocol  Port Range    Remote IP Prefix  Remote Security Group  Actions
Egress     IPv4        132          2000 - 10000  -
Ingress    IPv4        132          2000 - 10000  -

Thanks and best regards !

Lăng Khắc Thuận
+(84)- 966463589

-----Original Message-----
From: smooney at redhat.com [mailto:smooney at redhat.com] 
Sent: Tuesday, July 30, 2019 1:27 AM
To: thuanlk at viettel.com.vn; openstack-discuss at lists.openstack.org
Subject: Re: [neutron] OpenvSwitch firewall sctp getting dropped

On Mon, 2019-07-29 at 22:38 +0700, thuanlk at viettel.com.vn wrote:
> I have installed Openstack Queens on CentOs 7 with OvS and I recently 
> used the native openvswitch firewall to implement SecurityGroup. The 
> native OvS firewall seems to work just fine with TCP/UDP traffic but 
> it does not forward any SCTP traffic going to the VMs no matter how I 
> change the security groups, but it runs if I disable port security 
> completely or use iptables_hybrid firewall driver. What do I have to 
> do to allow SCTP packets to reach the VMs?
the security groups api is a whitelist model so all traffic is dropped by default.

if you want to allow sctp you would have to create a new security group rule with ip_protocol set to the protocol number for sctp.

openstack security group rule create --protocol sctp ...

I'm not sure if neutron supports --dst-port for sctp but you can still filter on --remote-ip or --remote-group and can specify the rule as an --ingress or --egress rule as normal.


based on this commit https://github.com/openstack/neutron/commit/f711ad78c5c0af44318c6234957590c91592b984

it looks like neutron now validates the port ranges for sctp, implying it supports setting them, so I guess it's just a gap in the documentation.

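As an added illustration of the whitelist semantics described above (this is example code written for this page, not code from the thread, from Neutron or from the openstack CLI), the model below evaluates a small set of security group rules the way the table in the thread lays them out: a packet is allowed only if some rule matches its direction, protocol, destination port and remote prefix, and everything else is dropped. Protocol names and IANA numbers are normalized so that `--protocol sctp` and `--protocol 132` describe the same rule; the port-range validation is a simplified assumption and not Neutron's exact checks (ICMP type/code use of the port fields is ignored here). The rule list `THREAD_RULES` is constructed from the two rules shown in the thread.

```python
"""Toy model of Neutron security-group evaluation (added example, not Neutron code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers for a few names the openstack CLI accepts (assumed subset).
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "sctp": 132}
# Protocols for which this simplified model treats a port range as meaningful.
PORT_PROTOCOLS = {6, 17, 132}


def normalize_protocol(proto):
    """Map a protocol name ("sctp") or number ("132", 132) to an IANA number; None means any."""
    if proto is None:
        return None
    text = str(proto).strip().lower()
    if text in PROTOCOL_NUMBERS:
        return PROTOCOL_NUMBERS[text]
    number = int(text)
    if not 0 <= number <= 255:
        raise ValueError(f"protocol number out of range: {proto}")
    return number


@dataclass
class Rule:
    """One security-group rule, with the columns the Horizon table shows."""
    direction: str                     # "ingress" or "egress"
    protocol: Optional[str] = None     # name or number; None = any protocol
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_ip: str = "0.0.0.0/0"       # CIDR the remote side must fall in ("-" in the table)

    def __post_init__(self):
        if self.direction not in ("ingress", "egress"):
            raise ValueError(f"bad direction: {self.direction}")
        self.proto_num = normalize_protocol(self.protocol)
        if (self.port_min is None) != (self.port_max is None):
            raise ValueError("port_min and port_max must be given together")
        if self.port_min is not None:
            # Simplified assumption: ports only for tcp/udp/sctp, range 1-65535, min <= max.
            if self.proto_num not in PORT_PROTOCOLS:
                raise ValueError("port range only valid for tcp/udp/sctp in this model")
            if not 1 <= self.port_min <= self.port_max <= 65535:
                raise ValueError(f"bad port range {self.port_min}-{self.port_max}")
        self.remote_net = ipaddress.ip_network(self.remote_ip, strict=False)

    def matches(self, direction, proto_num, dst_port, remote_addr):
        """True if a packet with these attributes is covered by this rule."""
        if direction != self.direction:
            return False
        if self.proto_num is not None and proto_num != self.proto_num:
            return False
        if self.port_min is not None and not (self.port_min <= dst_port <= self.port_max):
            return False
        return ipaddress.ip_address(remote_addr) in self.remote_net


def rule_is_valid(**kwargs):
    """True if Rule(**kwargs) passes the simplified validation above."""
    try:
        Rule(**kwargs)
        return True
    except ValueError:
        return False


def is_allowed(rules, direction, protocol, dst_port, remote_addr):
    """Whitelist evaluation: allowed only if some rule matches, otherwise dropped."""
    proto_num = normalize_protocol(protocol)
    return any(r.matches(direction, proto_num, dst_port, remote_addr) for r in rules)


# Constructed sample: the two rules from the thread (protocol 132 = SCTP, ports 2000-10000).
THREAD_RULES = [
    Rule("ingress", "132", 2000, 10000),
    Rule("egress", "132", 2000, 10000),
]

if __name__ == "__main__":
    for proto, port in (("sctp", 5000), ("tcp", 5000), ("sctp", 20000)):
        verdict = "allow" if is_allowed(THREAD_RULES, "ingress", proto, port, "10.0.0.5") else "drop"
        print(f"ingress {proto}/{port} from 10.0.0.5 -> {verdict}")
```

Running it shows SCTP to port 5000 allowed, while TCP to the same port and SCTP to port 20000 are dropped, since neither is whitelisted by the two rules; a rule written with `--protocol tcp` by mistake would never match SCTP traffic, which is the first thing to check when SCTP is silently dropped.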
